Renewed certificate is not accepted

Every time (AutoSSL, every 3 months) my provider renews the certificate of my mail domain (mail.keukenmeester.eu), K-9 Mail does not accept the renewed certificate and stops receiving (and sending) mail on all email accounts of this domain without notice. When I then accept the new certificate on the account of the domain for the incoming and for the outgoing mail, there are no problems until 3 months later. The same issue occurs on the other domain I use of the same provider (Neostrada.nl). There are no issues when using Thunderbird with Linux or Windows for these domains.
Used device: OnePlus Nord 3 5G
Used software level: Android 14, security update 5 June 2024
Used K-9 Mail version: 6.804

Question 1: what should I do to avoid this issue?
Question 2: how can I be notified of certificate errors so I’m aware mail is not coming in?

Thanks for the answers in advance,
Henk

Do you have a hosting contract with them or do you have a VPS? In the latter case, you can check in cPanel whether you can configure your own certificate or if there is an alternate name for your MX that uses a different certificate.

K-9 Mail should create an error notification when there’s a certificate error. Make sure you allow “miscellaneous” notifications for all accounts.

The certificate that mail.keukenmeester.eu returns for IMAP on port 143 and 993, for POP3 on port 110 and 995, and for SMTP on port 587 and 465 looks good to me. K-9 Mail shouldn’t report a certificate error, and didn’t in my tests.

Sorry for the misunderstanding but I already accepted the renewed certificate. When this is a new issue for you/the forum, I will return in this topic or (when closed) open a new one before accepting. But this will take three months. :sweat_smile:
Kind regards,
Henk Keukenmeester

cketti via K-9 Mail Forum noreply@forum.k9mail.app wrote on 16 July 2024 20:56:39 CEST:

Why change the certificate when it works OK with Thunderbird on Linux and Windows and also in an older version of Android (I have to look after my old phone to find out which version) for over at least five years?
Kind regards,
Henk Keukenmeester

Tenshi via K-9 Mail Forum noreply@forum.k9mail.app wrote on 16 July 2024 19:27:28 CEST:

One thing that could lead to the certificate not being regarded as valid is if the certificate authority that signed the certificate was disabled in Android’s settings. Make sure “Internet Security Research Group” (ISRG Root X1) is enabled under Security → More security settings → Encryption & credentials → Trusted credentials (or just search for “trusted credentials” if your Android version puts it in a slightly different place).

You don’t have to do anything. You seemed annoyed by the short validity, so I pointed out some ways to work around it with certificates valid a bit longer. If you are happy with the three months, don’t change it (btw: Let’s Encrypt also limits the certificate validity to three months).

Wrt @cketti’s hunch regarding CAs, you can import the chain to Android’s certificate manager. Only do that if you trust the CA. Beware of “the connection may be monitored or unsafe” warnings triggered by the OS whenever the chain is invoked.

I think I know what Henk is talking about. When your server cert is provided by Let’s Encrypt, certificates are valid for 3 months, so they are renewed at that time.
When K9 receives a cert different from the one cached for a given server, it complains even if the new cert is valid.
I understand the possibility of MITM, and in fact, the current practice of creating a spoofing cert by firewalls, so I sympathize with that, but I guess the notification should be avoided if the public key stays the same, and that would be easier on the users.

My IMAP & SMTP server has Let’s Encrypt certificates, which are auto-renewed every three months, and K9 never mentions it.

I have the same certificate environment but this problem on a OnePlus Nord 3 5G with OxygenOS 15. On my earlier smartphones I never had problems with K9 and certificates, so I guess it has something to do with Oxygen. But I have no knowledge of how certificates work. As a bypass I now use on this smartphone the underlying server name to reach my mail server without any issue.

Well, I do the same and I’m used to having to accept the new cert every renewal cycle, so there has to be some other contributing factor I’m not aware of… In fact, as I do STARTTLS on outgoing, I have to do 2 different cert checks every renewal on every device…

Perhaps it’s related to the system’s certificate chain, rather than something internal to k9? My phone is a Samsung.

Mine is a Moto, but a Samsung behaves the same. But it seems K9 does not have a cert store of its own, so maybe the underlying OS has to do with it.
Hmm, Gemini says it has its own cert store, but no user GUI.
And that notification should happen any time the certificate changes. That’s what I see… are you using IMAPS?

Yes, imaps for me.

I’ve never seen K9 moan about a valid certificate.

I don’t use IMAPS. I don’t even know what it is.

imaps == IMAP over SSL(TLS)

I do receive a notification that links to the server settings dialog. Given that I just changed certs, I can reproduce this by going back to the old cert which is still valid.

I guess I found the core of the discrepancy.
Code at

checks first for defaultTrust, and then exceptions. It seems my “defaultTrust” does not cover Let’s Encrypt certs… (i.e. I have an old phone, but it works!)
Well, no, I’ve just checked and ISRG Root X1 is there. Beats me.
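The check order described in the last posts (default trust first, then the stored exception) and the earlier suggestion that a renewal which keeps the same public key need not prompt, as an added Go example that is not K-9 Mail’s code: the host mail.example.test, the self-signed stand-in certificates and the two pinning styles are constructed for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"math/big"
	"time"
)

// makeCert builds a constructed self-signed cert for host; each call stands in for one 90-day issuance.
func makeCert(host string, key *ecdsa.PrivateKey, serial int64) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		DNSNames:     []string{host},
		NotAfter:     time.Now().Add(90 * 24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER produced just above always parses
	return cert
}
// fingerprint covers the whole cert and changes on every renewal; spkiHash covers only the key.
func fingerprint(c *x509.Certificate) [32]byte { return sha256.Sum256(c.Raw) }
func spkiHash(c *x509.Certificate) [32]byte    { return sha256.Sum256(c.RawSubjectPublicKeyInfo) }
// accepted follows the order the thread describes: default trust first, then the stored exception.
func accepted(c *x509.Certificate, host string, roots *x509.CertPool, pin [32]byte, id func(*x509.Certificate) [32]byte) bool {
	if _, err := c.Verify(x509.VerifyOptions{DNSName: host, Roots: roots}); err == nil {
		return true // chains to a trusted root; the exception store is never consulted
	}
	return id(c) == pin // otherwise only the previously accepted identity counts
}
// renewalOutcome replays the thread: an accepted cert, a renewal reusing its key, and a reissue with a new key.
func renewalOutcome() (fpSameKey, keySameKey, keyNewKey, rootTrusted bool) {
	host := "mail.example.test" // constructed placeholder, not the poster's host
	keyA, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	keyB, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	old, renewed, rekeyed := makeCert(host, keyA, 1), makeCert(host, keyA, 2), makeCert(host, keyB, 3)
	roots := x509.NewCertPool() // still empty: the device trusts no root for this chain
	fpSameKey = accepted(renewed, host, roots, fingerprint(old), fingerprint) // false: prompts again
	keySameKey = accepted(renewed, host, roots, spkiHash(old), spkiHash)      // true: stays silent
	keyNewKey = accepted(rekeyed, host, roots, spkiHash(old), spkiHash)       // false: the key really changed
	roots.AddCert(renewed)                                                   // now a trusted root exists
	rootTrusted = accepted(renewed, host, roots, [32]byte{}, fingerprint)     // true: default trust wins
	return
}
```

With a pin on the whole certificate every renewal forces a new acceptance, exactly the three-monthly prompt Henk sees, while a pin on the public key only prompts when the key itself changes.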