2 proven ways to fix error “Cannot Verify Server Identity” in iPhone & iOS
“Cannot Verify Server Identity” is a common error in iPhone and other iOS devices.
It means that iOS considers the mail server’s certificate to be fake.
What is the error Cannot Verify Server Identity?
When an iPhone tries to connect to a mail server securely, it’ll fetch the server’s “SSL certificate” and check if it is reliable.
If it finds that the certificate has expired, does not match the domain name, or is not signed by a well-known company, it’ll mark the cert as unreliable.
At that point the secure connection fails, and the iPhone will show the error “Cannot Verify Server Identity”.
We usually see this error:
- After the mail server’s certificate is changed (e.g. new issuer), or
- When a new account is being set up on the iPhone, or
- After an account migration
What are the causes of Cannot Verify Server Identity error?
Of course, there are cases where this error is shown when the certificate is indeed bad (expired, wrong domain, etc.).
But we often see cases where valid certificates are also misclassified as fake by iPhone. The two major reasons we’ve seen are:
1. Mismatch between Domain name and Server name
Many hosting companies provide the mail server name as “mail.website-name.com”.
The mail server’s certificate, however, will be in the format “mail.server-name.com”.
When configuring the iPhone, users put in their mail server as “mail.website-name.com”, but when the iPhone fetches the certificate, it sees the name “mail.server-name.com” printed in it.
iPhone plays safe, and marks the certificate as unreliable.
How we fix it
We fix it in three ways:
- Change mail server name – In cases where the hosting customer has a VPS account, we change the mail server name to match the certificate name.
- Fix mail configuration – If the hosting user is a Shared Hosting customer, we help them change iPhone’s mail server settings to use “mail.server-name.com” instead of “mail.website-name.com”.
- Set up a free dedicated certificate – For VPS users who didn’t use a valid certificate (e.g. self-signed certs are untrusted), we set up certificates from Let’s Encrypt, which is a valid CA that provides free SSLs.
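The checks described above (expiry, name match, trusted issuer) can be reproduced on the support side before touching the phone. The following is an added example, not code from the original article: the two certificates are constructed samples in the dict layout of Python's `ssl.SSLSocket.getpeercert()`, the CA name is hypothetical, and "issuer equals subject" is used as a simple stand-in for full chain validation.

```python
import ssl
from datetime import datetime, timezone

# Constructed sample certificates, in the dict layout of ssl.SSLSocket.getpeercert().
SHARED_HOST_CERT = {
    "subject": ((("commonName", "mail.server-name.com"),),),
    "issuer": ((("commonName", "Example Public CA"),),),  # hypothetical CA name
    "subjectAltName": (("DNS", "mail.server-name.com"),),
    "notAfter": "Jan  1 00:00:00 2031 GMT",
}
SELF_SIGNED_CERT = {
    "subject": ((("commonName", "mail.website-name.com"),),),
    "issuer": ((("commonName", "mail.website-name.com"),),),
    "subjectAltName": (("DNS", "mail.website-name.com"),),
    "notAfter": "Jan  1 00:00:00 2020 GMT",
}
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)  # fixed clock so results are repeatable

def name_matches(pattern: str, host: str) -> bool:
    """Match one certificate DNS name against the host typed into the mail client.
    A wildcard counts only as the entire leftmost label (*.example.com)."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def diagnose(cert: dict, configured_host: str, now: datetime) -> list:
    """List the reasons a strict client would reject cert for configured_host."""
    problems = []
    if now.timestamp() > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("expired")
    # Only subjectAltName DNS entries are compared; the commonName is ignored here.
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not any(name_matches(n, configured_host) for n in names):
        problems.append("name mismatch: certificate is for " + ", ".join(names))
    # Issuer equal to subject means self-signed: no CA vouches for the certificate.
    if cert.get("issuer") == cert.get("subject"):
        problems.append("self-signed")
    return problems

if __name__ == "__main__":
    for host in ("mail.website-name.com", "mail.server-name.com"):
        print(host, diagnose(SHARED_HOST_CERT, host, NOW))
    print("self-signed:", diagnose(SELF_SIGNED_CERT, "mail.website-name.com", NOW))
```

The first call reports the name mismatch that the shared-hosting fix resolves by switching the client to “mail.server-name.com”; the second returns an empty list.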
2. “Bug” in iPhone & iOS
Apple uses pretty strong checks to ensure certificate security.
So, if there is no way to change the server’s certificate name, or the mail user’s MX name, the error will remain no matter what.
In the cases where this error comes up after a server certificate change, we help mail users to explicitly add the server’s SSL certificate to the “Trusted” list.
To do that,
- Tap on the “Details” button shown in the error message.
- And in the next screen, tap on the “Trust” link.
How to fix it in iOS 10.x+
In later versions of iPhone and iOS (10.x+), the option to add certificates to the “Trusted” list is no longer available.
So, for such devices, we’ve found these steps to work:
- Delete all mail accounts related to your domain.
  - Go to Settings –> Accounts & Password –> [Account Name] –> Delete Account.
- Then delete all outgoing mail servers in settings.
- Re-add the mail account(s).
This will provide the option to “Trust” the certificates again as described above.
The “Cannot Verify Server Identity” error is caused by the strict verification of mail server certificates in iPhone and iOS. Today we’ve covered the top two causes of this error, and how our Dedicated Support Engineers fix it.