Certificate issues with new iOS

Hello,

I have not had any issues with GMS and setting this up on anybody's iPhone until the latest 10.3.3 update. We have GMS 14.2.1 Build 270. When I try to set up email sync on a user's iPhone now, it says that it cannot verify the Certificate. It is self-signed, so I know why it is getting that. In the past I manually downloaded the Cert and imported it into the phone and all worked well. Now I get it downloaded and imported/installed on the iPhone and it says "Verified" under the profile, and I have it enabled under the Certificate trust settings. After doing this, if I try to set up email sync again, it still says it cannot verify, and it brings up the profile but it says "not Verified" for some reason and does not allow me to trust or allow this cert.

As a test I removed the Email account from my iPhone and removed my device from the GMS admin console under my name. I then upgraded my iPhone to the 10.3.3 version. I then went and was able to successfully add my email account to the iPhone. I did not have to add any profiles (nothing is under the profile section) or enable any profiles under the Certificate Trust settings. Now I am really confused.

Does anyone have any ideas or what I could try?

Thanks,
Andy
  • Acshearer,
    > Does anyone have any ideas or what I could try?


    FWIW. Buy a certificate :) You can spend hours and hours trying to get
    selfsigneds to work with all devices and still not succeed.

    --
    Anders Gustafsson (NKP)
    The Aaland Islands (N60 E20)

    Have an idea for a product enhancement? Please visit:
    https://www.novell.com/products/enhancement-request.html

  • 1. The last service certificates I purchased were something like
    $12USD/year. It is quite literally not worth the time to try and make
    self signed certs work when they can be had so inexpensively.

    I'm sure a supervisor would be ok with that expenditure vs. spending an
    hour on each device type to try and work out the self signed imports.


    On 9/5/2017 1:21 PM, Anders Gustafsson wrote:
    > Acshearer,
    >> Does anyone have any ideas or what I could try?

    >
    > FWIW. Buy a certificate :) You can spend hours and hours trying to get
    > selfsigneds to work with all devices and still not succeed.
    >


  • Unsigned,
    > 1. The last service certificates I purchased were something like
    > $12USD/year. It is quite literally not worth the time to try and make
    > self signed certs work when they can be had so inexpensively.


    Well, it depends on where you buy. If you want a certificate without
    hassle and a vendor that does decent support, then a standard SSL cert
    is 175$. That goes down to 139$/year if you buy three years.

    Given the fact that a skilled IT-professional probably costs his
    employer 100$/hour or more... I'd say buy a cert.

    --
    Anders Gustafsson (NKP)
    The Aaland Islands (N60 E20)


  • AndersG;2465595 wrote:
    Acshearer,
    > Does anyone have any ideas or what I could try?


    FWIW. Buy a certificate :) You can spend hours and hours trying to get
    selfsigneds to work with all devices and still not succeed.

    --
    Anders Gustafsson (NKP)
    The Aaland Islands (N60 E20)



    Or use the free Let's Encrypt cert. Seems to work according to this thread: https://forums.novell.com/showthread.php/502375-LetsEncrypt-setup

    Thomas
  • Thank you all for the information. I will just purchase a Signed cert if that will make it easier, that is not an issue. We usually buy ours from Thawte so I will just do that. Once I purchase the cert and get that installed how will that affect the current users that are syncing with the GMS? Will I have to do anything to their phones, such as re-connect them or anything else? Just wanted to be prepared.

    Thanks,
    Andrew
  • Acshearer,
    > We usually buy ours
    > from Thawte so I will just do that.


    Sounds like a plan.

    > Once I purchase the cert and get
    > that installed how will that affect the current users that are syncing
    > with the GMS? Will I have to do anything to their phones, such as
    > re-connect them or anything else? Just wanted to be prepared.


    Nope, it should be transparent.

    --
    Anders Gustafsson (NKP)
    The Aaland Islands (N60 E20)


  • Oh totally. I've purchased from 'the guys' that everyone likes with
    great support and the experience was good. I also feel like there are
    only so many reasonable ways to use a cert that a smaller IT shop will
    come across and these are well documented on the internet. Reputable
    CAs or re-sellers allow for multiple re-issues, and have their roots
    widely distributed, which are about the only major concerns.

    At the end of the day, the $12 cert provides the exact same
    functionality as the $175 or $500 one. There can be some differences in
    the CRL server responsiveness or the vetting process of the issuer, and
    maybe one could argue these can be important depending on the expected
    traffic or business type. However once plugged into say, a web server,
    the key material works in concert with the available crypto libraries
    and a trusted RSA/SHA2 cert works the same as any other trusted RSA/SHA2
    cert.

    Not that this is relevant for GMS, but the same for EV/GreenBar. It's
    simply a field in the cert that the browsers look for to change a
    display. There is zero difference in the crypto technology provided.

    On 9/6/2017 12:53 AM, Anders Gustafsson wrote:
    >
    > Well, it depends on where you buy. If you want a certificate without
    > hassle and a vendor that does decent support, then a standard SSL cert
    > is 175$. That goes down to 139$/year if you buy three years.
    >
    > Given the fact that a skilled IT-professional probably costs his
    > employer 100$/hour or more... I'd say buy a cert.
    >
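
The properties the post above compares across vendors (who issued the certificate, the signature algorithm, the key size) can be read straight from the PEM file before it is installed on the server. This is an added example using the openssl CLI, not part of the thread; the host name `gms.example.test` and the file names are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): summarise a PEM certificate with the
# openssl CLI. Host name and file names below are constructed.

# Print one distinguished name (subject or issuer) in a comparable form.
cert_name() {  # $1 = PEM file, $2 = subject|issuer
    openssl x509 -in "$1" -noout "-$2" -nameopt RFC2253 | sed "s/^$2= *//"
}

# Print key=value lines describing the certificate in $1.
cert_report() {
    subj=$(cert_name "$1" subject)
    iss=$(cert_name "$1" issuer)
    text=$(openssl x509 -in "$1" -noout -text)
    # Same issuer and subject name is the quick sign of a self-signed cert
    # (names only; the signature itself is not verified here).
    if [ "$subj" = "$iss" ]; then echo "issued_by=self"; else echo "issued_by=ca"; fi
    echo "subject=$subj"
    echo "sigalg=$(printf '%s\n' "$text" | sed -n 's/^ *Signature Algorithm: //p' | head -n 1)"
    echo "keybits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')"
    # -checkend N exits non-zero if the cert expires within N seconds.
    if openssl x509 -in "$1" -noout -checkend $((30 * 86400)) >/dev/null; then
        echo "expires_within_30d=no"
    else
        echo "expires_within_30d=yes"
    fi
}

# Constructed sample input: a throwaway self-signed RSA/SHA-256 certificate.
make_sample_cert() {  # $1 = output directory
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=gms.example.test" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
make_sample_cert "$tmp"
cert_report "$tmp/cert.pem"
```

Running `cert_report` on a purchased certificate should show `issued_by=ca` with the same kind of `sigalg` and `keybits` values as the self-signed sample.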


  • Hello,

    I am getting ready to purchase the cert from Thawte. For the GMS and Webaccess Thawte has the option for Apache or Tomcat. Do I do the cert for Apache or Tomcat?
    Thanks,
    Andrew
  • Acshearer,
    > I am getting ready to purchase the cert from Thawte. For the GMS and
    > Webaccess Thawte has the option for Apache or Tomcat. Do I do the cert
    > for Apache or Tomcat?
    > Thanks,
    > Andrew


    You should have the option to select either when downloading. IIRC Tomcat, but FWIW certs are just text files anyway. See:

    https://www.novell.com/communities/coolsolutions/groupwise-mobility-figuring-out-certificates/

    --
    Anders Gustafsson (NKP)
    The Aaland Islands (N60 E20)
