Invalid Certificate Error

[EdMartin]

Our Zimbra installation uses self-signed certificates. They just came up for renewal and I renewed them last Saturday. Everyone using the web client or Zimbra Desktop was back in business almost immediately after authorizing an exception for the new certificate.

Two customers access their email via IMAP on the same model Android smart phone. They both installed an OS upgrade (to v2.3.3) on their phones, coincidentally, also on Saturday. Prior to this they had been receiving, sending, and deleting email on their phone and everything had been syncing perfectly.

After the certificate renewal and OS upgrade, one of the customers continued to be able to access his email exactly as before. The other, whose account was configured on his phone in exactly the same way, could no longer even connect to the mail server. His phone reported "invalid certificate" errors.

I set him up with a brand new account, which he configured in exactly the same way again on his phone. With this account, he too could handle email in the usual way. But nothing we tried made it possible for him to use his original account on his phone.

If I can, I would like to avoid having to migrate him over to the new account because his mailbox is approaching 6GB.

What could be the reason for this illogical behavior? Surely a certificate is either valid or invalid; it shouldn't be invalid just for one account and valid for everyone else.

Can anyone shed any light on this and offer a suggested way out of the impasse?

... Ed

[EdMartin]

I still have no clue what's causing this bizarre behavior. However, I've managed to work around it.

1. I created a new account.
2. I used imapsync to sync the customer's entire 5.5GB mailbox from the account he could not access on his phone to the new account.
3. I had the customer set up the new account on his phone (using the exact same configuration that did not work for his old account) and confirm that he could now access the new account. He could.
4. I set his former account to forward to the new account and NOT retain copies of messages. I also asked the customer to set his From address in the new account to be his old address. (This has the effect of masking all the address shenanigans from the outside world.)
5. I then reran imapsync in order to sync all the message activity that had taken place between the first imapsync run and setting his old account to forward to the new account.
6. Next, I discovered that imapsync had not copied over any of his Contacts. (Probably some kind of Ubuntu permissions problems, but life it too short for me to waste time trying to track that down.) So I used Zimbra Desktop and exported the Contacts from the old account to a CSV file, imported the CSV file into the new account, and then waited a few minutes for everything to sync back to the server.
7. I then confirmed with the customer that he could now do everything he wanted to email-wise on his phone, and he could.

I plan to let that marinate over the weekend, and if everything remains OK see if I can come up with a more permanent, less schizophrenic solution.

I'm still left with the illogicality of a certificate being invalid for one user and valid for everyone else. I have no inkling as to what might have caused that. Maybe the Android OS update on his phone is horked in some way. Who knows?!

... Ed