Airplay not working (webdav server with letsencrypt -> iOS -> AppleTV)

I’m serving a webdav/nextcloud server from a docker container on a single-board armbian machine, with letsencrypt running in a separate container. Nginx v 1.16.1.
The server works fine when I access it from iOS (always via the public DNS domain, even when on the LAN, so that the certificate appears correctly), but not when I AirPlay to either an AppleTV (3rd gen) or an AirPort Express.
I know that the AirPlay protocol will try to “give away” the entire HTTPS stream to the AppleTV, because it works if I download the file before streaming to AirPlay (in this way the AppleTV is not communicating with my server, only the iPhone is).
Also, I have managed to get the setup working with the Charles debugging proxy as an intermediate (webdav -> Charles -> iOS -> Charles -> appleTV), which replaces the SSL certificate, and this leads me to believe that the certificate is the root of the problem. If I turn off Wi-Fi on the phone after the AirPlay has been initiated (directly from webdav), the music keeps on playing, another proof that the stream is transferred to the AppleTV.

I have tried adding the fullchain.pem directly to the iPhone with no success. I believe the problem is either that the older units (AppleTV/AirPort Express) haven’t been updated to trust the Let’s Encrypt Authority X3, or that they don’t support TLS 1.2, which is the oldest version my setup supports.
The latter I deduce from the difference between the functioning public test server I’ve used and my own certificate:

Any thoughts or help?

It gets more confusing…
The ISRG Root X1 certificate (and DST Root CA X3) was added in iOS 10, and my tvOS is equivalent to iOS 8, so you would think that this is the problem.
However, the Charles proxy is signed by its own root certificate, which definitely does NOT appear in any of the supported root certificates… Might it be the older TLS support that does the trick then??

15 hours later I found the solution: disable HTTP/2 on the web server (Apache / nginx).
I tried downgrading TLS and adding all the outdated ciphers, to no avail 🙂
I guess the problem could be solved by the app making the initial request with an HTTP/1.1 header, or heck, maybe Apple should even make that mandatory when forwarding the stream to older AirPlay devices.

EDIT: this also solved sync problems with iOS apps.

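For readers who want to apply the fix from the post above, here is an added example of what “disable HTTP/2” looks like on nginx 1.16.x. It is not the poster’s configuration; the hostname `cloud.example.invalid`, the certificate paths and the upstream container name `nextcloud` are placeholders. The two server blocks are alternatives (keep only one of them): the first has HTTP/2 enabled, the second is the corrected form.

```nginx
# Added example, not the poster's config. Hostname, paths and upstream are placeholders.

# BEFORE: the "http2" flag on listen makes nginx advertise h2 via ALPN, so a
# modern iOS client negotiates HTTP/2 and hands the resulting URL to an
# older AirPlay receiver that cannot follow it (the failure described above).
server {
    listen 443 ssl http2;
    server_name cloud.example.invalid;            # placeholder hostname

    ssl_certificate     /etc/letsencrypt/live/cloud.example.invalid/fullchain.pem;  # placeholder path
    ssl_certificate_key /etc/letsencrypt/live/cloud.example.invalid/privkey.pem;    # placeholder path
    ssl_protocols       TLSv1.2;                  # unchanged: the TLS floor was not the problem

    location / {
        proxy_pass http://nextcloud:80;           # placeholder upstream container
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

# AFTER: drop the "http2" flag. nginx then advertises only http/1.1 in ALPN
# and every client on this port speaks HTTP/1.1. Certificates, TLS version
# and ciphers stay exactly as they were.
server {
    listen 443 ssl;
    server_name cloud.example.invalid;            # placeholder hostname

    ssl_certificate     /etc/letsencrypt/live/cloud.example.invalid/fullchain.pem;  # placeholder path
    ssl_certificate_key /etc/letsencrypt/live/cloud.example.invalid/privkey.pem;    # placeholder path
    ssl_protocols       TLSv1.2;

    location / {
        proxy_pass http://nextcloud:80;           # placeholder upstream container
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Two caveats worth knowing before making the change. On nginx releases before 1.25.1 the flag lives on the `listen` directive and is a property of the listening socket, so removing it turns HTTP/2 off for every server block sharing that address and port; there is no per-virtual-host switch. The equivalent on Apache with mod_http2 is changing `Protocols h2 http/1.1` to `Protocols http/1.1`. After a `nginx -t` and reload, `curl -sI --http2 https://cloud.example.invalid/` should report an `HTTP/1.1` status line even though the client offered h2, which confirms the server no longer negotiates HTTP/2.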
