Can't approve SSL certificate on iPhone


#1

Hi!
I would like to add my LE certificate on my iPhone, but although the profile is there, it doesn’t appear under “réglage des certificats” (certificate settings), so I can’t approve it!

My domain is: 2tbquk2vhxzuiue.synology.me

The operating system my web server runs on is (include version): iOS 10.3.3



#2

Hi,

Do you mean you want to make 2tbquk2vhxzuiue.synology.me trusted on your iPhone (remove the “connection is not secure” message)?


#3

The certificate there has CN = synology.com, so there is a mismatch.

But you have a Let’s Encrypt certificate:

https://crt.sh/?id=527294966

Not Before: Jun 13 17:05:39 2018 GMT

8 days old.

So you must tell your webserver to use this certificate.


#4

Hi Juergen,
I managed to install the Synology SSL certificate. This is why it appears. But I didn’t manage to install the LE SSL certificate.


All profiles appear on my iPhone, but to turn on the SSL certificate, it doesn’t appear, as the previous image shows.
I’m my own “webmaster” and I learn as I go…


#5

Hi Steven,
Yes, but I can’t, because the certificate doesn’t appear so I can mark it as trusted.
Only the Synology certificate appears.
Thank you for your help! :wink:
Pascal


#6

@PascalLacourneuve, the observation correctly made by @stevenzhu and @JuergenAuer is that the problem is on your Synology device, not on your iPhone.

Let’s Encrypt certificates are already trusted by iPhones without any further configuration. You don’t need to modify or configure anything on your iPhone at all.

Instead, you need to configure your Synology device so that it correctly presents your Let’s Encrypt certificate. This has not been done yet. Your Synology device is currently configured incorrectly and presents the wrong certificate. Since it’s the Synology device that has the incorrect configuration, this should be fixed on the Synology device, not on the iPhone.


#7

In Synology’s web interface, go to Control Panel > Security > Certificate.

Here you would be able to ask Let’s Encrypt for a certificate if you didn’t have one already, but someone already found that you do. So you should see a certificate for 2tbquk2vhxzuiue.synology.me listed here.

Select that certificate and click Edit, then select Set as default certificate and click Apply, and this should resolve your issue.


#8

Hi!
The problem isn’t on my Synology NAS. It works fine on my Mac with the 2tbquk2vhxzuiue.synology.me certificate.
I did configure my NAS as the image shows. And did what Patches described.
But I can’t authorize that same certificate on my iPhone because the option doesn’t appear.


#9

Hi,

The website is not working on my side…

You probably need to install a certificate on the server which is binding to port 5001 too…

Thank you


#10

Hi Steven,
It is normal that the website isn’t working as there is no website.
I use my Synology only for private access to my files through Drive or DS file.
Cheers
Pascal


#11

When I connect to https://2tbquk2vhxzuiue.synology.me/, it presents the correct certificate and immediately redirects me to https://2tbquk2vhxzuiue.synology.me:5001/, which presents the incorrect certificate. Is that the same thing that you see on your Mac? Is the certificate error not present for you after the redirection?

Edit: Did you previously add an additional trusted certificate on your Mac in order to make a certificate error message go away?


#12

You do not need to authorize the certificate on your iPhone. You do not need to authorize the certificate on your iPhone. You do not need to authorize the certificate on your iPhone. You do not need to authorize the certificate on your iPhone. Please stop thinking you need to do this, because you don’t. Your problem is that your Synology box is presenting the wrong cert:

 dan@Dan-MacBook-Pro-7  ~/Downloads  openssl s_client -connect 2tbquk2vhxzuiue.synology.me:443
CONNECTED(00000003)
depth=0 /C=TW/L=Taipei/O=Synology Inc./CN=synology.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=TW/L=Taipei/O=Synology Inc./CN=synology.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=TW/L=Taipei/O=Synology Inc./CN=synology.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=TW/L=Taipei/O=Synology Inc./CN=synology.com
   i:/C=TW/L=Taipei/O=Synology Inc./CN=Synology Inc. CA
---
Server certificate
-----BEGIN CERTIFICATE-----
[PEM body omitted]
-----END CERTIFICATE-----
subject=/C=TW/L=Taipei/O=Synology Inc./CN=synology.com
issuer=/C=TW/L=Taipei/O=Synology Inc./CN=Synology Inc. CA
---
No client certificate CA names sent
---
SSL handshake has read 1753 bytes and written 456 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES128-SHA
    Session-ID: B8536FE7CFABEA7E30E13695F2F3605376E546153709F2058E8D61E283A840C5
    Session-ID-ctx: 
    Master-Key: 2F7FDC0969AEF9628E39EA6659D167F5E2D11199B8391561EC5B824EF3318EFCC2A52E09ABF223D91E84DE0F2BB55AD3
    Key-Arg   : None
    Start Time: 1529704426
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---

Until you fix that configuration, nothing you do to your iPhone will matter.
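A small diagnostic in Go, added here as an example and not part of this thread or of Synology’s or Let’s Encrypt’s tooling, that does the same check as the openssl s_client run above on both ports (443 and the 5001 it redirects to) and also answers the later question of how to get more information: for each port it reports which certificate the server actually presents, whether the names on it cover the host, and whether it chains to a root in the local trust store. The host name and ports are the ones from this thread; the selfSignedForTest helper builds constructed sample certificates (one with CN=synology.com, one carrying the real host name in its SANs) so the reporting logic can be exercised offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Report holds the two checks every TLS client (Safari, the iPhone, curl)
// performs on the leaf certificate a server presents.
type Report struct {
	Subject, Issuer string
	DNSNames        []string
	NotAfter        time.Time
	NameMatches     bool   // certificate covers the host name we asked for
	ChainTrusted    bool   // chains to a root in the local trust store
	ChainError      string // why the chain was rejected, if it was
}

// diagnoseLeaf evaluates a leaf certificate for the given host name.
func diagnoseLeaf(leaf *x509.Certificate, host string) Report {
	r := Report{
		Subject:  leaf.Subject.String(),
		Issuer:   leaf.Issuer.String(),
		DNSNames: leaf.DNSNames,
		NotAfter: leaf.NotAfter,
	}
	r.NameMatches = leaf.VerifyHostname(host) == nil
	// Chain check against the system roots only: a correctly configured
	// server sends its own intermediates, so none are supplied here.
	if _, err := leaf.Verify(x509.VerifyOptions{}); err != nil {
		r.ChainError = err.Error()
	} else {
		r.ChainTrusted = true
	}
	return r
}

// fetchLeaf connects to addr (host:port) with SNI set to serverName and
// returns the leaf certificate the server actually sent. Verification is
// skipped on purpose so a wrong certificate can still be inspected;
// diagnoseLeaf does the real checking afterwards.
func fetchLeaf(addr, serverName string) (*x509.Certificate, error) {
	conn, err := tls.Dial("tcp", addr, &tls.Config{
		ServerName:         serverName,
		InsecureSkipVerify: true, // inspection only, never for real traffic
	})
	if err != nil {
		return nil, err
	}
	defer conn.Close()
	certs := conn.ConnectionState().PeerCertificates
	if len(certs) == 0 {
		return nil, fmt.Errorf("%s sent no certificate", addr)
	}
	return certs[0], nil
}

// selfSignedForTest builds a throwaway self-signed certificate with the given
// CN and SANs so the report logic can be exercised offline. Constructed sample
// data, not a real Synology or Let's Encrypt certificate.
func selfSignedForTest(cn string, sans []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     sans,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	host := "2tbquk2vhxzuiue.synology.me" // the host from this thread
	for _, port := range []string{"443", "5001"} { // 443 redirects to 5001
		addr := host + ":" + port
		leaf, err := fetchLeaf(addr, host)
		if err != nil {
			fmt.Printf("%s: %v\n", addr, err)
			continue
		}
		r := diagnoseLeaf(leaf, host)
		fmt.Printf("%s\n  subject: %s\n  issuer:  %s\n  SANs:    %v\n  expires: %s\n",
			addr, r.Subject, r.Issuer, r.DNSNames, r.NotAfter.Format("2006-01-02"))
		fmt.Printf("  name matches host: %v\n  chain trusted:     %v %s\n",
			r.NameMatches, r.ChainTrusted, r.ChainError)
	}
}
```

Run against the NAS, the 443 report should show a Let’s Encrypt issuer and a matching name while the 5001 report shows CN=synology.com and a chain error, which is exactly the split between “works on the Mac” and “not secure on the iPhone” described in this thread: a client that has had the Synology certificate added by hand passes the second check, a fresh iPhone does not.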


#13

Even if you’ve perhaps previously authorized the certificate on your Mac, this is really a workaround rather than a fix to the underlying problem. Let’s Encrypt certificates generally do not need to be authorized on individual client devices because they are issued by a CA that the devices already trust for this purpose. (In the same way, the certificate used on this forum is issued by Let’s Encrypt just like the certificate for your Synology device is, with the same general type and technical characteristics; you don’t have to authorize the forum’s certificate on most current IT equipment in order to visit this forum.)

As @danb35 pointed out and as I tried to suggest above, the certificate that’s presented on port 5001 is not the Let’s Encrypt certificate, and therefore the iPhone error is not related to the Let’s Encrypt certificate.


#14

Port 5001 gave the same result, but the test I posted was on port 443.


#15

That’s what I also see right now, but I thought I tested it before and saw something different.


#16

Thank you Schoen and Dan for your help.
OK, so this is not a problem on my phone.
I opened a ticket with Synology, but as it happened to work, they closed the ticket.
I updated the OS of the DSM.
Since then, “SynologyDrive - 1003” appeared, which was not present before. So I changed it to the “2tbquk2vhxzuiue.synology.me” certificate. Is that what I’m supposed to do?!
Now the links are not working.
I don’t know exactly what I did before. (This is all very, very new to me. And I don’t have any informatics background.)
How do I present the LE certificate to port 5001?


#17

[screenshot]


#18

[screenshot]
This is what I get in Safari now.


#19

“The connection is not secure”.

Is there additional information? Near the address or near https?


#20

I don’t know. How do I get more info?