Connection is not trusted (iOS only)


#1

Hi,

I have a simple API for my iOS app running on EC2 Ubuntu.
I’ve been using a LetsEncrypt cert for a while, but recently I started getting bug reports from users saying that the app isn’t working. Today it stopped working on my iPhone.

I tried to connect to the URL it is using and it says “Not trusted”:
https://api.dartoapp.com:9001/station/test1

On macOS Safari everything looks fine.
I renewed cert hoping that it will fix the problem but it didn’t help.

SSL Labs says that it should work on iOS, but it doesn’t.
https://www.ssllabs.com/ssltest/analyze.html?d=api.dartoapp.com

Here is the curl output:

~ ⟩ curl -kvI https://api.dartoapp.com:9001/station/test1
*   Trying 54.154.203.139...
* TCP_NODELAY set
* Connected to api.dartoapp.com (54.154.203.139) port 9001 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=api.dartoapp.com
*  start date: Mar 11 18:18:58 2018 GMT
*  expire date: Jun  9 18:18:58 2018 GMT
*  issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7ffeac806c00)
> HEAD /station/test1 HTTP/2
> Host: api.dartoapp.com:9001
> User-Agent: curl/7.54.0
> Accept: */*
>
* Connection state changed (MAX_CONCURRENT_STREAMS updated)!
< HTTP/2 200
HTTP/2 200
< content-type: application/json; charset=utf-8
content-type: application/json; charset=utf-8
< content-length: 471
content-length: 471
< date: Sun, 11 Mar 2018 19:38:24 GMT
date: Sun, 11 Mar 2018 19:38:24 GMT

#2

Hi @OgreSwamp,

You aren’t sending the full certificate chain. You’re only sending the end-entity certificate, not the intermediate certificate (that confirms that Let’s Encrypt is a trusted certificate authority).

For example, if you used Certbot you need to configure your server to use fullchain.pem, not just cert.pem.
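A quick way to confirm this from the outside is to look at the certificates the server actually sends in the handshake rather than trusting a browser or an SSL Labs result for a different port. The script below is an added example, not code from this thread or from Certbot; it assumes the openssl CLI is installed and takes the host and port (e.g. 9001) as arguments.

```shell
#!/bin/sh
# Added example: report how many certificates a TLS server sends. A count of 1
# means only the end-entity certificate is served (cert.pem instead of
# fullchain.pem), which clients that do not fetch missing intermediates reject.

# Keep only the PEM certificate blocks from `openssl s_client -showcerts` output.
extract_certs() {
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p'
}

# Count certificate blocks on stdin; prints 0 (instead of failing) when none.
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' || true
}

# Turn a chain length into a one-line verdict.
verdict() {
    case "$1" in
        0) echo "no certificate received (handshake failed?)" ;;
        1) echo "leaf only: server is not sending the intermediate" ;;
        *) echo "$1 certificates sent: chain looks complete" ;;
    esac
}

# Connect with SNI, print subject/issuer of every served certificate so a
# missing link is visible, then print the verdict. Returns 1 if incomplete.
check_chain() {
    host=$1; port=${2:-443}
    pem=$(openssl s_client -connect "$host:$port" -servername "$host" \
              -showcerts </dev/null 2>/dev/null | extract_certs)
    n=$(printf '%s\n' "$pem" | count_certs)
    tmp=$(mktemp -d)
    # One file per certificate, numbered in the order the server sent them.
    printf '%s\n' "$pem" | awk -v d="$tmp" \
        '/BEGIN CERTIFICATE/ { i++ } i { print > (d "/" i ".pem") }'
    for f in "$tmp"/*.pem; do
        [ -f "$f" ] || continue
        openssl x509 -in "$f" -noout -subject -issuer
    done
    rm -rf "$tmp"
    verdict "$n"
    [ "$n" -ge 2 ]
}

# Usage: ./check_chain.sh api.example.invalid 9001   (placeholder host)
if [ "$#" -ge 1 ]; then
    check_chain "$@"
fi
```

After switching the server to fullchain.pem the count should go from 1 to 2 (leaf plus the Let’s Encrypt intermediate), and the leaf’s issuer line should match the second certificate’s subject.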


#3

Probably the reason that this just started happening is described in this thread.

(Let’s Encrypt just changed something that made some incorrect configurations that worked before start displaying errors on some clients.)


#4

It’s misleading. SSL Labs is testing https://api.dartoapp.com/ on port 443, which is configured correctly.

If you’re not sure how to fix the https://api.dartoapp.com:9001/ web server configuration, could you post more about what ACME client is being used, what web server is being used, and how it’s configured?


#5

Thanks a lot.

@schoen’s answer did help: replacing cert.pem with fullchain.pem did work.
I’ll read the suggested post carefully.

Thanks a lot for a quick help!


#6

Great! :smile: Now the site’s configured correctly and will keep working whether or not Let’s Encrypt reverts the change they made, or if the culprit was something else.

