Invalid Certificate on some Apple devices

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: www.soundandvision.org.uk

My web server is (include version): Apache/2.4.41

The operating system my web server runs on is (include version): Ubuntu Server 20.04.3

I can login to a root shell on my machine: Yes

The version of my client is: Certbot 0.40.0

One of the WordPress sites we host in house has started playing up. All the other sites work fine and it seems the problem started when the certificate auto renewed 8 days ago. The site works fine on every type of browser and device we can test it on, but a few iPhone and MacBook users are getting an Invalid certificate warning.

Firefox gives a warning but shows the certificate from the server correctly

"https://www.soundandvision.org.uk/

Unable to communicate securely with peer: requested domain name does not match the server's certificate.

HTTP Strict Transport Security: false
HTTP Public Key Pinning: false
"

I ran it on SSL shopper and it passed with flying colours, so I'm not sure where to look. Any help much appreciated!

Barry

Welcome to the community @BarryCambridge

I see you have a cert for soundandvision.org.uk but that cert does not have the www subdomain in it. So, requests using www domain will give that error but requests using the apex name should be fine (unless you redirect them to www).

I don't know why this would be new though. Your prior certs since Dec 2021 were all like this:


Thanks Mike! I've had issues before with www. and I did try using both versions of the URL on other browsers where it works fine. It seems strange that it's just the Apple devices that are affected.

I'm not sure how to correct this? I'd have selected 'redirect all' when I set the certificate up

Thanks
Barry


If you don't have a certificate that covers the "www" name, then this redirection will create a problem for such "www" visitors:

curl -Ii http://www.soundandvision.org.uk/
HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2022 14:55:52 GMT
Server: Apache/2.4.41 (Ubuntu)
X-Redirect-By: WordPress
Location: https://www.soundandvision.org.uk/
Content-Type: text/html; charset=UTF-8

Sorry to be slow but how do I create a certificate for the www domain?

Include the www name along with the apex domain in your certificate request.
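A way to check for the mismatch diagnosed in this thread, added here as an example and not code from any poster or from Certbot: it reads the DNS names out of text in the shape printed by `openssl x509 -noout -ext subjectAltName` and reports which names visitors reach, including the host in a redirect's `Location` header, are not covered. The function names and both certificate samples are constructed for illustration.

```python
import re

# Constructed sample: subjectAltName text for a certificate holding only the
# apex name (the situation described in this thread).
SAN_APEX_ONLY = """X509v3 Subject Alternative Name:
    DNS:soundandvision.org.uk
"""
# Constructed sample: the same output after reissuing with both names.
SAN_BOTH = """X509v3 Subject Alternative Name:
    DNS:soundandvision.org.uk, DNS:www.soundandvision.org.uk
"""
# Subset of the response head from the curl output quoted in the thread.
REDIRECT = ("HTTP/1.1 301 Moved Permanently\r\n"
            "Location: https://www.soundandvision.org.uk/\r\n")

def dns_sans(openssl_text):
    """Extract the DNS entries from the subjectAltName text, lowercased."""
    found = re.findall(r"DNS:([^,\s]+)", openssl_text)
    return [name.lower().rstrip(".") for name in found]

def name_matches(host, pattern):
    """Match a host against one SAN entry. Only a '*' that is the whole
    left-most label is treated as a wildcard; it covers exactly one label."""
    host_labels = host.lower().rstrip(".").split(".")
    pat_labels = pattern.lower().rstrip(".").split(".")
    if len(host_labels) != len(pat_labels):
        return False  # so *.example.com never covers example.com itself
    if pat_labels[0] == "*":
        return host_labels[1:] == pat_labels[1:]
    return host_labels == pat_labels

def redirect_host(headers):
    """Host of an https:// Location header in a raw response head, or None."""
    m = re.search(r"^Location:\s*https://([^/:\s]+)", headers, re.I | re.M)
    return m.group(1).lower() if m else None

def uncovered(names, openssl_text):
    """Names, in input order, that no SAN entry in the certificate covers."""
    sans = dns_sans(openssl_text)
    return [n for n in names if not any(name_matches(n, s) for s in sans)]

if __name__ == "__main__":
    served = ["soundandvision.org.uk", redirect_host(REDIRECT)]
    for label, text in (("apex-only", SAN_APEX_ONLY), ("reissued", SAN_BOTH)):
        print(label, "-> uncovered names:", uncovered(served, text))
```
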

I'm clearly having a bad day - I've done this many times before and now I've just run certbot again, I can see the www.domain listed!

I've rerun the certificates and expanded to the www domain, so hopefully that's fixed it

Thanks for the help all

Barry

Yes, looks good. Both names are again in the cert sent by your server.


Excellent - thanks again

