iOS clients problems with the certificate

Server
1

I am testing lets encrypt on one of my root-server (Ubuntu 18.04.1 LTS minimal with apache 2.4.29).

Installed the certificate via “certbot --apache” and got ssllabs.com Rating A
Same on several other test-pages like geocerts, digicert, htbridge etc. all Ratting A.

Most Browsers like FF, Chrome, IE handle my certificate as trusted, but not iOS devices like iPad (iOS 12.1.1) or iPhone (iOS 11.2.6).

They show a red URL-Bar on Safari.

Since that devices don’t allow the user to check the certificate, I have no idea what the problem is. Can anyone help?

https://crt.sh/?id=1134416759

Server: 176.9.136.117 (will redirect)

PS: I thought first the CA is not rooted in the iOS devices but this page here from letsencrypt is not red and I use the same path in my certificat.

2

Are you sure you're not visiting "https://innosec.ch" on those devices, for which the certificate is not valid? The difference is the missing "www.".

3

nope, www.included and also redirected global to it

4

Well, #worksforme

D5239EA5-05A5-4F2A-BCCA-191FE2F870B3
D5239EA5-05A5-4F2A-BCCA-191FE2F870B3.png640×1136 321 KB

5

Try adding WWW, to the URL.

6

well, I am using a global redirect in the 000-default.conf like

Redirect / https://www.innosec.ch

But yes, the Safari shows just innosec.ch BUT if you click the URL-Bar it enlarges into www.innosec.ch (which seems to be used and should)

I am confused

7

Chicken or Egg? Which comes first?

That would be "after-the-fact".
You would have to first connect to https://innosec.ch to get that redirection.
So you need certs for both names (or one cert with both names in it).
[so this would affect only new clients - and only those going to site without www]

8

ok, will try that. Thanks!

9

Is it your own iOS device that fails or users of yours?

If you can get a screenshot of the red URL bar or click through to the “View Certificate” screen, that might give a good clue about what’s happening on those devices:

C00B3ECD-0A87-4F0C-987E-5D5CFD49C1F9
C00B3ECD-0A87-4F0C-987E-5D5CFD49C1F9.png640×1136 46.9 KB

Also, visiting https://letsencrypt.org on those devices to see if that succeeds could be informative too.

10

image
image.png640×1136 115 KB

11

Hi @neo

your

www version is wrong ( https://check-your-website.server-daten.de/?q=innosec.ch ):

Domainname Http-Status redirect Sec. G
http://innosec.ch/
176.9.136.117 302 https://innosec.ch/ 0.050 A
http://www.innosec.ch/
176.9.136.117 302 https://innosec.ch/ 0.050 E
https://innosec.ch/
176.9.136.117 200 5.633 B
https://www.innosec.ch/
176.9.136.117 200 5.376 N
Certificate error: RemoteCertificateNameMismatch

Ssllabs doesn't show an error if you check the (correct) non-www - version.

So create one certificate with both domain names and use that.

1 Like
12

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.