iOS clients problems with the certificate


#1

I am testing lets encrypt on one of my root-server (Ubuntu 18.04.1 LTS minimal with apache 2.4.29).

Installed the certificate via “certbot --apache” and got ssllabs.com Rating A.
Same on several other test pages like geocerts, digicert, htbridge etc., all Rating A.

Most browsers like FF, Chrome, IE handle my certificate as trusted, but not iOS devices like iPad (iOS 12.1.1) or iPhone (iOS 11.2.6).

They show a red URL-Bar on Safari.

Since those devices don’t allow the user to check the certificate, I have no idea what the problem is. Can anyone help?

https://crt.sh/?id=1134416759

Server: 176.9.136.117 (will redirect)

PS: I first thought the CA is not rooted in the iOS devices, but this page here from letsencrypt is not red and I use the same path in my certificate.


#2

Are you sure you’re not visiting “https://innosec.ch” on those devices, for which the certificate is not valid? The difference is the missing “www.”.


#3

Nope, www is included and also redirected globally to it.


#4

Well, #worksforme


#5

Try adding WWW to the URL.


#6

Well, I am using a global redirect in the 000-default.conf like

Redirect / https://www.innosec.ch

But yes, Safari shows just innosec.ch, BUT if you click the URL bar it expands into www.innosec.ch (which seems to be used, and should be).

I am confused


#7

Chicken or Egg? Which comes first?

That would be “after-the-fact”.
You would have to first connect to https://innosec.ch to get that redirection.
So you need certs for both names (or one cert with both names in it).
[so this would affect only new clients - and only those going to site without www]


#8

OK, will try that. Thanks!


#9

Is it your own iOS device that fails or users of yours?

If you can get a screenshot of the red URL bar or click through to the “View Certificate” screen, that might give a good clue about what’s happening on those devices:

Also, visiting https://letsencrypt.org on those devices to see if that succeeds could be informative too.


#10


#11

Hi @neo,

your www version is wrong ( https://check-your-website.server-daten.de/?q=innosec.ch ):

Domainname               Http-Status  redirect              Sec.   G
http://innosec.ch/
  176.9.136.117          302          https://innosec.ch/   0.050  A
http://www.innosec.ch/
  176.9.136.117          302          https://innosec.ch/   0.050  E
https://innosec.ch/
  176.9.136.117          200                                5.633  B
https://www.innosec.ch/
  176.9.136.117          200                                5.376  N
  Certificate error: RemoteCertificateNameMismatch

Ssllabs doesn’t show an error if you check the (correct) non-www version.

So create one certificate with both domain names and use that.
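The point made in #7 and #11 (the TLS handshake for the name the user typed happens before any HTTP redirect can be delivered, so the certificate must list both innosec.ch and www.innosec.ch as subject alternative names) can be checked with the following added example. It is not code from this thread or from Let's Encrypt. It models hostname matching against a certificate's subjectAltName the way a browser does it, using constructed certificate dictionaries in the shape Python's ssl.getpeercert() returns (the real innosec.ch certificates are not reproduced here; which of the two names was actually missing is what the thread is debating, and the check is the same either way). The fetch_peer_cert helper, which needs network access and is not exercised offline, is an assumption about how one would pull the live certificate for inspection from a machine that, unlike iOS Safari, lets you look at it.

```python
"""Model how a TLS client decides a certificate 'name mismatch'.

Added example, not code from the thread. The certificate dictionaries
below are constructed in the shape Python's ssl.SSLSocket.getpeercert()
returns; they are not the real innosec.ch certificates.
"""
import socket
import ssl

# Constructed: a certificate that covers only one of the two names.
CERT_ONE_NAME = {
    "subject": ((("commonName", "www.innosec.ch"),),),
    "subjectAltName": (("DNS", "www.innosec.ch"),),
}

# Constructed: one certificate with both names as SAN entries, which is
# what #7 and #11 recommend (for example via
# "certbot --apache -d innosec.ch -d www.innosec.ch").
CERT_BOTH_NAMES = {
    "subject": ((("commonName", "innosec.ch"),),),
    "subjectAltName": (("DNS", "innosec.ch"), ("DNS", "www.innosec.ch")),
}


def dns_names(cert):
    """DNS names the client may match against.

    Browsers (including iOS) follow RFC 6125: when a subjectAltName
    extension is present, only its DNS entries count and the CN is ignored.
    """
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def pattern_matches(pattern, host):
    """Match one SAN entry against a hostname, allowing a left-most '*' label."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    first, _, rest = pattern.partition(".")
    if first != "*" or not rest or "*" in rest:
        return False  # only '*.example.tld' style wildcards are accepted
    host_first, _, host_rest = host.partition(".")
    return bool(host_first) and host_rest == rest


def hostname_matches(cert, host):
    """True if the certificate is valid for this hostname."""
    return any(pattern_matches(p, host) for p in dns_names(cert))


def simulate_visit(typed_host, cert, redirect_to=None):
    """Order of operations for https://<typed_host>/ followed by a redirect.

    Returns a list of (step, hostname, ok). The handshake for the typed
    name happens first; the redirect can only be delivered after that
    handshake succeeds, so a mismatch on the typed name ends the visit
    with a red URL bar and the redirect is never seen.
    """
    steps = [("tls handshake", typed_host, hostname_matches(cert, typed_host))]
    if not steps[-1][2] or not redirect_to:
        return steps
    steps.append(("http redirect", redirect_to, True))
    steps.append(("tls handshake", redirect_to, hostname_matches(cert, redirect_to)))
    return steps


def fetch_peer_cert(host, port=443):
    """Pull a live certificate for inspection (needs network; not run offline).

    Hostname checking is switched off on purpose so that a mismatched
    certificate is still returned for inspection; chain validation against
    the system trust store stays on.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    for label, cert in (("one name", CERT_ONE_NAME), ("both names", CERT_BOTH_NAMES)):
        print(label, simulate_visit("innosec.ch", cert, redirect_to="www.innosec.ch"))
```

With the single-name certificate the simulation stops at the first handshake for innosec.ch, exactly the situation #7 describes: the redirect in 000-default.conf is never reached. With both names in one certificate the same visit completes. Note also that ssllabs and similar checkers only test the hostname you type into them, which is why testing one of the two names can report an A while the other name still fails.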