iOS clients problems with the certificate


I am testing Let's Encrypt on one of my root servers (Ubuntu 18.04.1 LTS minimal with Apache 2.4.29).

Installed the certificate via “certbot --apache” and got Rating A
Same on several other test pages like geocerts, digicert, htbridge etc., all Rating A.

Most browsers like FF, Chrome, IE handle my certificate as trusted, but not iOS devices like iPad (iOS 12.1.1) or iPhone (iOS 11.2.6).

They show a red URL-Bar on Safari.

Since those devices don’t allow the user to check the certificate, I have no idea what the problem is. Can anyone help?

Server: (will redirect)

PS: I thought at first the CA is not rooted in the iOS devices, but this page here from letsencrypt is not red and I use the same path in my certificate.


Are you sure you’re not visiting “” on those devices, for which the certificate is not valid? The difference is the missing “www.”.


Nope, www. included and also redirected globally to it


Well, #worksforme


Try adding WWW to the URL.


well, I am using a global redirect in the 000-default.conf like

Redirect /

But yes, the Safari shows just BUT if you click the URL-Bar it enlarges into (which seems to be used and should)

I am confused


Chicken or Egg? Which comes first?

That would be “after-the-fact”.
You would have to first connect to to get that redirection.
So you need certs for both names (or one cert with both names in it).
[so this would affect only new clients - and only those going to site without www]


ok, will try that. Thanks!


Is it your own iOS device that fails or users of yours?

If you can get a screenshot of the red URL bar or click through to the “View Certificate” screen, that might give a good clue about what’s happening on those devices:

Also, visiting on those devices to see if that succeeds could be informative too.



Hi @neo


www version is wrong ( ):

Domainname Http-Status redirect Sec. G
302 0.050 A
302 0.050 E
200 5.633 B
200 5.376 N
Certificate error: RemoteCertificateNameMismatch

Ssllabs doesn’t show an error if you check the (correct) non-www - version.

So create one certificate with both domain names and use that.
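
The name mismatch diagnosed in this thread, as an added example that is not part of the original posts: it checks which hostnames a certificate's subjectAltName entries fail to cover, including the name that only issues a redirect, since the TLS handshake happens before any redirect is sent. The `example.com` names and certificate dicts are constructed; the dict shape follows what Python's `ssl.SSLSocket.getpeercert()` returns.

```python
# Added example; all certificate data below is constructed for illustration.

def _norm(name):
    """Lower-case a DNS name and drop a trailing root dot."""
    return name.rstrip(".").lower()

def san_matches(pattern, hostname):
    """True if one dNSName entry covers hostname (RFC 6125 style rules)."""
    p_labels = _norm(pattern).split(".")
    h_labels = _norm(hostname).split(".")
    if len(p_labels) != len(h_labels):
        return False  # "*" stands for exactly one label, never zero or two
    if p_labels[0] == "*":
        # Wildcard only as the whole left-most label, and not directly on a TLD.
        return len(p_labels) > 2 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels

def dns_names(cert):
    """dNSName entries from a dict shaped like ssl.SSLSocket.getpeercert()."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]

def uncovered(cert, hostnames):
    """Hostnames a client would reject with a name-mismatch error."""
    sans = dns_names(cert)
    return [h for h in hostnames if not any(san_matches(s, h) for s in sans)]

# Constructed certificates: one name only, both names, wildcard only.
CERT_ONE_NAME = {"subjectAltName": (("DNS", "example.com"),)}
CERT_BOTH = {"subjectAltName": (("DNS", "example.com"),
                                ("DNS", "www.example.com"))}
CERT_WILDCARD = {"subjectAltName": (("DNS", "*.example.com"),)}

# Every name a client may type, including the one that only redirects.
SERVED = ["example.com", "www.example.com"]

if __name__ == "__main__":
    for label, cert in (("one name", CERT_ONE_NAME),
                        ("both names", CERT_BOTH),
                        ("wildcard only", CERT_WILDCARD)):
        print(f"{label}: not covered -> {uncovered(cert, SERVED)}")
```

Note that the wildcard-only certificate still leaves the bare domain uncovered, so it needs the apex name listed as well.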
