iTunes rejecting LE certs?


It seems since I upgraded all my certs to LE, one of my sites has dropped off the iTunes podcast category, and the other one is saying ‘Can’t read the feed’ in the new Podcast Connect with the wonderful error:

“PKIX path building failed: unable to find valid certification path to requested target”

Looking further, it seems, if PowerPress is to be believed, that Apple doesn’t support LE certificates? :frowning: As detailed halfway down this page:

Will this be rectified? I don’t really like having to switch my podcast sites back to HTTP.



Well, just in case that helps, Java doesn’t come with the DST Root CA integrated as trusted…


This looks like a Java error, so I’m guessing it’s as Jason says: Java doesn’t include IdenTrust’s “DST Root CA X3” in its trusted roots. Let’s Encrypt depends on a cross-signature from that in order to be trusted on existing platforms.

It’s surprising that iTunes is using Java’s root store rather than Apple’s (which does include DST Root CA X3). I think it would be reasonable to file an issue with Apple for iTunes to use the system root store. Unfortunately in the meantime, I think your options are to use a different CA for your podcasts or switch back to HTTP. Sorry not to have a better answer, and thanks for trying Let’s Encrypt!


I heard about this several times. It was also reported that Apple does not support SNI for iTunes backends.


I’m running into the exact same problem as @fingertrouble. Is it possible to make it so that the Let’s Encrypt certificate simply excludes the RSS Feeds that Apple reads (for podcasts)?


What you’re asking for is not technically feasible.

Go and get a commercial certificate that chains back to a root CA supported by all your target audience’s clients. This certificate doesn’t necessarily have to cover all your webspace but just the RSS or other iTunes stuff. Perhaps you want to issue it for only. Single domain certs are quite inexpensive these days.


What you can do is allow http requests for your RSS Feed


You don’t need to spend money, you can use a free StartSSL certificate. I had that on the domain previously.

It’s just annoying that I moved to using LE because they are a complete faff to renew (that site with the browser certs!) and less flexible than LE certificates.


Sorry … forgot to mention that I only count on ECDSA keys these days (hint: my nick …). The guys from StartCom just don’t care to support ECDSA keys. Is there any other free CA issuing such certificates? And of the commercial offerings, still not all support issuing ECC certificates. The page I linked offers cheap certificates which support ECC certificates in an ECC-only certificate chain, which is the next big thing for LE, btw.


I know StartCom aren’t the greatest - which is why I tried to move to LE. But the core part of LE is that it’s free?

They know, as everyone knows, a lot of people won’t pay out £5+ per domain per year, for every domain (or more for the more expensive wildcard certs). Which gets in the way of the idea of making the whole web HTTPS/encrypted. After all the other stuff I have to pay, I don’t have money for that too.

So you want extra key security - fine, pay for it. But for us people just wanting a basic working SSL it’s good enough. I’m not running shopping carts or transporting sooper-sekrit documents, I just want better Google rankings. And give my readers a chance to avoid NSA snooping on their stuff - but those readers aren’t paying me a dime, so I dunno where this money for extra whizzy security would magically come from?


I’m not familiar with iTunes’ particular fun and games, but I agree that this is a Java error – and if you have access to the JRE command-line tools, you should be able to add any cert you want to the store.

# Import the root into the JRE’s default truststore; a separate site .jks only
# helps if the application is pointed at it with -Djavax.net.ssl.trustStore.
keytool -import -trustcacerts -alias dstrootcax3 -file DST_Root_CA_X3.pem -keystore "$JAVA_HOME/lib/security/cacerts"

or something similar can be used to insert the CA cert.


Oh, and if it claims you need a password and you don’t remember setting a password, it is almost certainly changeit or a variant such as ChangeIt.


@dsr: I think the poster is more concerned that the listeners of their podcast won’t be able to access it. The listeners probably won’t want to run a scary command line just to hear a podcast. :slight_smile:


This is about the Apple side of the iTunes server stuff…

IIRC Apple uses Java 1.6 and, thus, also doesn’t support SNI.


How so? Renewing is pretty simple to me: validate domains (less than a minute per domain if you are quick), create a blank CSR (it literally ignores everything except the key),
upload it, enter your domains and get your cert. Can’t be much easier.


For one domain - maybe. I have many domains on one server.

You skipped a few steps - you have to validate each domain, edit the Apache site confs, add in the certs, upload the certs and change the permissions on them. Then check each one in SSLLabs. Everything but the latter LE does for you.

StartCom isn’t that fast either, with the browser certificates, and is pretty slow generating each one… and pretty sure blank CSRs are a bad idea?

That doesn’t take ‘a minute’ unless you already have those sites enabled for HTTPS (in which case you’re renewing, not adding HTTPS from scratch as I was to domains I couldn’t be arsed to jump through StartCom’s hoops). Or your idea of a minute is more like 15-30 mins at best. Per domain.


Well, I am usually pretty quick; on some occasions I need to wait a while before I can get the cert, but LE takes a lot of “fun” from me because the client doesn’t work in Windows etc. etc. etc.

And while an empty CSR isn’t generally the best idea, the only things that will be in the cert are the domains and the key, and the only thing the CSR proves is that you do have the private key and want a cert for the content in question; but it wouldn’t make much sense in the first place to make a cert for something where you don’t have the key, so I think in this case (pure domain validation) this is not that much of a problem.

Also I don’t get how it is so problematic. I usually only get a mail to my whois and/or admin mail and enter the code in there, and usually the mail is there instantly, making validation pretty quick.
LE certs do have the advantage of letting you use more than the 5 domains StartSSL does these days (can be up to 10 since StartSSL includes the root of the listed domains).
And the best part: you only need to verify each root domain and not each and every little subdomain; also you don’t need to verify over and over again when trying to get multiple certs with the same domain, since the domain validation is stored for 30 days.
And since StartSSL, with the recent new design and everything, also seems to work with .tk domains, it’s even better.


I’m having the same problem… but it seems to be specifically an LE issue. A couple of other commenters here have mentioned SNI, but my previous cert (a commercial one) didn’t have this problem, despite being configured for SNI.

@tdelmas mentions allowing http requests for the feed, but we use HSTS on our entire domain, which prevents using any http requests.

Interestingly, neither the iTunes desktop software client nor Apple’s Podcasts client for iOS have any problem with our feed and are receiving new episodes with no problem since we installed our LE cert 2 episodes ago. So it appears to just be a problem with the main iTunes Store RSS client.

Another interesting item to note: Apple’s mirror for our feed (displayed in the Podcasts Connect area) works just fine. Since we do not provide a non-https feed, it must also be successfully reading our secure feed.

Perhaps there’s a way to apply some pressure to Apple to accept LE certs? Shall we start a Tweetstorm?


As a follow-up, I petitioned iTunes support via the PodcastsConnect website. After quite a bit of back and forth helping them understand the nature of the issue, my ticket was escalated.

Ultimately, here’s the response I got:

Hi David,

To continue using SSL, many podcasters note the following SSL certificates work well. Consider using one of the following (iTunes will update in 24 hours):

Or, redirect to a non-SSL feed. iTunes will update in 24 hours.

Thank you,

(I’ve removed the links for obvious reasons)

Sadly, it doesn’t seem possible (at this time) to cut through the bureaucracy at Apple far enough to have them take a second look at this issue.

So, I’ve been forced to switch to a commercial cert in order to allow our podcast listing to be updated. I’ll continue to use LE for other purposes, but for our main website / podcast, it hasn’t worked out because of this Apple / iTunes issue.


Good work! But sad about the terrible response from Apple. This doesn’t surprise me, they seem to have lost interest in podcasters, I’ve had a lot of problems even before this with them deleting my feed. And Podcast Connect is frankly shite.

But you don’t need to use a commercial cert; what they don’t tell you is a free cert from StartSSL works fine. Obviously I’d rather use LE, I was planning to move completely til this happened… but annoyingly I seem still tied to StartCom. Maybe in a year they’ll have changed their mind… or I might abandon my feeds in iTunes. The latter is very tempting since it’s such a struggle to keep them up there.