iTunes rejecting LE certs?


#19

As a follow-up, I petitioned iTunes support via the PodcastsConnect website. After quite a bit of back and forth helping them understand the nature of the issue, my ticket was escalated.

Ultimately, here’s the response I got:

Hi David,

To continue using SSL, many podcasters note the follow SSL certificate work well. Consider using one of the following ( iTunes will update in 24 hours):
httpx://www.godaddy.com/ssl/ssl-certificates.aspx
httx://www.symantec.com/ssl-certificates
httpx://www.thawte.com/ssl/
httpx://www.globalsign.com/en/ssl/
httx://www.entrust.net
httpx://www.geotrust.com/ssl/
httx://www.affirmtrust.com
httpx://ssl.comodo.com

Or, redirect to a non-SSL feed. iTunes will update in 24 hours.

Thank you,

(I’ve removed the links for obvious reasons)

Sadly, it doesn’t seem possible (at this time) to cut through the bureaucracy at Apple far enough to have them take a second look at this issue.

So, I’ve been forced to switch to a commercial cert in order to allow our podcast listing to be updated. I’ll continue to use LE for other purposes, but for our main website / podcast, it hasn’t worked out because of this Apple / iTunes issue.


#20

Good work! But sad about the terrible response from Apple. This doesn’t surprise me, they seem to have lost interest in podcasters, I’ve had a lot of problems even before this with them deleting my feed. And Podcast Connect is frankly shite.

But you don’t need to use a commercial cert, what they don’t tell you is a free cert from StartSSL works fine. Obviously I’d rather use LE, I was planning to move completely til this happened…but annoyingly seem still tied to Startcom. Maybe in a year they’ll have changed their mind…or I might abandon my feeds in iTunes. The latter is very tempting since it’s such a struggle to keep them up there.


#21

Unfortunately, StartSSL / Startcom certs are likely to not be trusted in the not-too-distant future, thanks to a nasty flaw in their DC validation process:

In any event, I’m not willing to go down that road at the moment.


#22

In addition to iTunes having a problem, after enabling SSL on my RSS feeds, I received a bunch of reports from listeners that reported they were unable to download my podcasts. It looks like several apps on Android (DoubleTwist, BeyondPod) as well as Microsoft’s Podcast app on Windows Phone had issues. As soon as I disabled SSL, they were able to automatically download the episodes. This is going to be a big issue for a lot of podcasters, but hopefully this gets ironed out over the coming months with platforms and apps getting updated.


#23

Besides copy&paste media, I’ve not seen anyone actually blaming StartSSL CA after this report or even indicating the respective Root CA was about to be banned.

Note that this was, in the end, a false claim. See StartCom’s response.

https://startssl.com/NewsDetails?date=20160322


#24

Also the next day StartCom started using Certificate Transparency on all their certs:

https://www.startssl.com/NewsDetails?date=20160323

As this is apparently better than Google, and I suspect other CAs haven’t even done this yet, I doubt they will be ‘banned’.

BTW I’m no apologist for StartSSL - there was a real issue with them charging for Heartbleed re-issuing of certs which I thought was really crappy (but that issue is over now, as it’s well over a year so all certs will have expired). Hence why I wanted to switch ALL my sites to LE .And to some extent you get what you pay for…but it’s not fair to claim they are somehow ‘insecure’.


#25

It doesn’t appear to just be iTunes, but now I’m getting reports that iHeart Radio stopped processing feeds because of a move to SSL using Let’s Encrypt. This is really bizarre and I have no idea why they don’t like the certificate.


#26

Possibly they don’t have trust for the root. The way it was mentioned earlier, Apple is using Java on their backend, which doesn’t include the DST root. It may be similar for iHeartMedia.


#27

What I did, was simply create a sub-domain that was not on HTTPS feed.mydomain.com, and used PHP to copy my feed into the index of the new url. So instead of www.mydomain.com/feed/podcast, my new feed is just feed.mydomain.com.

Supper sketchy, but it works, and ITunes accepted it.

Here is my php code

<?php
$content = file_get_contents('https://www.learnjazzstandards.com/feed/podcast/');
$content = new SimpleXMLElement($content);
Header('Content-type: text/xml');
print($content->asXML());
?>

#28

Received an email from iTunes Podcast Connect today titled “Podcast News & Announcements.” They now seem to be pushing SSL, which is a first. Previously, they only hinted at requiring it in the future at an unknown date. Doesn’t look like they fixed the Java backend in iTunes, because they provided a list of recommended certificate authorities and not Let’s Encrypt.

iTunes desktop and the Podcasts app for iOS and tvOS both support HTTPS protocol for metadata, cover art, and episode files. We require an SSL certificate from one of the following providers:

https://www.godaddy.com/ssl/ssl-certificates.aspx
http://www.symantec.com/ssl-certificates
https://www.thawte.com/ssl/
https://www.globalsign.com/en/ssl/
http://www.entrust.net
https://www.geotrust.com/ssl/
http://www.affirmtrust.com
https://www.comodo.com/


#29

and also not identrust, which essentially backs LE.


#30

And oddly not mentioning StartSSL - which does work…

Although apparently that support might not be always there either, I forget what reason, something to do with the type of certificate? :-/


#31

I haven’t looked at this issue since June and it’s still a problem. Just today I noticed iTunes podcast connect throwing the following message:

“Can’t read your feed. sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target”


#32

Thanks for the update, @zerodistraction – I suspected it was still true, but I appreciate your confirming this.


#33

Well @ecdsa-chacha20 – I may not have chosen the most reliable source to link to at the time, but within the security community, StartCom has known to be problematic for quite some time.

Mozilla certainly seems to think there’s something to the problem:
https://blog.mozilla.org/security/2016/10/24/distrusting-new-wosign-and-startcom-certificates/


#34

Oh, come on @TheDavidJohnson, there has been quite some other news around StartCom and WoSign since April. Where’ve you been all the time?


#35

:grin: I’ve been tracking it all along, but I’d forgotten we discussed it in this thread. Since I was in here today for another reason, I thought we better have an update of some kind about StartCom for the sake of anyone who stumbles across this thread and isn’t aware…


#36

Aware of that, although my StartSSL sites seem to be still OK in Firefox and my podcasts are also still in iTunes.

Would love to know of another free cert that works with iTunes? I don’t think there is one. Yes I know there are paid alternatives, but given I have no money coming in atm, all unessential costs like SSL certs are banned. Saying it’s ‘only $5’ when I don’t have those $5 doesn’t really help.

Security community can throw their toys out of the pram, but if they block StartSSL then I’ll just have to live with that browser not working with my sites. shrug. Their choice. I suspect a lot of other Startcom users will be similar…


#37

“That browser” in this case being Chrome, Firefox and I think also Safari. So, basically everything people actually use besides Internet Explorer, for now (Microsoft are sometimes slow to decide policy on these things, but a Patch Tuesday can change the installed CA certificates on every Windows PC overnight…). The announced policy change is to reject new certificates, to avoid disruption for people like you whose certificates appear to have been issued in good faith prior to the announcement. This may have to change if there is further misbehaviour involving fake timestamps.

I presume that eventually Apple will catch up to the modern era and the Let’s Encrypt certificates will work with iTunes, but that’s really up to Apple and/or their customers.


#38

And if enough sites get blocked then it’ll backfire. Safari and Apple don’t do the same program as Mozilla, they’re separate. Firefox - given today’s news about the 0-day exploit on Windows that wouldn’t be much of a loss, I think FF is on the way out tbh - and maybe Chrome.

It would be annoying, but since I don’t have the $$$s to change it, and I obviously can’t change how these spats play out, not much I can do about it.

Best I could do is go back to HTTP. Big woop for security, there. slow clap. I think SOME encryption is better than none, but those stressing about this seem to want to force people to pay for certs that offer no extra security, really. I wonder if they work for the paid CAs? I betcha they do.