iTunes rejecting LE certs?


Apple can fix this as @pfg said. It’s just a matter of them choosing to do so. Why don’t we all open tickets with them specifically requesting that they add LE support?

I found this email for opening tickets for podcast-related stuff: If we all message them, creating a bunch of tickets, hopefully it’ll put some pressure on to update their trust store and let us use LE for podcasts.

EDIT: if you want to make it really easy, here’s what I wrote so you can copy/paste:

​Please update your SSL trust store to include Let’s Encrypt SSL certificates! iOS, OSX, and macOS all trust Let’s Encrypt sites, so please add it to iTunes as well. It’s extremely frustrating that we can’t submit podcast feeds that are SSL encrypted using Let’s Encrypt. Let’s Encrypt is backed by Google, Mozilla, Automattic, and others. Please fix this asap. ​


Already done that - 26th Feb 2016:

"Hello Tim,

Regarding LE certificates, I thank you for the feedback, and will forward your comments to the appropriate team.

Please let us know if we can assist with anything further.

For reference, your case number is xxxxxxxxx.

Apple Inc."


Maybe not Google and Mozilla, but it’s not just them causing a fuss about this?

The whole thing just leaves a nasty taste in my mouth…I understand the problems, but as you can see from this thread there always has been a residual hatred of StartSSL. And it’s not great, but as this whole thread proves, LE is far from a replacement.

‘Just’ modify the trust store? You make it sound easy, but Apple is a corporation.

Also nice that you’re comfortable enough or not affected enough (or not caring enough) that it’s an ‘inconvenience’. Us in the real world outside of encryption geekery - which is what LE has to appeal to, and was supposed to open the door to - have a different response to having to probably buy SSL certificates that they cannot afford?

I’m guessing you’re in the ‘just $5’ set (which it isn’t because I have multiple podcasts) that I’ve encountered before? Well unless I start making advertising revenue, dunno where that extra money is coming from…


(I could add the case number if you want, I couldn’t think of how someone could abuse it but just in case I didn’t add it, but if someone is approaching them, it’s well worth pointing out it was raised nearly a year ago)


You’re right - people who’ve been keeping track of their issues for quite some time have been outspoken about this, even before the final events that lead to their removal. The vast majority of them don’t work for CAs. StartCom has had incidents before, and they didn’t make any friends when they refused to revoke certificates that were potentially compromised by Heartbleed either.

I don’t know, I’m more concerned about the fact that a corporation the size of Apple doesn’t have procedures that would allow them to update their trust store in the event that a CA is compromised (which has probably happened a couple of times since their last Java update :smile:).

Sadly, I’m quite familiar with this kind of corporate inertia, but I’d rather not base root program policies around them.

Let’s not lose track of the big picture here. This is one use-case, one vendor, one particular application. Let’s Encrypt works (and is free) for a myriad of others. It’s not always possible to make every single person happy, and in this case, it’s outside of the control of Let’s Encrypt. I understand your frustration, but it’s misdirected and your suggestion to keep trusting CAs that would work for your use-case even though they’re a risk to the ecosystem is a bit short-sighted.


@fingertrouble rather than debating it here further, let’s reach out to the podcast community and encourage them all to open tickets with Apple as I previously suggested. Apple’s going to add Let’s Encrypt to it’s trust store at some point. But if they get a big push from the community, maybe we can get them to act much quicker than they otherwise would. We could even reach out to hosting companies that use Let’s Encrypt for free SSL as well. It’s in their interest to have it work everywhere, so they might also be able to apply some pressure. Squarespace, Flywheel, and CloudWays all come to mind. I’d think there are many more.


Upload to Youtube? Host your own site? Who forces you to use specifically Apple for this? And why are you complaining to LE here? Apple needs to update their Java base, or Oracle needs to update the cert store for older Javas. There is absolutely no point in keeping old cert stores out of sync with the latest version.

So use your customer power, since you’re an Apple customer. Surely they must do everything to keep customers happy, seeing the prices they charge for everything, no? Go be an informed and responsible market participant and don’t come trashing the small project that enables people to get a cert for free and that is doing so much to actually make the world better.


iTunes is kinda the de-facto standard for podcasts. Most podcast apps and such pull from iTune’s API. So you have to be listed on iTunes, if you want any kind of real distribution or exposure. So it’s not really an option to go elsewhere. But we can submit lots of tickets asking them to fix this.

And nobody’s uploading to iTunes. The podcasts are hosted on the individual sites or cloud services like Amazon S3. The problem here is if you submit an https feed (with your podcast episode info and file location) for the podcast to iTunes, it won’t take it if it’s a Let’s Encrypt SSL cert (or a few others it sounds like) on there.


Wait, what? So they don’t even host that stuff? They’re just… being in the way with their outdated Java crap? Hilarious.


Yep. Pretty ridiculous. And unfortunately they’re the podcasting gatekeepers. :frowning:


Sadly yes. But a lot of people use iTunes for their podcasts, and many sites pull stuff via there too…it’s like not being on YouTube if you create a video. Yes there is Vimeo, Dailymotion et al, but bar maybe Fb Video, there isn’t the audience elsewhere. In fact I’d say iTunes now Zune et al is gone is probably the only really big site for podcasts. There ARE others, but like Vimeo to YT, it’s a massive drop in users, probably more than that ratio.


It looks like the folks at Apple have silently updated their java backend because I tested an https feed today and it validated on iTunes Podcast Connect. They have yet to update their FAQ.


symantec also had enough problems and they are only forced to do CT and that only in chrome, other browsers dont care.


Great news! It sounds like iTunes now supports Let’s Encrypt certificates. Thanks for helping to make that happen, everyone!

Is Apple blocking LE-Certificates?

I’d like to take credit for this, since it came within weeks of me suggesting we all open tickets… But let’s face it, even if it were true, you’d all rip me a new one for being so pretentious. :grin:

THIS IS EXCELLENT NEWS! Merry Christmas to all podcasters and all us webmasters with clients who are podcasters.