LetsEncrypt and iPad problem after renew


#1

I am using a LetsEncrypt cert for my Domoticz instance installed on a Raspberry Pi. The installation was made in accordance with the Domoticz wiki. It works correctly on all platforms and in all browsers.
After 90 days I had to renew the certificate and reinstall it. After installing the new certificate, the situation is as follows:

  • Windows works correctly in all browsers (Edge, IE, Chrome, Firefox)
  • Linux works correctly in Firefox and Chrome
  • Android works correctly on Chrome, Firefox and dedicated client
  • iPad Air gets the “Domoticz is off-line” message in Safari, Chrome and Firefox. But the dedicated client works correctly (it requires a qualified certificate by default)

Of course, I cleaned the caches of all browsers on the iPad. So what’s the problem? Why can’t I get access to Domoticz from an iPad through any browser? Any idea?


#2

Hi @mackowiakp, what’s your domain name?

This kind of problem is often due to a different configuration between IPv6 and IPv4, or to missing the intermediate certificate in your web server configuration.
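The second cause named here, a web server that sends only its own certificate and not the intermediate, is easy to test for. The script below is an added example for this thread, not code from any of the posters or from the Domoticz project: it parses the certificate listing that `openssl s_client -showcerts` prints and checks that each certificate's issuer is the subject of the next certificate the server sent, ending at a known root. The hostname `example.test`, the `openssl` output and the PEM placeholders are constructed; the root names are the two mentioned later in the thread (ISRG Root X1, DST Root CA X3) and the intermediate name follows the Let's Encrypt chain of that period. It is a name-level check only, with no signature verification.

```python
"""Check whether a TLS server sends a complete certificate chain.

Parses the " 0 s:... / i:..." lines of `openssl s_client -showcerts`
and links each certificate's issuer to the next certificate's subject.
Name-level check only: it spots a server that serves just its leaf cert.
"""
import re
import subprocess
from typing import List, Tuple

# Root subjects in the form `openssl s_client` prints them (names from the thread).
KNOWN_ROOTS = {
    "C = US, O = Internet Security Research Group, CN = ISRG Root X1",
    "O = Digital Signature Trust Co., CN = DST Root CA X3",
}

_SUBJECT = re.compile(r"^\s*(\d+)\s+s:(.*)$")
_ISSUER = re.compile(r"^\s*i:(.*)$")


def parse_showcerts(output: str) -> List[Tuple[str, str]]:
    """Return (subject, issuer) pairs in the order the server presented them."""
    chain: List[Tuple[str, str]] = []
    subject = None
    for line in output.splitlines():
        m = _SUBJECT.match(line)
        if m:
            subject = m.group(2).strip()
            continue
        m = _ISSUER.match(line)
        if m and subject is not None:
            chain.append((subject, m.group(1).strip()))
            subject = None
    return chain


def chain_problems(chain: List[Tuple[str, str]], roots=KNOWN_ROOTS) -> List[str]:
    """Describe what is wrong with the served chain; empty list means complete."""
    if not chain:
        return ["server sent no certificates"]
    problems = []
    for n, (subject, issuer) in enumerate(chain):
        if subject == issuer:
            break  # a self-signed root was sent; nothing further to link
        if n + 1 < len(chain):
            if chain[n + 1][0] != issuer:
                problems.append(
                    f"cert {n} is issued by '{issuer}' but cert {n + 1} is '{chain[n + 1][0]}'"
                )
        elif issuer not in roots:
            problems.append(
                f"chain stops at a cert issued by '{issuer}', which was neither sent "
                "nor a known root: intermediate certificate missing"
            )
    return problems


def fetch_showcerts(host: str, port: int = 443) -> str:
    """Run the real `openssl s_client -showcerts` against a server (needs network)."""
    proc = subprocess.run(
        ["openssl", "s_client", "-connect", f"{host}:{port}",
         "-servername", host, "-showcerts"],
        stdin=subprocess.DEVNULL, capture_output=True, text=True, timeout=20,
    )
    return proc.stdout


# Constructed sample output (not captured from any real server); the PEM bodies
# are placeholders because only the s:/i: lines matter for this check.
SAMPLE_COMPLETE = """\
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = example.test
   i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
-----BEGIN CERTIFICATE-----
PLACEHOLDER
-----END CERTIFICATE-----
 1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
-----BEGIN CERTIFICATE-----
PLACEHOLDER
-----END CERTIFICATE-----
---
"""

# The same server misconfigured to send only its leaf certificate.
SAMPLE_LEAF_ONLY = """\
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = example.test
   i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
-----BEGIN CERTIFICATE-----
PLACEHOLDER
-----END CERTIFICATE-----
---
"""

if __name__ == "__main__":
    for label, sample in (("complete", SAMPLE_COMPLETE), ("leaf only", SAMPLE_LEAF_ONLY)):
        print(label, chain_problems(parse_showcerts(sample)) or ["OK: chain complete"])
```

Against a live server, `chain_problems(parse_showcerts(fetch_showcerts("your.host")))` reports the gap; a server whose chain file lacks the intermediate will still look fine in desktop browsers that fetch the missing issuer themselves, while clients that do not will fail, which is why the check should be run on the server output rather than trusted from one browser.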


#3

My domain is -> mackowiakp-nano.ddns.net:8081

But the problem occurs both on WiFi in local networks and via LTE, where IPv6 is not available from my telco.
So what do you suggest I do?
I have to mention once more: the problem is only with the iPad, with the newest firmware available.
Before renewing the cert, all worked properly on the iPad too.


#4

Thanks! I wasn’t able to find any problem with your configuration so far.

Could you post a screenshot of the error message that you see in browsers under iOS?


#5

So, Safari for example:


#6

I’ve got the same picture using Firefox and Edge (Windows 10, Berlin, LAN).

The browser wants a login; pressing ESC produces this picture. But the certificate is OK, Let's Encrypt, created today.


#7

PS: Are you using a Windows logon, which Safari doesn’t support?

So Safari may show this page directly, without hitting ESC.


#8

As I wrote in my first post:


#9

But your picture doesn’t show a certificate error.

I also see the “Domoticz Offline” message with my Firefox. But the certificate is correct.


#10

But in Firefox and Chrome the picture is the same on the iPad.
For test purposes, I installed a paid test cert from the company unizeto.pl. It costs 25 cents for 30 days. All works correctly.


#11

It’s very interesting but it feels like this is somehow an error inside the application rather than from the browser itself, even though the certificate might somehow indirectly play a role in the problem. (If the browser didn’t accept the certificate, it wouldn’t normally show this message, but rather a completely different message.) Is there any way that you can ask the developers of the software for support in diagnosing this?


#12

In my opinion the situation is like this. Apple does not like the free-of-cost open source world. Apple does not say it officially, of course. So, for example, the Domoticz app taken from the App Store needs a qualified cert and works properly even after the renewal. Of course this app works over the HTTP API. Another example is that in the case of Windows and Linux I can manually import (even unwanted) any CA and server cert into Firefox itself (NOT into the system, but into Firefox itself). It is not possible in the Apple world. I know LetsEncrypt is cross-certified to a well-known Apple CA. But what is in the minds of Apple developers, who knows.
The workaround could be to manually import the LetsEncrypt CA and server cert into Apple's system keychain. It works for me in the case of Synology, for example.
What is the proper CA cert of LetsEncrypt?


#13

Let’s Encrypt (ISRG Root X1) is already in Apple’s Root Certificate Program and comes pre-installed on iOS 10+ and macOS, so there shouldn’t be any need for importing further certificates. On older versions, cross-signing from the DST Root CA X3 achieves the same effect.

You’ve not demonstrated that iOS Safari is having problems. The screenshot you posted indicates a successful SSL connection. Maybe something else is happening (a DNS-based or user-agent-based condition)?

BTW, I also get that “offline” page in Firefox 61 on Linux:

Before that loaded, I got spammed with Basic Auth prompts. This smells very application-related.


#14

iOS has the same problem with Firefox and Chrome, so it is not a Safari-related problem. It is some kind of removal of old certs from the system, I think.
If you are using FF on Windows or Linux, simply import the server cert manually. Run FF, try to log in to the desired page, then “show cert” and you can manually add the URL as a trusted page with the cert it serves. I don't know the names of the options in your language, so this is a translation from my language.


#15

The error is not clearly visible in Safari, but it is clearly seen in Chrome on the iPad. Look at the picture:

You can see the HTTPS error. The answer I found is a factory reset. Bene. Any more clever idea?


#16

Are there any details of this error?

If it is Chrome, what does the webmaster console show?

Strg + Shift + I

then “Console” or “Security”.


#17

But this is an iPad, so there is no such key as Strg. Any other way to send you more info?
It seems to use the old cert, I think.


#18

The menu has an option “Weitere Tools”, maybe “additional tools”, then “Entwickler Tools” = “Developer Tools”.


#19

Sorry, no such options in the iPad Chrome implementation. Not in FF either.


#20

Maybe you could click on the warning icon in the URL bar to bring up more information?

I really agree that this is primarily an application problem because if the HTTPS security error were serious enough, no page content would be loaded at all and you could not even see the “DOMOTICZ OFFLINE” error. For example if you look at https://expired.badssl.com/ (a deliberately expired certificate), you don’t see any page content but only a browser error. That’s different from the situation with your site.