Backstory: I implemented SSL pinning in my iOS app. The thing is that we're using a Let's Encrypt SSL certificate on the server where we have our API. And since Let's Encrypt's certificates expire every 3 months, the app will stop working every 3 months as well if we don't issue an update with the new certificate inside. For this case I've built a smart mechanism in the app for refetching fresh SSL certificates.
The issue: when a new SSL cert is auto-generated by Let's Encrypt, the current cert, which is in the app, stops being served with responses, even though the current cert is still valid. Example:
Our web cert is valid from Mar 6 till Jun 6. The app fetched and stored it.
We manually updated our web cert today and it's now valid from Mar 14 till Jun 14. But the app stopped working, even though it still has a perfectly unexpired (valid?) cert till Jun 6. And until the cert is updated in the app, it won't be able to make API calls.
- Why aren't my API calls being served?
- Is the premise of SSL pinning to handle requests only with a cert identical to the one the server presents?
- Is it possible somehow to use the current unexpired (and valid a second ago) certificate and update it to a new one in a week, for example, instead of making the app useless the moment the server's certificate gets updated? Because in real life, who knows when the app will have the opportunity to update the cert to a new one.
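An added example (not part of the original post, and not the poster's app code) that reproduces the situation above with openssl: one server key, two certificates issued from it with different validity periods, standing in for the Mar 6 and Mar 14 certs. It shows that a pin on the whole certificate changes at every renewal, while a pin on the SubjectPublicKeyInfo (SPKI) stays valid as long as the server keeps its private key. The hostname and file paths are constructed for the demo.

```shell
#!/bin/sh
# Added demo: why a certificate pin breaks on renewal but an SPKI pin need not.
# Assumption: the server reuses the same private key across renewals.
set -eu
WORK="$(mktemp -d)"

# One server key, then two self-signed certs from it (stand-ins for the
# Mar 6 and Mar 14 issuances; serial and validity differ, key does not).
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/server.key" 2>/dev/null
openssl req -x509 -new -key "$WORK/server.key" -subj "/CN=api.example.test" \
    -days 90 -out "$WORK/cert_old.pem" 2>/dev/null
openssl req -x509 -new -key "$WORK/server.key" -subj "/CN=api.example.test" \
    -days 92 -out "$WORK/cert_new.pem" 2>/dev/null

# Pin strategy 1: SHA-256 over the whole DER certificate. This is what an app
# that stores "the server's cert" is effectively comparing against.
cert_pin() {
    openssl x509 -in "$1" -outform DER \
        | openssl dgst -sha256 -binary | openssl base64 -A
}

# Pin strategy 2: SHA-256 over the DER SubjectPublicKeyInfo only (HPKP-style).
spki_pin() {
    openssl x509 -in "$1" -pubkey -noout \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 -binary | openssl base64 -A
}

# Check a presented certificate against a stored SPKI pin (exit 0 = accepted).
check_spki_pin() {  # $1 = stored pin, $2 = presented certificate (PEM)
    [ "$1" = "$(spki_pin "$2")" ]
}

STORED_PIN="$(spki_pin "$WORK/cert_old.pem")"   # what the app captured on Mar 6
echo "cert pin (old): $(cert_pin "$WORK/cert_old.pem")"
echo "cert pin (new): $(cert_pin "$WORK/cert_new.pem")"
echo "spki pin (old): $STORED_PIN"
echo "spki pin (new): $(spki_pin "$WORK/cert_new.pem")"
if check_spki_pin "$STORED_PIN" "$WORK/cert_new.pem"; then
    echo "renewed cert accepted by SPKI pin"
fi
```

Because ACME clients generate a fresh private key on renewal by default (certbot keeps it only with `--reuse-key`), an SPKI pin also needs the server side to keep the key, and a backup pin for the next key is the usual hedge.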