
I was using iOS to connect to a server using a certificate whose CN (common name) and FQDN (fully qualified domain name) is server.myexample.com. The server certificate was signed by my own Root CA (whose certificate I added to my anchor certs via SecTrustSetAnchorCertificates and verified via the method described here using NSURLAuthenticationChallenge).

With my iOS client, I was attempting to connect my REST service located at: server.myexample.com/Path1/service1, but I kept receiving the following error:

```
The certificate for this server is invalid. You might be connecting to a server
that is pretending to be “server.myexample.com” which could put your confidential
information at risk.
```

```
Error occurred while fetching https://server.myexample.com/Path1/service1: Error
Domain=NSURLErrorDomain Code=-1202 "The certificate for this server is invalid.
You might be connecting to a server that is pretending to be “server.myexample.com”
which could put your confidential information at risk."
```

I get additional messages with the same info but specifying the errors: NSErrorFailingURLStringKey and NSURLErrorFailingURLPeerTrustErrorKey.

I found that I could also call the service with server.myexample.com/service1 and removed Path1 from my request URL, and the server certificate verification worked correctly. Why is this? I was under the impression that the server only needed 1 certificate, meaning any services it hosts would also be using that same certificate. Maybe you need a separate server certificate per path? I was not aware the paths after the server IP address/domain needed to have their own certificate.

To summarize:

  • iOS client app with Root CA certificate in the anchor certs
  • Server server1's certificate, signed by Root CA, has a CN of server.myexample.com and an FQDN of https://server.myexample.com.
  • Server server.myexample.com hosts service1 which can be accessed by web browser via:
    • https://server.myexample.com/service1 (passes iOS client's authentication of server)
    • https://server.myexample.com/Path1/service1 (FAILS iOS client's authentication of server)
  • CA and server certificates were created via OpenSSL

Thanks in advance!

aspergillusOryzae
  • The certificate is presented by the server before the path is provided, so it should not matter. When you call https://server.myexample.com/service1, do you receive HTTP 200? – Mitchell Currie Jul 31 '13 at 23:31
  • Initially the app was stopping at the failed authentication (since I didn't have it continue with failed authentication). I presume it would be 200 if I let it continue through (similar to using `[NSURLRequest setAllowsAnyHTTPSCertificate:YES forHost:myRequest.URL.host];` which allowed me to receive the response without verifying the server). However, I just tried the Path1 request again, and it worked fine this time, so maybe the issue was server-side? I will test some more and see if I get consistent results again. – aspergillusOryzae Aug 01 '13 at 17:16
  • @aspergillusOryzae It has been a long time, but can you please tell me what the solution to this issue was for you at that time? – Mrunal Nov 29 '18 at 07:16
  • @Mrunal It has been a while, but I believe that the issue was resolved with the server refreshing its certificate (possibly due to caching). I don't believe I ran into additional issues after that. Possibly try restarting your server and ensuring that the server-side cert is as expected. – aspergillusOryzae Jan 02 '19 at 20:40
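
Added example, not part of the original thread and not the asker's code: a server-trust handler that validates against a private Root CA instead of disabling validation. It assumes NSURLSession on iOS 12 or later; the class name `PinnedRootDelegate` and the property `rootCAData` (the DER bytes of the Root CA certificate) are hypothetical. The only inputs to the evaluation are the presented chain and the host, which is why `/service1` and `/Path1/service1` are judged identically.

```objective-c
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Hypothetical delegate; rootCAData holds the DER-encoded private Root CA.
@interface PinnedRootDelegate : NSObject <NSURLSessionDelegate>
@property (nonatomic, strong) NSData *rootCAData;
@end

@implementation PinnedRootDelegate

- (void)URLSession:(NSURLSession *)session
    didReceiveChallenge:(NSURLAuthenticationChallenge *)challenge
      completionHandler:(void (^)(NSURLSessionAuthChallengeDisposition,
                                  NSURLCredential * _Nullable))completionHandler {
    NSURLProtectionSpace *space = challenge.protectionSpace;
    // Only server-trust challenges are handled here; others take the default path.
    if (![space.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]) {
        completionHandler(NSURLSessionAuthChallengePerformDefaultHandling, nil);
        return;
    }
    SecTrustRef trust = space.serverTrust;
    SecCertificateRef root =
        SecCertificateCreateWithData(NULL, (__bridge CFDataRef)self.rootCAData);
    if (trust == NULL || root == NULL) {   // unparsable CA data: fail closed
        if (root) CFRelease(root);
        completionHandler(NSURLSessionAuthChallengeCancelAuthenticationChallenge, nil);
        return;
    }
    // The SSL policy checks the certificate against the host only, never the URL path.
    SecPolicyRef policy = SecPolicyCreateSSL(true, (__bridge CFStringRef)space.host);
    SecTrustSetPolicies(trust, policy);
    CFRelease(policy);
    // Trust the private Root CA and nothing else for this connection.
    NSArray *anchors = @[ (__bridge_transfer id)root ];
    SecTrustSetAnchorCertificates(trust, (__bridge CFArrayRef)anchors);
    SecTrustSetAnchorCertificatesOnly(trust, true);

    CFErrorRef error = NULL;
    if (SecTrustEvaluateWithError(trust, &error)) {
        completionHandler(NSURLSessionAuthChallengeUseCredential,
                          [NSURLCredential credentialForTrust:trust]);
    } else {
        // Log the reason (expired, hostname mismatch, unknown issuer) and refuse.
        NSLog(@"Trust evaluation failed for %@: %@", space.host, (__bridge NSError *)error);
        if (error) CFRelease(error);
        completionHandler(NSURLSessionAuthChallengeCancelAuthenticationChallenge, nil);
    }
}
@end
```

On iOS 13 and later the server certificate must carry the DNS name in its Subject Alternative Name extension; a CN alone no longer satisfies the hostname check.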
