iOS Enterprise Deployement: Clicking on itms-services link results in "Cannot connect to [domain]" error

Question

In an effort to deploy an enterprise iOS app, I've created the following link:

Unencoded version (for easy reading):

<a href="itms-services://?action=download-manifest&url=https://example.com/api/distribution/ios?token=abc123">Download</a>

Encoded version:

<a href="itms-services://?action=download-manifest&url=https%3A%2F%2Fexample.com%2Fapi%2Fdistribution%2Fios%3Ftoken%3Dabc123">Download</a>

The link is properly encoded, as discussed here and here.

Assuming the user's token is valid, a .plist file is returned via SSL, as discussed here. The URL of the .ipa file referenced in the .plist file is generated on the fly. Here is what the .plist file looks like:

<plist version="1.0">
<dict>
    <key>items</key>
    <array>
        <dict>
            <key>assets</key>
            <array>
                <dict>
                    <key>kind</key>
                    <string>software-package</string>
                    <key>url</key>
                    <string>TEMP_URL</string>
                </dict>
            </array>
            <key>metadata</key>
            <dict>
                <key>bundle-identifier</key>
                <string>org.cocos2d.ready-ios</string>
                <key>bundle-version</key>
                <string>0.0.1</string>
                <key>kind</key>
                <string>software</string>
                <key>title</key>
                <string>Ready</string>
            </dict>
        </dict>
    </array>
</dict>
</plist>

As far as I can tell, our GoDaddy SSL certificate appears to be on the trusted list.

However, despite all of the above, after tapping the link and waiting a moment, I receive the following error:

Cannot connect to [domain]

This is the iPhone console output after tapping the link:

Aug 29 07:30:56 My-iPhone wifid[15] <Notice>: WiFi:[431015456.799163]: Client itunesstored set type to background application
Aug 29 07:30:56 My-iPhone wifid[15] <Notice>: WiFi:[431015456.804319]: BG Application: Not Present, BG Daemon: Present. Daemons: apsd networkd itunesstored 
Aug 29 07:30:56 My-iPhone wifid[15] <Notice>: WiFi:[431015456.806066]: Already connected to [Company Name].
Aug 29 07:30:58 My-iPhone itunesstored[100] <Warning>: Could not load download manifest with underlying error: Error Domain=SSErrorDomain Code=2 "Cannot connect to iTunes Store" UserInfo=0x15788270 {NSLocalizedDescription=Cannot connect to iTunes Store}
Aug 29 07:31:03 My-iPhone wifid[15] <Notice>: WiFi:[431015463.925398]: Client itunesstored set type to normal application
Aug 29 07:31:03 My-iPhone wifid[15] <Notice>: WiFi:[431015463.928745]: BG Application: Not Present, BG Daemon: Present. Daemons: apsd networkd

Any ideas?

*"Any ideas?"* - DNS problem, firewall problem, or route problem to the enterprise server? — jww, Aug 29 '14 at 07:17
@jww: Thanks for the comment. I don't think it's a DNS problem, since all other DNS lookups are working fine. I'm able to download both the .plist file and the .ipa file by following the links in a browser, so I don't think it's a route problem. And I don't have any firewalls running. — David Jones, Aug 29 '14 at 14:28
MIME Type to be set on server https://stackoverflow.com/questions/29559793/cannot-connect-to-example-com-in-ios-enterprise-app — Harish Pathak, Oct 10 '17 at 04:48

score 8 · Answer 1 · answered Nov 25 '15 at 17:50

8

I had this problem and none of the documented solutions here, or in other answers, worked for me. Using a correct SSL certificate, it was possible to load the plist in safari, on the target device with no problems. However, attempting to install using the "itms-services://..." link would always fail with the "Cannot connect to [domain]" error.

The problem was the intermediate SSL certificate was not configured on the web server. Web browsers had no problem with this, SSL was valid, but connecting the device to a Mac, and viewing the log through the devices panel in XCode showed the below error:

iPhone itunesstored[83] <Warning>: Could not load download manifest with underlying error: Error Domain=NSURLErrorDomain Code=-1202 "Cannot connect to the Store".... "The certificate for this server is invalid. You might be connecting to a server that is pretending to be “[mydomain]”, which could put your confidential information at risk."

Installing the intermediate SSL certificate on Apache solved this issue.

answered Nov 25 '15 at 17:50

MikeH

93
1
5

Same! I didn't know I had an issue but used [this](https://casecurity.ssllabs.com/) to check my SSL Certificate setup on my server and found out what was wrong; and sure enough the intermediate certificate was the problem. – jrobe May 10 '16 at 20:02
I have the same error. If I self-signed my own ssl certificate for the point of testing the webpage on my own machine, how can I create an intermediate SSL certificate? ( site that I used to create my own stuff: https://getgrav.org/blog/mac-os-x-apache-setup-ssl ) – finneycanhelp Jun 26 '16 at 21:22
@finneycanhelp The intermediate certificate is used to establish a chain of trust to the root certificate authority. If you've signed your own SSL certificate, then no such thing exists. What you probably need to do is install your self signed SSL on to your iOS device. This [question](http://stackoverflow.com/questions/4589562/how-to-install-my-servers-self-signed-certificate-on-an-ipad) might help. – MikeH Jun 27 '16 at 15:48

score 6 · Answer 2 · answered Oct 24 '14 at 14:51

6

I had a problem like this for a while and it was driving me crazy. I was getting the popup "Cannot connect to [domain]" and I saw the same error in the log "Cannot connect to iTunes Store."

The original problem was that I had a missing ">" in my .plist xml file.

But I fixed the missing ">" and it worked on another ipad. So, it should have worked on the original ipad, right? Well, no, because the bad plist with the typo must have still been in the cache of that ipad.

So, the fix is to either rename the .plist file, or shut down and "re-boot" the ipad, or find some other way of clearing your ipad's cache of the bad plist file.

answered Oct 24 '14 at 14:51

blalond

875
10
17

at which line , this > was missing . – h.kishan Jan 18 '15 at 06:33
It didn't matter where the > was missing, since the overall effect of a missing > was to make the .plist file invalid XML. An example would be the missing > in a line like `` where it's missing the ">" after ` – blalond Jan 19 '15 at 14:51
That seems to have fixed it for me. After I fixed the syntax problem in my .plist file, I had to restart my iPad. I had put an ampersand into the title string. That broke the XML file it looks like. Perhaps an & ? – Chris Prince Jul 16 '15 at 13:57
I can't believe that cache thing. Renaming the file worked for me. I kept reboothing the device but I was still getting the same error. Is there really no way to clear the cache for the bad plist file??? – Jan Jun 02 '16 at 16:17

score 3 · Answer 3 · answered Apr 05 '16 at 00:21

3

I was receiving the same error.

In my case, the ".plist" wasn't accessible.

My resolution was to add the appropriate mime-types to the website being hosted by Internet Information Services (IIS).

Namely, ".ipa", and ".plist".

answered Apr 05 '16 at 00:21

aero

1,654
1
21
31

score 2 · Answer 4 · answered Sep 29 '14 at 02:24

2

Check for any trailing slashes on your URL link value for TEMP_URL and remove them. If you test the URL with trailing slashes on a browser it will download without problem. In the plist it will fail.

answered Sep 29 '14 at 02:24

Ikerion

21
2

2

I cannot believe i was this stupid. It worked.. I erased the `<` from `` when i copied and pasted the build number. THANKS! – Jann Apr 16 '15 at 13:59

score 2 · Answer 5 · answered Mar 02 '15 at 11:45

Not sure this would have helped the original poster as I don't know how itms-services works, but it might help other seeing the "Cannot connect to [domain]" error.

We were trying to install an enterprise deployment through Safari and kept seeing this error. The plist was fine and the ipa file it pointed to would download if we entered the url directly. However we realised we were making the first (pre-install) connection through http. Changing this to https allowed the installation to proceed as expected.

score 1 · Answer 6 · answered Apr 19 '16 at 12:52

We faced same problem because of the internal date of the device was set to the invalid date range. (Jan 1, 1970)

Invalid date also invalidates the ssl certificate and 7.1+ devices requires valid https connections for enterprise application installations.

We achieve this problem with the changing device date to the current date.

score 1 · Answer 7 · answered Jun 14 '16 at 09:25

If you have tried everything else and still receive "Cannot connect to [domain]" error, make sure that URLs inside your .plist that are pointing to images ends with ".jpg" or ".png". If this is dynamically generated image you can create a special route that ends with one of these extensions.

score 1 · Answer 8 · answered Jul 02 '21 at 04:19

1

For my case, I had space in the file name for .ipa

Once that's removed, the issue was resolved.

answered Jul 02 '21 at 04:19

juminoz

3,168
7
35
52

iOS Enterprise Deployement: Clicking on itms-services link results in "Cannot connect to [domain]" error

8 Answers8

Linked