The certificate for this server is invalid. You might be connecting to a server that is pretending to be “subdomain.domainname.co.nz” which could put your confidential information at risk.

Hello All,

We are facing a weird issue rarely, but it continues for a few hours or a day.

Observations:

  1. The issue gets resolved automatically when we change the iOS device's network.

  2. We are using a subdomain for all network requests in the iOS/Android app; only the iOS device is logging the below-mentioned issue.

  3. Both domains have different certificates; we are using a wildcard certificate on the subdomain (*.domain.co.nz).

  4. The main domain doesn't have the subdomain name in its subject list (SAN or CN).

  5. We have verified that both certificates are valid and support TLSv1.3.

Also, we have verified the instructions given by Apple, which also look good: https://support.apple.com/en-us/103769

You may observe that *.wordpress.com is logged in the certificate chain validation, but we are not making any network requests to *.wordpress.com. Our backend server is using only Node.js and Express.js and, as mentioned by our backend team, we don't have any use of the main domain/server.

Here is the Xcode error log:

Error Domain=NSURLErrorDomain Code=-1202 "The certificate for this server is invalid. You might be connecting to a server that is pretending to be “subdomain.maindomain.co.nz” which could put your confidential information at risk." UserInfo={NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, _kCFStreamErrorDomainKey=3, NSErrorPeerCertificateChainKey=( "<cert(0x11603ae00) s: *.wordpress.com i: Sectigo ECC Domain Validation Secure Server CA>", "<cert(0x11603b600) s: Sectigo ECC Domain Validation Secure Server CA i: USERTrust ECC Certification Authority>", "<cert(0x116043400) s: USERTrust ECC Certification Authority i: AAA Certificate Services>" ), NSErrorClientCertificateStateKey=0, NSErrorFailingURLKey=https://subdomain.maindomain.co.nz/vider/api/v1/users/login, NSErrorFailingURLStringKey=https://subdomain.maindomain.co.nz/vider/api/v1/users/login, NSUnderlyingError=0x301ec2cd0 {Error Domain=kCFErrorDomainCFNetwork Code=-1202 "(null)" UserInfo={_kCFStreamPropertySSLClientCertificateState=0, kCFStreamPropertySSLPeerTrust=<SecTrustRef: 0x3021b1360>, kCFNetworkCFStreamSSLErrorOriginalValue=-9843, kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9843, kCFStreamPropertySSLPeerCertificates=( "<cert(0x11603ae00) s: *.wordpress.com i: Sectigo ECC Domain Validation Secure Server CA>", "<cert(0x11603b600) s: Sectigo ECC Domain Validation Secure Server CA i: USERTrust ECC Certification Authority>", "<cert(0x116043400) s: USERTrust ECC Certification Authority i: AAA Certificate Services>" )}}, _NSURLErrorRelatedURLSessionTaskErrorKey=( "LocalDataTask <A645226C-8FAB-4676-A1B8-36E751621C06>.<1>" ), kCFStreamErrorCodeKey=-9843, NSURLErrorFailingURLSessionTaskErrorKey=LocalDataTask <A645226C-8FAB-4676-A1B8-36E751621C06>.<1>, NSURLErrorFailingURLPeerTrustErrorKey=<SecTrustRef: 0x3021b1360>, NSLocalizedDescription=The certificate for this server is invalid. 
You might be connecting to a server that is pretending to be “subdomain.maindomain.co.nz” which could put your confidential information at risk.})) URLSessionTask failed with error: The certificate for this server is invalid. You might be connecting to a server that is pretending to be “subdomain.maindomain.co.nz” which could put your confidential information at risk. "Show: Something went wrong! please try again after sometime!" "Networking error message: Optional("URLSessionTask failed with error: The certificate for this server is invalid. You might be connecting to a server that is pretending to be “subdomain.maindomain.co.nz” which could put your confidential information at risk.")

End of error log.

Kindly help us. Thanks in advance.

Need help to solve the above issue, which is somewhat similar to https://forums.developer.apple.com/forums/thread/42555 but as iOS developers we are not sure how we can even reproduce it.

Looking at your setup, it looks like your certificate chain looks like this:

<cert(0x11603ae00) s: *.wordpress.com i: Sectigo ECC Domain Validation Secure Server CA>

<cert(0x11603b600) s: Sectigo ECC Domain Validation Secure Server CA i: USERTrust ECC Certification Authority>

<cert(0x116043400) s: USERTrust ECC Certification Authority i: AAA Certificate Services>

Which is not going to work for the domain *.domain.co.nz, you'll need to get a leaf for domain.co.nz. iOS cannot validate the chain of trust going back to the root. Note that USERTrust ECC Certification Authority is in the trust store though so you should be good there.

Regarding:

> We are facing a weird issue rarely, but it continues for a few hours or a day.

Are you saying that this only happens sporadically and not every time you make a request for this endpoint?

Matt Eaton - Networking
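
A triage helper for the error log quoted in this thread, added here as an example (not code from any of the thread's participants): it pulls the failing host and the presented chain out of an NSURLErrorDomain -1202 message and checks whether the leaf name could cover that host. The function names and the shortened sample log are constructed; the `s:` field is only a subject summary, so a mismatch is a pointer to inspect the certificate served on the affected network path, not a full SAN check.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: a shortened copy of the -1202 log quoted in this thread.
SAMPLE_LOG = (
    'Error Domain=NSURLErrorDomain Code=-1202 UserInfo={NSErrorPeerCertificateChainKey=( '
    '"<cert(0x11603ae00) s: *.wordpress.com i: Sectigo ECC Domain Validation Secure Server CA>", '
    '"<cert(0x11603b600) s: Sectigo ECC Domain Validation Secure Server CA '
    'i: USERTrust ECC Certification Authority>" ), '
    'NSErrorFailingURLKey=https://subdomain.maindomain.co.nz/vider/api/v1/users/login, '
    '_kCFStreamErrorCodeKey=-9843}'
)

CERT_RE = re.compile(r'<cert\(0x[0-9a-f]+\) s: (.*?) i: (.*?)>', re.I)
URL_RE = re.compile(r'NSErrorFailingURLKey=(\S+?),')

def wildcard_match(pattern, host):
    """RFC 6125-style match: '*' is accepted only as the whole left-most label."""
    p = pattern.lower().rstrip('.').split('.')
    h = host.lower().rstrip('.').split('.')
    if len(p) != len(h):
        return False  # a wildcard covers exactly one label, never zero or two
    if p[0] == '*':
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def triage(log):
    """Return the failing host, the leaf name, and two consistency checks."""
    # The full log lists the chain twice; de-duplicate while keeping order.
    chain = list(dict.fromkeys(CERT_RE.findall(log)))  # (subject, issuer) pairs
    url = URL_RE.search(log)
    if not chain or not url:
        raise ValueError("log has no certificate chain or failing URL")
    host = urlsplit(url.group(1)).hostname
    leaf_subject = chain[0][0]
    return {
        "host": host,
        "leaf": leaf_subject,
        # Heuristic: compares the subject summary only, not the SAN list.
        "leaf_covers_host": wildcard_match(leaf_subject, host),
        # Each certificate's issuer should be the next certificate's subject.
        "chain_linked": all(chain[i][1] == chain[i + 1][0]
                            for i in range(len(chain) - 1)),
    }

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```
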

We appreciate your help. Yes, this issue is not consistent.

Sometimes, while the issue is occurring, if we change the network from Wi-Fi to cellular, it starts working fine.

It's very rarely producible, but when it occurs it continues for some period of time.

NOTE: The main domain server is using WordPress, while our APIs are deployed on the subdomain.

We are not sure from where *.wordpress.com got linked into the certificate chain.

Hello, We are still facing issues with invalid certificates. Can you help us with the question asked above?
