Troubleshooting Universal Links

I'm working on implementing Universal Links and Handoff for my domains, and running into some trouble.


I've followed all of the Apple Guides, however I am hitting a roadblock when it comes to apple-app-site-association hosting.


I have valid SSL certs for my domain, a valid apple-app-site-association file - however I am consistently seeing these errors in my logs:

default 09:15:45.000000 -0500   swcd     2016-11-15 10:15:45.677187 AM [SWC] ### Bad apple-app-site-association server trust: -6754/0xFFFFE59E kAuthenticationErr, 4 (kSecTrustResultUnspecified), {
        "TrustResultValue" : 4
        "TrustEvaluationDate" : 2016-11-15 15:15:45.410148
        "TrustResultDetails" :
        [
            {},
            {}
        ]
    }

default 09:15:45.000000 -0500   swcd     2016-11-15 10:15:45.697530 AM [SWC] ### Rejecting URL 'https://<redacted>/.well-known/apple-app-site-association' for auth method 'NSURLAuthenticationMethodServerTrust': -6754/0xFFFFE59E kAuthenticationErr
default 09:15:46.000000 -0500   swcd     2016-11-15 10:15:46.189794 AM [SWC] ### Denying redirect 'https://<redacted>/.well-known/apple-app-site-association' -> 'http://<redacted>/.well-known/apple-app-site-association'
default 10:15:46.000000 -0500   swcd     2016-11-15 10:15:46.251853 AM [SWC] ### Bad apple-app-site-association server trust: -6754/0xFFFFE59E kAuthenticationErr, 4 (kSecTrustResultUnspecified), {
        "TrustResultValue" : 4
        "TrustEvaluationDate" : 2016-11-15 15:15:46.241376
        "TrustResultDetails" :
        [
            {},
            {}
        ]
    }
default 10:15:46.000000 -0500   swcd     2016-11-15 10:15:46.253257 AM [SWC] ### Rejecting URL 'https://<redacted>/apple-app-site-association' for auth method 'NSURLAuthenticationMethodServerTrust': -6754/0xFFFFE59E kAuthenticationErr
Nov 11 09:04:35 iPad-Mini swcd[739] <Notice>: 2016-11-11 09:04:34.376592 AM [SWC] ### Download URL 'https://<redacted>/apple-app-site-association' failed: -6756/0xFFFFE59C kTypeErr



If I use an unrelated test domain, then I get proper functionality with the same file.

On my actual domain, the .well-known/apple-app-site-association does not redirect, it's by default a "301 Permanently Moved" response. I am not sure if this causes any issues with the flow, but I see the app install make the call to .well-known, then the call to the root apple-app-site-association which succeeds.

I've run the domains through all sorts of SSL validation tools, and they all show that it's properly setup -

However, the apple universal search validator fails (https://search.developer.apple.com/appsearch-validation-tool), but does not give any good steps to resolve.


If anyone could offer any help, it'd be very much appreciated here.

Replies

On my actual domain, the .well-known/apple-app-site-association does not redirect, it's by default a "301 Permanently Moved" response.

I’m confused by this. A 301 is a redirect, so how can your server both “not redirect” and be giving a “301”?

default 09:15:46.000000 -0500 swcd 2016-11-15 10:15:46.189794 AM

[SWC] ### Denying redirect 'https:…' -> 'http:…'

Some factoids about the above:

  • SWC is shared web credential.

  • swcd
    is the shared web credential daemon.
  • That daemon uses NSURLSession to fetch the

    apple-app-site-association
    file.
  • That message is generated when NSURLSession delivers the

    -URLSession:task:willPerformHTTPRedirection:newRequest:completionHandler:
    delegate callback to
    swcd
    .
  • When

    swcd
    gets this delegate callback and issues this log message, it always calls the completion handler with nil, causing the body of the redirection response to be delivered as the payload of this request. That doesn’t sound good, eh?

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

So to followup, and apologies for the late response - I've removed all redirects, made sure they are static files with the correct content-types, and still no luck.


the errors regarding denying the redirect are resolved, but this issue still remains:


default 22:51:58.815436 -0500   swcd    ### Download URL 'https://<redacted>/.well-known/apple-app-site-association' failed: -6756/0xFFFFE59C kTypeErr
default 22:51:58.815971 -0500   swcd    Started request for domain '<redacted>', URL 'https://<redacted>/apple-app-site-association'
default 22:51:58.871038 -0500   swcd    ### Download URL 'https://<redacted>/apple-app-site-association' failed: -6756/0xFFFFE59C kTypeErr
default 22:51:58.871516 -0500   swcd    Completing request for 'https://<redacted>/apple-app-site-association', status -6756/0xFFFFE59C kTypeErr



I see this when the app installs, when I launch safari on the device to the <redacted> site

In this context

kTypeErr
means that the
apple-app-site-association
JSON (either inside the CMS or standalone) is valid JSON but has an invalid internal structure. There are lots of checks done on that structure, more than I can reasonably outline here. If you post the JSON you’re using, I can take a quick look at it (feel free to redact the identifying details).

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

- There are a way to use "Multi-domain" certificates (SAN Certificates) for universal links? The certificate is expedited for .com as base and the other domains are .fr, .es, .de...

- For the .com all is ok, an universal links are working, but for the other domains, the log console show me a fail:

<Notice>: ### Bad apple-app-site-association server trust: -6754/0xFFFFE59E kAuthenticationErr, 5 (kSecTrustResultRecoverableTrustFailure), {

"TrustResultDetails" :

[

{

"SSLHostname" : false,

},

{},

{}

],

"TrustResultValue" : 5,

"TrustEvaluationDate" : 2016-11-22 05:52:49.792425,

"TrustCertificateTransparency" : true,

}

here's the json:



Raw:


{"activitycontinuation":{"apps":["TEAM_ID.com.app.bundleid","ALT_TEAM_ID.com.app.bundleid-develop"]},"applinks":{"apps":[],"details":[{"appID":"TEAM_ID.com.app.bundleid","paths":[["\/shows\/","\/full-episodes\/","\/video-clips\/"]]},{"appID":"ALT_TEAM_ID.com.app.bundleid-develop","paths":[["\/shows\/","\/full-episodes\/","\/video-clips\/"]]}]}}



Formatted:


{
    "activitycontinuation": {
        "apps": ["TEAM_ID.com.app.bundleid", "ALT_TEAM_ID.com.app.bundleid-develop"]
    },
    "applinks": {
        "apps": [],
        "details": [{
            "appID": "TEAM_ID.com.app.bundleid",
            "paths": [
                ["\/shows\/", "\/full-episodes\/", "\/video-clips\/"]
            ]
        }, {
            "appID": "ALT_TEAM_ID.com.app.bundleid-develop",
            "paths": [
                ["\/shows\/", "\/full-episodes\/", "\/video-clips\/"]
            ]
        }]
    }
}

just saw an issue in the paths statements...


will correct that and try again.

I also get those "Bad apple-app-site-association server trust: -6754" errors although all SSL-stuff is setup correctly. I can download the file with NSURLSession without any problems:


Optional(<NSHTTPURLResponse: 0x60c00022a200> 
{ URL: http://server/.well-known/apple-app-site-association }
{ Status Code: 200, Headers {
    "Accept-Ranges" =     (
        bytes
    );
    "Cache-Control" =     (
        "private,max-age=10"
    );
    Connection =     (
        "keep-alive"
    );
    "Content-Length" =     (
        301
    );
    "Content-Type" =     (
        "application/json"
    );
    Date =     (
        "Wed, 11 Apr 2018 13:08:15 GMT"
    );
    Etag =     (
        "\"4ad5554785a1d31:0\""
    );
    "Last-Modified" =     (
        "Fri, 09 Feb 2018 09:06:32 GMT"
    );
    "Proxy-Connection" =     (
        "keep-alive"
    );
    Server =     (
        "Microsoft-IIS/7.5"
    );
    Via =     (
        "1.1 proxy:3128 (Cisco-WSA/8.5.3-069)"
    );
    "X-Powered-By" =     (
        "ASP.NET"
    );
} })


Could you solve your error?

What are you seeing in the system log? In vmnKCatigbe’s first post they show a bunch of logging that’s around this error. Are you seeing similar logging? If so, please post a copy.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Hello ,


We are facing issues with app linking where it works on some devices and does not on the others. Our app version is in Testflight .


When we check the console of the device where it does not work we see following error.


default 13:54:36.992693 +0200 swcd Started request for domain , URL 'https://www.***.be/.well-known/apple-app-site-association'

default 13:54:37.016006 +0200 dasd Submitted Activity: com.apple.CFNetwork-cc-98-54-Task <73F68C34-7F2A-4E19-85B0-5C2526FE11BB>.<com.apple.swcd>.<com.apple.SharedWebCredentials-55DDB6A7-DB8D-47A9-BECC-AE2B110595A1>.<1>:62BB26 at priority 90 <private>

default 13:54:37.020478 +0200 dasd com.apple.CFNetwork-cc-98-54-Task <73F68C34-7F2A-4E19-85B0-5C2526FE11BB>.<com.apple.swcd>.<com.apple.SharedWebCredentials-55DDB6A7-DB8D-47A9-BECC-AE2B110595A1>.<1>:62BB26:[

{name: ApplicationPolicy, policyWeight: 5.000, response: {Decision: Can Proceed, Score: 0.10}}

{name: DeviceActivityPolicy, policyWeight: 10.000, response: {Decision: Can Proceed, Score: 0.60}}

] sumScores:27.200000, denominator:35.700000, FinalDecision: Can Proceed FinalScore: 0.761905}

default 13:54:37.020575 +0200 dasd 'com.apple.CFNetwork-cc-98-54-Task <73F68C34-7F2A-4E19-85B0-5C2526FE11BB>.<com.apple.swcd>.<com.apple.SharedWebCredentials-55DDB6A7-DB8D-47A9-BECC-AE2B110595A1>.<1>:62BB26' DecisionToRun:1 (Bypasses Predictions)

default 13:54:37.059375 +0200 nsurlsessiond [C58 Hostname#ec124cd0:443 tcp, bundle id: com.apple.swcd, url hash: d0fc027c, tls, indefinite] start

default 13:54:37.266159 +0200 swcd ### Bad apple-app-site-association server trust: -6754/0xFFFFE59E kAuthenticationErr, 1 (kSecTrustResultProceed), {

"TrustExpirationDate" : 2019-07-25 06:35:42.000,

"TrustRevocationChecked" : true,

"TrustExtendedValidation" : true,

"Organization" : "*** ",

"TrustResultValue" : 1,

"TrustCertificateTransparency" : true,

"TrustEvaluationDate" : 2019-07-18 11:54:37.252,

"TrustResultDetails" :

[

{},

{},

{}

],

}

default 13:54:37.266216 +0200 swcd ### Rejecting URL 'https://www.***.be/.well-known/apple-app-site-association' for auth method 'NSURLAuthenticationMethodServerTrust': -6754/0xFFFFE59E kAuthenticationErr

default 13:54:37.267680 +0200 swcd Task <1674E61D-77F1-4D10-9820-CFF592216A27>.<2> resuming, QOS(0x15)

default 13:54:37.267737 +0200 swcd Create activity <nw_activity 12:3>

default 13:54:37.267901 +0200 swcd Activated <nw_activity 12:3 [33900FB4-9DBD-4648-966C-A6EEC044C195] (reporting strategy default)>

default 13:54:37.268273 +0200 swcd [Telemetry]: Activity <nw_activity 12:3 [33900FB4-9DBD-4648-966C-A6EEC044C195] (reporting strategy default)> on Task <1674E61D-77F1-4D10-9820-CFF592216A27>.<2> was not selected for reporting

default 13:54:37.270222 +0200 swcd Started request for domain 'www.***.be', URL 'https://www.***.be/apple-app-site-association'

default 13:54:37.273741 +0200 dasd Submitted Activity: com.apple.CFNetwork-cc-98-55-Task <1674E61D-77F1-4D10-9820-CFF592216A27>.<com.apple.swcd>.<com.apple.SharedWebCredentials-55DDB6A7-DB8D-47A9-BECC-AE2B110595A1>.<2>:3F4E84 at priority 90 <private>

default 13:54:37.275261 +0200 dasd com.apple.CFNetwork-cc-98-55-Task <1674E61D-77F1-4D10-9820-CFF592216A27>.<com.apple.swcd>.<com.apple.SharedWebCredentials-55DDB6A7-DB8D-47A9-BECC-AE2B110595A1>.<2>:3F4E84:[

{name: ApplicationPolicy, policyWeight: 5.000, response: {Decision: Can Proceed, Score: 0.10}}

{name: DeviceActivityPolicy, policyWeight: 10.000, response: {Decision: Can Proceed, Score: 0.60}}

] sumScores:27.200000, denominator:35.700000, FinalDecision: Can Proceed FinalScore: 0.761905}

default 13:54:37.275403 +0200 dasd 'com.apple.CFNetwork-cc-98-55-Task <1674E61D-77F1-4D10-9820-CFF592216A27>.<com.apple.swcd>.<com.apple.SharedWebCredentials-55DDB6A7-DB8D-47A9-BECC-AE2B110595A1>.<2>:3F4E84' DecisionToRun:1 (Bypasses Predictions)

default 13:54:37.278397 +0200 nsurlsessiond [C59 Hostname#ec124cd0:443 tcp, bundle id: com.apple.swcd, url hash: c76faa2c, tls, indefinite] start

default 13:54:37.444839 +0200 swcd <nw_activity 12:3 [81BB1A2C-179B-49E7-96F0-7360EB6EF4E1] (reporting strategy default) complete (reason failure)> complete with reason 3 (failure), duration 480ms

error 13:54:37.444895 +0200 swcd Task <73F68C34-7F2A-4E19-85B0-5C2526FE11BB>.<1> load failed with error Error Domain=NSURLErrorDomain Code=-999 UserInfo={NSErrorFailingURLStringKey=<private>, NSErrorFailingURLKey=<private>, _NSURLErrorRelatedURLSessionTaskErrorKey=<private>, _NSURLErrorFailingURLSessionTaskErrorKey=<private>, NSLocalizedDescription=<private>} [-999]

default 13:54:37.635952 +0200 swcd ### Request for 'https://www.***.be/apple-app-site-association' denied: 404/0x194 Not Found

default 13:54:37.636026 +0200 swcd Completing request for 'https://www.***.be/apple-app-site-association', status 0/0x0 noErr

default 13:54:37.637070 +0200 swcd Updated app ID '8C3949R27A.be.***.MyXXX2', domain 'www.***.be', flags 0x0 < > -> 0x4 < SiteDenied > on check

default 13:54:37.641292 +0200 swcd <nw_activity 12:3 [33900FB4-9DBD-4648-966C-A6EEC044C195] (reporting strategy default) complete (reason failure)> complete with reason 3 (failure), duration 274ms

error 13:54:37.642884 +0200 swcd Task <1674E61D-77F1-4D10-9820-CFF592216A27>.<2> load failed with error Error Domain=NSURLErrorDomain Code=-999 UserInfo={NSErrorFailingURLStringKey=<private>, NSErrorFailingURLKey=<private>, _NSURLErrorRelatedURLSessionTaskErrorKey=<private>, _NSURLErrorFailingURLSessionTaskErrorKey=<private>, NSLocalizedDescription=<private>} [-999]

default 13:54:37.645895 +0200 swcd Closing NSURLSession com.apple.SharedWebCredentials-55DDB6A7-DB8D-47A9-BECC-AE2B110595A1

default 13:54:37.645949 +0200 swcd Save database


If someone has faced simlilar issue or provide any help it will be appreciated.

Regards,

Aniket