Let's Encrypt Cert Issues

Hi folks,


I'm having issues trying to connect from my app to my server. It seems that it doesn't accept the Let's Encrypt cert.


Info.plist


<key>NSAppTransportSecurity</key>
<dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
    <key>NSAllowsArbitraryLoadsInWebContent</key>
    <true/>
    <key>NSExceptionDomains</key>
    <dict>
        <key>tunait-app.com</key>
        <dict>
            <key>NSExceptionAllowsInsecureHTTPLoads</key>
            <true/>
            <key>NSIncludesSubdomains</key>
            <true/>
            <key>NSExceptionMinimumTLSVersion</key>
            <string>TLSv1.1</string>
            <!--Include to allow HTTP requests-->
            <key>NSExceptionRequiresForwardSecrecy</key>
            <false/>
        </dict>
    </dict>
</dict>




nscurl command


nscurl --ats-diagnostics --verbose https://www.tunait-app.com
Starting ATS Diagnostics

Configuring ATS Info.plist keys and displaying the result of HTTPS loads to https://www.tunait-app.com.
A test will "PASS" if URLSession:task:didCompleteWithError: returns a nil error.
================================================================================

Default ATS Secure Connection
---
ATS Default Connection
ATS Dictionary:
{
}
Result : FAIL
Error : Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, _kCFStreamErrorDomainKey=3, NSErrorPeerCertificateChainKey=(
    "<cert(0x7fc42281c800) s: tunait-app.com i: Let's Encrypt Authority X3>",
    "<cert(0x7fc42281d000) s: tunait-app.com i: Let's Encrypt Authority X3>",
    "<cert(0x7fc42281d800) s: Let's Encrypt Authority X3 i: DST Root CA X3>"
), NSErrorClientCertificateStateKey=0, NSErrorFailingURLKey=https://www.tunait-app.com/, NSErrorFailingURLStringKey=https://www.tunait-app.com/, NSUnderlyingError=0x7fc42250a2f0 {Error Domain=kCFErrorDomainCFNetwork Code=-1200 "(null)" UserInfo={_kCFStreamPropertySSLClientCertificateState=0, kCFStreamPropertySSLPeerTrust=<SecTrustRef: 0x7fc42241d4b0>, _kCFNetworkCFStreamSSLErrorOriginalValue=-9802, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9802, kCFStreamPropertySSLPeerCertificates=(
    "<cert(0x7fc42281c800) s: tunait-app.com i: Let's Encrypt Authority X3>",
    "<cert(0x7fc42281d000) s: tunait-app.com i: Let's Encrypt Authority X3>",
    "<cert(0x7fc42281d800) s: Let's Encrypt Authority X3 i: DST Root CA X3>"
)}}, _NSURLErrorRelatedURLSessionTaskErrorKey=(
    "LocalDataTask <F3B800C7-49C2-4A7E-B443-01F8BAA31B04>.<1>"
), _kCFStreamErrorCodeKey=-9802, _NSURLErrorFailingURLSessionTaskErrorKey=LocalDataTask <F3B800C7-49C2-4A7E-B443-01F8BAA31B04>.<1>, NSURLErrorFailingURLPeerTrustErrorKey=<SecTrustRef: 0x7fc42241d4b0>, NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made.}
---

================================================================================

Allowing Arbitrary Loads

---
Allow All Loads
ATS Dictionary:
{
    NSAllowsArbitraryLoads = true;
}
Result : FAIL
Error : Error Domain=NSURLErrorDomain Code=-1202 "The certificate for this server is invalid. You might be connecting to a server that is pretending to be “www.tunait-app.com” which could put your confidential information at risk." UserInfo={NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, _kCFStreamErrorDomainKey=3, NSErrorPeerCertificateChainKey=(
    "<cert(0x7fc423013600) s: tunait-app.com i: Let's Encrypt Authority X3>",
    "<cert(0x7fc423013e00) s: tunait-app.com i: Let's Encrypt Authority X3>",
    "<cert(0x7fc42301a800) s: Let's Encrypt Authority X3 i: DST Root CA X3>"
), NSErrorClientCertificateStateKey=0, NSErrorFailingURLKey=https://www.tunait-app.com/, NSErrorFailingURLStringKey=https://www.tunait-app.com/, NSUnderlyingError=0x7fc422523a50 {Error Domain=kCFErrorDomainCFNetwork Code=-1202 "(null)" UserInfo={_kCFStreamPropertySSLClientCertificateState=0, kCFStreamPropertySSLPeerTrust=<SecTrustRef: 0x7fc422522570>, _kCFNetworkCFStreamSSLErrorOriginalValue=-9843, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9843, kCFStreamPropertySSLPeerCertificates=(
    "<cert(0x7fc423013600) s: tunait-app.com i: Let's Encrypt Authority X3>",
    "<cert(0x7fc423013e00) s: tunait-app.com i: Let's Encrypt Authority X3>",
    "<cert(0x7fc42301a800) s: Let's Encrypt Authority X3 i: DST Root CA X3>"
)}}, _NSURLErrorRelatedURLSessionTaskErrorKey=(
    "LocalDataTask <34CEF44C-09D5-46D6-A164-364E3EC5644B>.<1>"
), _kCFStreamErrorCodeKey=-9843, _NSURLErrorFailingURLSessionTaskErrorKey=LocalDataTask <34CEF44C-09D5-46D6-A164-364E3EC5644B>.<1>, NSURLErrorFailingURLPeerTrustErrorKey=<SecTrustRef: 0x7fc422522570>, NSLocalizedDescription=The certificate for this server is invalid. You might be connecting to a server that is pretending to be “www.tunait-app.com” which could put your confidential information at risk.}
---

================================================================================

Configuring TLS exceptions for www.tunait-app.com

---
TLSv1.3
ATS Dictionary:
{
    NSExceptionDomains =     {
        "www.tunait-app.com" =         {
            NSExceptionMinimumTLSVersion = "TLSv1.3";
        };
    };
}
Result : FAIL
Error : Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, _kCFStreamErrorDomainKey=3, NSErrorPeerCertificateChainKey=(
    "<cert(0x7fc424028e00) s: tunait-app.com i: Let's Encrypt Authority X3>",
    "<cert(0x7fc424029600) s: tunait-app.com i: Let's Encrypt Authority X3>",
    "<cert(0x7fc424029e00) s: Let's Encrypt Authority X3 i: DST Root CA X3>"
), NSErrorClientCertificateStateKey=0, NSErrorFailingURLKey=https://www.tunait-app.com/, NSErrorFailingURLStringKey=https://www.tunait-app.com/, NSUnderlyingError=0x7fc422511dd0 {Error Domain=kCFErrorDomainCFNetwork Code=-1200 "(null)" UserInfo={_kCFStreamPropertySSLClientCertificateState=0, kCFStreamPropertySSLPeerTrust=<SecTrustRef: 0x7fc422629050>, _kCFNetworkCFStreamSSLErrorOriginalValue=-9802, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9802, kCFStreamPropertySSLPeerCertificates=(
    "<cert(0x7fc424028e00) s: tunait-app.com i: Let's Encrypt Authority X3>",
    "<cert(0x7fc424029600) s: tunait-app.com i: Let's Encrypt Authority X3>",
    "<cert(0x7fc424029e00) s: Let's Encrypt Authority X3 i: DST Root CA X3>"
)}}, _NSURLErrorRelatedURLSessionTaskErrorKey=(
    "LocalDataTask <6602668C-3A5B-45F4-9F64-F592A6DB4C2E>.<1>"
), _kCFStreamErrorCodeKey=-9802, _NSURLErrorFailingURLSessionTaskErrorKey=LocalDataTask <6602668C-3A5B-45F4-9F64-F592A6DB4C2E>.<1>, NSURLErrorFailingURLPeerTrustErrorKey=<SecTrustRef: 0x7fc422629050>, NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made.}
---

---
TLSv1.2
ATS Dictionary:
{
    NSExceptionDomains =     {
        "www.tunait-app.com" =         {
            NSExceptionMinimumTLSVersion = "TLSv1.2";
        };
    };
}
Result : FAIL
Error : Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, _kCFStreamErrorDomainKey=3, NSErrorPeerCertificateChainKey=(
    "<cert(0x7fc423825600) s: tunait-app.com i: Let's Encrypt Authority X3>",
    "<cert(0x7fc423825e00) s: tunait-app.com i: Let's Encrypt Authority X3>",
    "<cert(0x7fc423826600) s: Let's Encrypt Authority X3 i: DST Root CA X3>"
), NSErrorClientCertificateStateKey=0, NSErrorFailingURLKey=https://www.tunait-app.com/, NSErrorFailingURLStringKey=https://www.tunait-app.com/, NSUnderlyingError=0x7fc42262a7b0 {Error Domain=kCFErrorDomainCFNetwork Code=-1200 "(null)" UserInfo={_kCFStreamPropertySSLClientCertificateState=0, kCFStreamPropertySSLPeerTrust=<SecTrustRef: 0x7fc42274af40>, _kCFNetworkCFStreamSSLErrorOriginalValue=-9802, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9802, kCFStreamPropertySSLPeerCertificates=(
    "<cert(0x7fc423825600) s: tunait-app.com i: Let's Encrypt Authority X3>",
    "<cert(0x7fc423825e00) s: tunait-app.com i: Let's Encrypt Authority X3>",
    "<cert(0x7fc423826600) s: Let's Encrypt Authority X3 i: DST Root CA X3>"
)}}, _NSURLErrorRelatedURLSessionTaskErrorKey=(
    "LocalDataTask <8C273609-244A-48C2-920C-0E723B9DA7F5>.<1>"
), _kCFStreamErrorCodeKey=-9802, _NSURLErrorFailingURLSessionTaskErrorKey=LocalDataTask <8C273609-244A-48C2-920C-0E723B9DA7F5>.<1>, NSURLErrorFailingURLPeerTrustErrorKey=<SecTrustRef: 0x7fc42274af40>, NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made.}
---

---
TLSv1.1
ATS Dictionary:
{
    NSExceptionDomains =     {
        "www.tunait-app.com" =         {
            NSExceptionMinimumTLSVersion = "TLSv1.1";
        };
    };
}
Result : FAIL
Error : Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, _kCFStreamErrorDomainKey=3, NSErrorPeerCertificateChainKey=(
    "<cert(0x7fc42301e400) s: tunait-app.com i: Let's Encrypt Authority X3>",
    "<cert(0x7fc42301ec00) s: tunait-app.com i: Let's Encrypt Authority X3>",
    "<cert(0x7fc42301f400) s: Let's Encrypt Authority X3 i: DST Root CA X3>"
), NSErrorClientCertificateStateKey=0, NSErrorFailingURLKey=https://www.tunait-app.com/, NSErrorFailingURLStringKey=https://www.tunait-app.com/, NSUnderlyingError=0x7fc4224203e0 {Error Domain=kCFErrorDomainCFNetwork Code=-1200 "(null)" UserInfo={_kCFStreamPropertySSLClientCertificateState=0, kCFStreamPropertySSLPeerTrust=<SecTrustRef: 0x7fc42253ce40>, _kCFNetworkCFStreamSSLErrorOriginalValue=-9802, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9802, kCFStreamPropertySSLPeerCertificates=(
    "<cert(0x7fc42301e400) s: tunait-app.com i: Let's Encrypt Authority X3>",
    "<cert(0x7fc42301ec00) s: tunait-app.com i: Let's Encrypt Authority X3>",
    "<cert(0x7fc42301f400) s: Let's Encrypt Authority X3 i: DST Root CA X3>"
)}}, _NSURLErrorRelatedURLSessionTaskErrorKey=(
    "LocalDataTask <721FB0A8-FA2E-47FC-A34E-33F160A5B770>.<1>"
), _kCFStreamErrorCodeKey=-9802, _NSURLErrorFailingURLSessionTaskErrorKey=LocalDataTask <721FB0A8-FA2E-47FC-A34E-33F160A5B770>.<1>, NSURLErrorFailingURLPeerTrustErrorKey=<SecTrustRef: 0x7fc42253ce40>, NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made.}
---

---
TLSv1.0
ATS Dictionary:
{
    NSExceptionDomains =     {
        "www.tunait-app.com" =         {
            NSExceptionMinimumTLSVersion = "TLSv1.0";
        };
    };
}
Result : FAIL
Error : Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, _kCFStreamErrorDomainKey=3, NSErrorPeerCertificateChainKey=(
    "<cert(0x7fc423021000) s: tunait-app.com i: Let's Encrypt Authority X3>",
    "<cert(0x7fc423021800) s: tunait-app.com i: Let's Encrypt Authority X3>",
    "<cert(0x7fc423022000) s: Let's Encrypt Authority X3 i: DST Root CA X3>"
), NSErrorClientCertificateStateKey=0, NSErrorFailingURLKey=https://www.tunait-app.com/, NSErrorFailingURLStringKey=https://www.tunait-app.com/, NSUnderlyingError=0x7fc422423690 {Error Domain=kCFErrorDomainCFNetwork Code=-1200 "(null)" UserInfo={_kCFStreamPropertySSLClientCertificateState=0, kCFStreamPropertySSLPeerTrust=<SecTrustRef: 0x7fc4225489b0>, _kCFNetworkCFStreamSSLErrorOriginalValue=-9802, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9802, kCFStreamPropertySSLPeerCertificates=(
    "<cert(0x7fc423021000) s: tunait-app.com i: Let's Encrypt Authority X3>",
    "<cert(0x7fc423021800) s: tunait-app.com i: Let's Encrypt Authority X3>",
    "<cert(0x7fc423022000) s: Let's Encrypt Authority X3 i: DST Root CA X3>"
)}}, _NSURLErrorRelatedURLSessionTaskErrorKey=(
    "LocalDataTask <6BA17137-7344-475E-9650-4FFA5854D39E>.<1>"
), _kCFStreamErrorCodeKey=-9802, _NSURLErrorFailingURLSessionTaskErrorKey=LocalDataTask <6BA17137-7344-475E-9650-4FFA5854D39E>.<1>, NSURLErrorFailingURLPeerTrustErrorKey=<SecTrustRef: 0x7fc4225489b0>, NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made.}
---

================================================================================

Configuring PFS exceptions for www.tunait-app.com

---
Disabling Perfect Forward Secrecy
ATS Dictionary:
{
    NSExceptionDomains =     {
        "www.tunait-app.com" =         {
            NSExceptionRequiresForwardSecrecy = false;
        };
    };
}
Result : FAIL
Error : Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, _kCFStreamErrorDomainKey=3, NSErrorPeerCertificateChainKey=(
    "<cert(0x7fc42402f200) s: tunait-app.com i: Let's Encrypt Authority X3>",
    "<cert(0x7fc42402fa00) s: tunait-app.com i: Let's Encrypt Authority X3>",
    "<cert(0x7fc424030200) s: Let's Encrypt Authority X3 i: DST Root CA X3>"
), NSErrorClientCertificateStateKey=0, NSErrorFailingURLKey=https://www.tunait-app.com/, NSErrorFailingURLStringKey=https://www.tunait-app.com/, NSUnderlyingError=0x7fc422525480 {Error Domain=kCFErrorDomainCFNetwork Code=-1200 "(null)" UserInfo={_kCFStreamPropertySSLClientCertificateState=0, kCFStreamPropertySSLPeerTrust=<SecTrustRef: 0x7fc42262afc0>, _kCFNetworkCFStreamSSLErrorOriginalValue=-9802, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9802, kCFStreamPropertySSLPeerCertificates=(
    "<cert(0x7fc42402f200) s: tunait-app.com i: Let's Encrypt Authority X3>",
    "<cert(0x7fc42402fa00) s: tunait-app.com i: Let's Encrypt Authority X3>",
    "<cert(0x7fc424030200) s: Let's Encrypt Authority X3 i: DST Root CA X3>"
)}}, _NSURLErrorRelatedURLSessionTaskErrorKey=(
    "LocalDataTask <90E24CE4-6698-43E4-9246-3284D7139756>.<1>"
), _kCFStreamErrorCodeKey=-9802, _NSURLErrorFailingURLSessionTaskErrorKey=LocalDataTask <90E24CE4-6698-43E4-9246-3284D7139756>.<1>, NSURLErrorFailingURLPeerTrustErrorKey=<SecTrustRef: 0x7fc42262afc0>, NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made.}
---

================================================================================

Configuring PFS exceptions and allowing insecure HTTP for www.tunait-app.com

---
Disabling Perfect Forward Secrecy and Allowing Insecure HTTP
ATS Dictionary:
{
    NSExceptionDomains =     {
        "www.tunait-app.com" =         {
            NSExceptionAllowsInsecureHTTPLoads = true;
            NSExceptionRequiresForwardSecrecy = false;
        };
    };
}
Result : FAIL
Error : Error Domain=NSURLErrorDomain Code=-1202 "The certificate for this server is invalid. You might be connecting to a server that is pretending to be “www.tunait-app.com” which could put your confidential information at risk." UserInfo={NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, _kCFStreamErrorDomainKey=3, NSErrorPeerCertificateChainKey=(
    "<cert(0x7fc424033400) s: tunait-app.com i: Let's Encrypt Authority X3>",
    "<cert(0x7fc424033c00) s: tunait-app.com i: Let's Encrypt Authority X3>",
    "<cert(0x7fc424034400) s: Let's Encrypt Authority X3 i: DST Root CA X3>"
), NSErrorClientCertificateStateKey=0, NSErrorFailingURLKey=https://www.tunait-app.com/, NSErrorFailingURLStringKey=https://www.tunait-app.com/, NSUnderlyingError=0x7fc422426450 {Error Domain=kCFErrorDomainCFNetwork Code=-1202 "(null)" UserInfo={_kCFStreamPropertySSLClientCertificateState=0, kCFStreamPropertySSLPeerTrust=<SecTrustRef: 0x7fc42261a230>, _kCFNetworkCFStreamSSLErrorOriginalValue=-9843, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9843, kCFStreamPropertySSLPeerCertificates=(
    "<cert(0x7fc424033400) s: tunait-app.com i: Let's Encrypt Authority X3>",
    "<cert(0x7fc424033c00) s: tunait-app.com i: Let's Encrypt Authority X3>",
    "<cert(0x7fc424034400) s: Let's Encrypt Authority X3 i: DST Root CA X3>"
)}}, _NSURLErrorRelatedURLSessionTaskErrorKey=(
    "LocalDataTask <DCFA753B-C2FD-4754-8433-0E15BAF5F4AE>.<1>"
), _kCFStreamErrorCodeKey=-9843, _NSURLErrorFailingURLSessionTaskErrorKey=LocalDataTask <DCFA753B-C2FD-4754-8433-0E15BAF5F4AE>.<1>, NSURLErrorFailingURLPeerTrustErrorKey=<SecTrustRef: 0x7fc42261a230>, NSLocalizedDescription=The certificate for this server is invalid. You might be connecting to a server that is pretending to be “www.tunait-app.com” which could put your confidential information at risk.}
---

================================================================================

Configuring TLS exceptions with PFS disabled for www.tunait-app.com

---
TLSv1.3 with PFS disabled
ATS Dictionary:
{
    NSExceptionDomains =     {
        "www.tunait-app.com" =         {
            NSExceptionMinimumTLSVersion = "TLSv1.3";
            NSExceptionRequiresForwardSecrecy = false;
        };
    };
}
Result : FAIL
Error : Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, _kCFStreamErrorDomainKey=3, NSErrorPeerCertificateChainKey=(
    "<cert(0x7fc423026c00) s: tunait-app.com i: Let's Encrypt Authority X3>",
    "<cert(0x7fc423027400) s: tunait-app.com i: Let's Encrypt Authority X3>",
    "<cert(0x7fc42402e600) s: Let's Encrypt Authority X3 i: DST Root CA X3>"
), NSErrorClientCertificateStateKey=0, NSErrorFailingURLKey=https://www.tunait-app.com/, NSErrorFailingURLStringKey=https://www.tunait-app.com/, NSUnderlyingError=0x7fc422716500 {Error Domain=kCFErrorDomainCFNetwork Code=-1200 "(null)" UserInfo={_kCFStreamPropertySSLClientCertificateState=0, kCFStreamPropertySSLPeerTrust=<SecTrustRef: 0x7fc42253eed0>, _kCFNetworkCFStreamSSLErrorOriginalValue=-9802, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9802, kCFStreamPropertySSLPeerCertificates=(
    "<cert(0x7fc423026c00) s: tunait-app.com i: Let's Encrypt Authority X3>",
    "<cert(0x7fc423027400) s: tunait-app.com i: Let's Encrypt Authority X3>",
    "<cert(0x7fc42402e600) s: Let's Encrypt Authority X3 i: DST Root CA X3>"
)}}, _NSURLErrorRelatedURLSessionTaskErrorKey=(
    "LocalDataTask <A8507C97-ED6A-4FD3-AB57-218F16DC789F>.<1>"
), _kCFStreamErrorCodeKey=-9802, _NSURLErrorFailingURLSessionTaskErrorKey=LocalDataTask <A8507C97-ED6A-4FD3-AB57-218F16DC789F>.<1>, NSURLErrorFailingURLPeerTrustErrorKey=<SecTrustRef: 0x7fc42253eed0>, NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made.}
---

---
TLSv1.2 with PFS disabled
ATS Dictionary:
{
    NSExceptionDomains =     {
        "www.tunait-app.com" =         {
            NSExceptionMinimumTLSVersion = "TLSv1.2";
            NSExceptionRequiresForwardSecrecy = false;
   ncrypt Authority X3>",
    "<cert(0x7fc42382fa00) s: tunait-app.com i: Let's Encrypt Authority X3>",
    "<cert(0x7fc423830200) s: Let's Encrypt Authority X3 i: DST Root CA X3>"
), NSErrorClientCertificateStateKey=0, NSErrorFailingURLKey=https://www.tunait-app.com/, NSErrorFailingURLStringKey=https://www.tunait-app.com/, NSUnderlyingError=0x7fc42252e3a0 {Error Domain=kCFErrorDomainCFNetwork Code=-1200 "(null)" UserInfo={_kCFStreamPropertySSLClientCertificateState=0, kCFStreamPropertySSLPeerTrust=<SecTrustRef: 0x7fc422749c80>, _kCFNetworkCFStreamSSLErrorOriginalValue=-9802, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9802, kCFStreamPropertySSLPeerCertificates=(
    "<cert(0x7fc42382f200) s: tunait-app.com i: Let's Encrypt Authority X3>",
    "<cert(0x7fc42382fa00) s: tunait-app.com i: Let's Encrypt Authority X3>",
    "<cert(0x7fc423830200) s: Let's Encrypt Authority X3 i: DST Root CA X3>"
)}}, _NSURLErrorRelatedURLSessionTaskErrorKey=(
    "LocalDataTask <BB47CD73-5836-445A-9DC6-ECF947FE5EAE>.<1>"
), _kCFStreamErrorCodeKey=-9802, _NSURLErrorFailingURLSessionTaskErrorKey=LocalDataTask <BB47CD73-5836-445A-9DC6-ECF95B69A>.<1>"
), _kCFStreamErrorCodeKey=-9802, _NSURLErrorFailingURLSessionTaskErrorKey=LocalDataTask <BF1740B3-B947-455D-AC65-6B96DD85B69A>.<1>, NSURLErrorFailingURLPeerTrustErrorKey=<SecTrustRef: 0x7fc4227492e0>, NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made.}
---

---
TLSv1.0 with PFS disabled
ATS Dictionary:
{
    NSExceptionDomains =     {
        "www.tunait-app.com" =         {
            NSExceptionMinimumTLSVersion = "TLSv1.0";
            NSExceptionRequiresForwardSecrecy = false;
        };
    };
}
Result : FAIL
Error : Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, _kCFStreamErrorDomainKey=3, NSErrorPeerCertificateChainKey=(
    "<cert(0x7fc424038e00) s: tunait-app.com i: Let's Encrypt Authority X3>",
    "<cert(0x7fc424039600) s: tunait-app.com i: Let's Encrypt Authority X3>",
    "<cert(0x7fc424039e00) s: Let's Encrypt Authority X3 i: DST Root CA X3>"
), NSErrorClientCertificateStateKey=0, NSErrorFailingURLKey=https://www.tunait-app.com/, NSErrorFailingURLStringKey=https://www.tunait-app.com/, NSUnderlyingError=0x7fc4227467c0 {Error Domain=kCFErrorDomainCFNetwork Code=-1200 "(null)" UserInfo={_kCFStreamPropertySSLClientCertificateState=0, kCFStreamPropertySSLPeerTrust=<SecTrustRef: 0x7fc42263be00>, _kCFNetworkCFStreamSSLErrorOriginalValue=-9802, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9802, kCFStreamPropertySSLPeerCertificates=(
    "<cert(0x7fc424038e00) s: tunait-app.com i: Let's Encrypt Authority X3>",
    "<cert(0x7fc424039600) s: tunait-app.com i: Let's Encrypt Authority X3>",
    "<cert(0x7fc424039e00) s: Let's Encrypt Authority X3 i: DST Root CA X3>"
)}}, _NSURLErrorRelatedURLSessionTaskErrorKey=(
    "LocalDataTask <ACED6791-1B74-42A7-B9BE-BAD5A83162A8>.<1>"
), _kCFStreamErrorCodeKey=-9802, _NSURLErrorFailingURLSessionTaskErrorKey=LocalDataTask <ACED6791-1B74-42A7-B9BE-BAD5A83162A8>.<1>, NSURLErrorFailingURLPeerTrustErrorKey=<SecTrustRef: 0x7fc42263be00>, NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made.}
---

================================================================================

Configuring TLS exceptions with PFS disabled and insecure HTTP allowed for www.tunait-app.com

---
TLSv1.3 with PFS disabled and insecure HTTP allowed
ATS Dictionary:
{
    NSExceptionDomains =     {
        "www.tunait-app.com" =         {
            NSExceptionAllowsInsecureHTTPLoads = true;
            NSExceptionMinimumTLSVersion = "TLSv1.3";
            NSExceptionRequiresForwardSecrecy = false;
        };
    };
}
treamErrorCodeKey=-9843, _NSURLErrorFailingURLSessionTaskErrorKey=LocalDataTask <419DF896-CD4B-4ADD-9CB9-F8CA51A08704>.<1>, NSURLErrorFailingURLPeerTrustErrorKey=<SecTrustRef: 0x7fc422747e10>, NSLocalizedDescription=The certificate for this server is invalid. You might be connecting to a server that is pretending to be “www.tunait-app.com” which could put your confidential information at risk.}
---

================================================================================

https://www.ssllabs.com/ssltest/analyze.html?d=tunait-app.com


It works perfectly in Chrome.


Any suggestion?


Thank you
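
One way to reduce the nscurl output above to its signal, as an added example that is not part of the original post: a Python parser that extracts, per test block, the ATS keys in effect, the NSURLError and stream error codes, and the presented chain. The sample input is constructed in the same layout, the function names are this example's own, and the constant names come from Apple's NSURLError.h and SecureTransport.h headers.

```python
import re
from urllib.parse import urlparse

# Constant names from Apple's NSURLError.h and SecureTransport.h headers.
NSURL_ERRORS = {-1200: "NSURLErrorSecureConnectionFailed",
                -1202: "NSURLErrorServerCertificateUntrusted"}
SSL_ERRORS = {-9802: "errSSLFatalAlert", -9843: "errSSLHostNameMismatch"}

# Constructed sample in the layout nscurl printed in the post (messages shortened).
SAMPLE = """\
---
ATS Default Connection
ATS Dictionary:
{
}
Result : FAIL
Error : Error Domain=NSURLErrorDomain Code=-1200 "SSL error" UserInfo={NSErrorPeerCertificateChainKey=(
    "<cert(0x1) s: tunait-app.com i: Let's Encrypt Authority X3>",
    "<cert(0x2) s: tunait-app.com i: Let's Encrypt Authority X3>",
    "<cert(0x3) s: Let's Encrypt Authority X3 i: DST Root CA X3>"
), NSErrorFailingURLKey=https://www.tunait-app.com/, _kCFStreamErrorCodeKey=-9802}
---

---
Allow All Loads
ATS Dictionary:
{
    NSAllowsArbitraryLoads = true;
}
Result : FAIL
Error : Error Domain=NSURLErrorDomain Code=-1202 "invalid cert" UserInfo={NSErrorPeerCertificateChainKey=(
    "<cert(0x4) s: tunait-app.com i: Let's Encrypt Authority X3>",
    "<cert(0x5) s: tunait-app.com i: Let's Encrypt Authority X3>",
    "<cert(0x6) s: Let's Encrypt Authority X3 i: DST Root CA X3>"
), NSErrorFailingURLKey=https://www.tunait-app.com/, _kCFStreamErrorCodeKey=-9843}
---
"""

BLOCK = re.compile(r"^---\n(?P<title>[^\n]+)\nATS Dictionary:\n\{(?P<ats>.*?)\n\}\n"
                   r"Result : (?P<result>\w+)\n(?P<rest>.*?)^---$", re.M | re.S)

def _code(pattern, text, names):
    """Return (number, constant name) for the first match, or None."""
    m = re.search(pattern, text)
    return (int(m.group(1)), names.get(int(m.group(1)), "unknown")) if m else None

def parse_ats_diagnostics(text):
    """Return one dict per nscurl test block."""
    tests = []
    for m in BLOCK.finditer(text):
        rest = m.group("rest")
        chain_m = re.search(r"NSErrorPeerCertificateChainKey=\((.*?)\n\)", rest, re.S)
        chain = re.findall(r's: (.+?) i: (.+?)>"', chain_m.group(1)) if chain_m else []
        url_m = re.search(r"NSErrorFailingURLKey=([^,}\s]+)", rest)
        host = urlparse(url_m.group(1)).hostname if url_m else None
        notes = []
        if len(set(chain)) < len(chain):
            notes.append("repeated subject/issuer pair in chain")
        # "s:" is a subject summary; SAN entries are not printed, so this is only a hint.
        if chain and host and chain[0][0] != host:
            notes.append(f"leaf subject {chain[0][0]!r} differs from host {host!r}")
        tests.append({
            "title": m.group("title"),
            "ats_keys": {k: v.strip().strip('"') for k, v in
                         re.findall(r"(NS\w+) = ([^;{]+);", m.group("ats"))},
            "result": m.group("result"),
            "nsurl_error": _code(r"NSURLErrorDomain Code=(-?\d+)", rest, NSURL_ERRORS),
            "stream_error": _code(r"_kCFStreamErrorCodeKey=(-?\d+)", rest, SSL_ERRORS),
            "chain": chain, "notes": notes})
    return tests

if __name__ == "__main__":
    for t in parse_ats_diagnostics(SAMPLE):
        print(t["title"], t["result"], t["nsurl_error"], t["stream_error"], t["notes"])
```

Comparing `stream_error` across blocks shows which ATS keys changed the outcome and which left it untouched.
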

I’m not sure what you’re doing wrong here, but iOS definitely trusts Let’s Encrypt certificates by default. You should not need any ATS exceptions.

I created a new test project, added the code pasted in below, and ran it on the iOS 13.5 simulator. It ran just fine, printing this:

… 22:27:18.692305+0100 … task will start
… 22:27:19.046558+0100 … task finished with status 200, bytes 2602

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"
NSLog("task will start")
let url = URL(string: "https://www.tunait-app.com")!
let request = URLRequest(url: url, cachePolicy: .reloadIgnoringLocalCacheData, timeoutInterval: 60.0)
URLSession.shared.dataTask(with: request) { (data, response, error) in
    if let error = error as NSError? {
        NSLog("task transport error %@ / %d", error.domain, error.code)
        return
    }
    let response = response as! HTTPURLResponse
    let data = data!
    NSLog("task finished with status %d, bytes %d", response.statusCode, data.count)
}.resume()

Did you manage to get this working, as I'm facing the exact issue with Let's Encrypt? It was working fine for a year and still is for everything else, just not on iPhone 11 and above :(

Same here… after 3 months I have to delete my email accounts to renew the trust of the Let’s Encrypt certificate. My girlfriend with her Android phone never has this problem!!
