"Cannot Connect" error for itms-services link

So this is a problem that has been driving me crazy for some time now.

We are trying create an installation link for an in-house mobile app. The intended behavior is that an employee can click on a link, and they'll be asked to download and install the app.

The install link is:

<a href="itms-services://?action=download-manifest&amp;url=https://www.example.com/OurApp.plist">Click this link to install</a>

Note that I have tired this with both "&" and "&amp;", not

The plist is:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>items</key>
  <array>
       <dict>
            <key>assets</key>
            <array>
                 <dict>
                      <key>kind</key>
                       <string>software-package</string>
                       <key>url</key>
                       <string>https://www.example.com/OurApp.ipa</string>
                  </dict>
            </array>
            <key>metadata</key>
            <dict>
                 <key>bundle-identifier</key>
                 <string>com.ourcompany.OurApp</string>
                 <key>bundle-version</key>
                 <string>1.2</string>
                 <key>kind</key>
                 <string>software</string>
                 <key>title</key>
                 <string>Our App</string>
            </dict>
       </dict>
  </array>
</dict>
</plist>

The html file, plist file, and ipa file are all in the same root directory.

But whenever I click the link in an iPad, I get "Cannot connect to www.example.com".

I can reach the actual files just fine on any non-ipad device (navigating directly to the plist file displays the plist xml in chrome). I've even tried to just navigate directly to the *.ipa file on the iPad, which causes a "Download Failed - Safari cannot download this file." error.

I've added ipa files and plist files to the list of mime types (application/octet-stream and application/xml). I've enabled https (port 443) in the site bindings. I've double-checked to make sure there isn't a pre-existing app with the same bundle identifier. I have tried adding self-signed certificates to the site, using the build-in IIS utility for creating self-signed certificates and the openssl utility.

To make matters even stranger, we *can* create a working download using the exact same setup on the development server. Can anyone provide some insight into this? Are self-signed certificates invalid for IOS app installation?