SSL certificate failure

This problem doesn’t appear to relate to the app as everything worked when using http (although an https setup issue may still be the problem). The problem appears to relate to the SSL server certificate on the Ubuntu server and the fact that Apple does not accept that it is secure. However I have no problem with the equivalent Android app or web browser connections to the same REST API web services. There are numerous posts on these problems on Apple and other forums, but none have helped me successfully address the issue.

I ran an SSL server test on https://www.ssllabs.com/ssltest/ which gives ratings for SSL sites. The test gave an A rating although a number of minor issues were shown that may be crucial to the iOS failure. Some Sectigo certificates said self signed, which I couldn't understand.

Error message from Xcode log attached:

2025-09-10 10:28:01.725091+0100 locateandclock[2291:1585213] ATS failed system trust
2025-09-10 10:28:01.725192+0100 locateandclock[2291:1585213] Connection 1: system TLS Trust evaluation failed(-9802)
2025-09-10 10:28:01.725291+0100 locateandclock[2291:1585213] Connection 1: TLS Trust encountered error 3:-9802
2025-09-10 10:28:01.725352+0100 locateandclock[2291:1585213] Connection 1: encountered error(3:-9802)
2025-09-10 10:28:01.726727+0100 locateandclock[2291:1585213] Task <4E41098F-6B71-4FB8-8753-78DD32961812>.<1> HTTP load failed, 0/0 bytes (error code: -1200 [3:-9802])
2025-09-10 10:28:01.736504+0100 locateandclock[2291:1585213] Task <4E41098F-6B71-4FB8-8753-78DD32961812>.<1> finished with error [-1200] Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, _kCFStreamErrorDomainKey=3, NSErrorPeerCertificateChainKey=( "<cert(0x10681be00) s: *.xxxxxxxxxxx.co.uk i: Sectigo Public Server Authentication CA DV R36>", "<cert(0x10681c800) s: Sectigo Public Server Authentication CA DV R36 i: Sectigo Public Server Authentication Root R46>", "<cert(0x10681d200) s: Sectigo Public Server Authentication Root R46 i: Sectigo Public Server Authentication Root R46>" ), NSErrorClientCertificateStateKey=0, NSErrorFailingURLKey=https://xxxxxxxxxxxx.co.uk/insertclocking, NSErrorFailingURLStringKey=https://xxxxxxxxxxxx.co.uk/insertclocking, NSUnderlyingError=0x282361650 {Error Domain=kCFErrorDomainCFNetwork Code=-1200 "(null)" UserInfo={_kCFStreamPropertySSLClientCertificateState=0, kCFStreamPropertySSLPeerTrust=<SecTrustRef: 0x281cf4460>, _kCFNetworkCFStreamSSLErrorOriginalValue=-9802, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9802, kCFStreamPropertySSLPeerCertificates=( "<cert(0x10681be00) s: *.xxxxxxxxxxxxxco.uk i: Sectigo Public Server Authentication CA DV R36>", "<cert(0x10681c800) s: Sectigo Public Server Authentication CA DV R36 i: Sectigo Public Server Authentication Root R46>", "<cert(0x10681d200) s: Sectigo Public Server Authentication Root R46 i: Sectigo Public Server Authentication Root R46>" )}}, _NSURLErrorRelatedURLSessionTaskErrorKey=( "LocalDataTask <4E41098F-6B71-4FB8-8753-78DD32961812>.<1>" ), _kCFStreamErrorCodeKey=-9802, _NSURLErrorFailingURLSessionTaskErrorKey=LocalDataTask <4E41098F-6B71-4FB8-8753-78DD32961812>.<1>, NSURLErrorFailingURLPeerTrustErrorKey=<SecTrustRef: 0x281cf4460>, NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made.}


I recommend that you create a small test app that tries to access the server over HTTPS. Then, in this test app, disable App Transport Security (ATS) by setting NSAllowsArbitraryLoads. That’ll tell you whether this issue is:

  • Specific to the additional security checks done by ATS, or
  • Fundamental to the way that your TLS is set up

ps There’s a bunch of links to general info about TLS server trust evaluation on Apple platforms in Networking Resources.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

So the connection succeeded first time but failed second time with the following error. Messages changed but similar results. Not sure what that tells us.

2025-09-12 12:33:32.650932+0100 locateandclock[2832:2071478] Connection 2: default TLS Trust evaluation failed(-9813)
2025-09-12 12:33:32.651119+0100 locateandclock[2832:2071478] Connection 2: TLS Trust encountered error 3:-9813
2025-09-12 12:33:32.651175+0100 locateandclock[2832:2071478] Connection 2: encountered error(3:-9813)
2025-09-12 12:33:32.706852+0100 locateandclock[2832:2071478] Task <C3EFDBE5-89D2-4948-A3F5-A731FDFFB47F>.<2> HTTP load failed, 0/0 bytes (error code: -1202 [3:-9813])
2025-09-12 12:33:32.723928+0100 locateandclock[2832:2071541] Task <C3EFDBE5-89D2-4948-A3F5-A731FDFFB47F>.<2> finished with error [-1202] Error Domain=NSURLErrorDomain Code=-1202 "The certificate for this server is invalid. You might be connecting to a server that is pretending to be “xxxxxxxxxxx.co.uk” which could put your confidential information at risk." UserInfo={NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, _kCFStreamErrorDomainKey=3, NSErrorPeerCertificateChainKey=( "<cert(0x10881e600) s: *.xxxxxxxxxxxx.co.uk i: Sectigo Public Server Authentication CA DV R36>", "<cert(0x10881f000) s: Sectigo Public Server Authentication CA DV R36 i: Sectigo Public Server Authentication Root R46>", "<cert(0x10881fa00) s: Sectigo Public Server Authentication Root R46 i: Sectigo Public Server Authentication Root R46>" ), NSErrorClientCertificateStateKey=0, NSErrorFailingURLKey=https://xxxxxxxxxxxxx.co.uk/insertclocking, NSErrorFailingURLStringKey=https://xxxxxxxxxxxxx.co.uk/insertclocking, NSUnderlyingError=0x282a1a0d0 {Error Domain=kCFErrorDomainCFNetwork Code=-1202 "(null)" UserInfo={_kCFStreamPropertySSLClientCertificateState=0, kCFStreamPropertySSLPeerTrust=<SecTrustRef: 0x2815745a0>, _kCFNetworkCFStreamSSLErrorOriginalValue=-9813, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9813, kCFStreamPropertySSLPeerCertificates=( "<cert(0x10881e600) s: *.xxxxxxxxxxxxx.co.uk i: Sectigo Public Server Authentication CA DV R36>", "<cert(0x10881f000) s: Sectigo Public Server Authentication CA DV R36 i: Sectigo Public Server Authentication Root R46>", "<cert(0x10881fa00) s: Sectigo Public Server Authentication Root R46 i: Sectigo Public Server Authentication Root R46>" )}}, _NSURLErrorRelatedURLSessionTaskErrorKey=( "LocalDataTask <C3EFDBE5-89D2-4948-A3F5-A731FDFFB47F>.<2>" ), _kCFStreamErrorCodeKey=-9813, _NSURLErrorFailingURLSessionTaskErrorKey=LocalDataTask <C3EFDBE5-89D2-4948-A3F5-A731FDFFB47F>.<2>, NSURLErrorFailingURLPeerTrustErrorKey=<SecTrustRef: 0x2815745a0>, NSLocalizedDescription=The certificate for this server is invalid. You might be connecting to a server that is pretending to be “easylogservers.co.uk” which could put your confidential information at risk.}

Ok - should have checked this sooner but I normally use iOS 16 on simulators and actual device to check for backward compatibility. iOS 17 and 18 actually work with simulators. I would guess this is because iOS 16 and earlier doesn't have Sectigo root certificates loaded (found on other posts once I knew what I was looking for). Not sure there is any way around this??

I would guess this is because iOS 16 and earlier doesn't have Sectigo root certificates loaded

It’d be better to check rather than guess. Which brings me back to this comment:

There’s a bunch of links … in Networking Resources.

Networking Resources include various links to the Apple Support articles that explain which root certificates are installed on which versions of iOS.

I’m not able to speak for Sectigo, obviously, but a quick ’net search for Sectigo Public Server Authentication Root R46 suggests that they are in the process of transitioning from one root to another. If iOS 16 compatibility is important to you, I recommend that you discuss this with them. It’s possible that they might have some advice for how to tweak your server to be compatible.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
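
Added example, not part of the original thread: a Python sketch that pulls the certificate chain and error codes out of NSError text like the logs above. It shows why the last entry reads as self-signed (a root's subject equals its issuer) and names the anchor that must already be in the device's trust store; the sample input is constructed and `example.co.uk` is a placeholder.

```python
import re

# Constructed sample modelled on the NSError text in the posts above; the leaf
# subject is a placeholder domain, the CA names are the ones the log shows.
SAMPLE = (
    'Error Domain=NSURLErrorDomain Code=-1202 UserInfo={_kCFStreamErrorCodeKey=-9813, '
    'NSErrorPeerCertificateChainKey=( '
    '"<cert(0x1) s: *.example.co.uk i: Sectigo Public Server Authentication CA DV R36>", '
    '"<cert(0x2) s: Sectigo Public Server Authentication CA DV R36 '
    'i: Sectigo Public Server Authentication Root R46>", '
    '"<cert(0x3) s: Sectigo Public Server Authentication Root R46 '
    'i: Sectigo Public Server Authentication Root R46>" )}'
)

CERT_RE = re.compile(r'<cert\(0x[0-9a-fA-F]+\) s: (.+?) i: (.+?)>')
CODE_RE = re.compile(r'(?:\bCode|_kCFStreamErrorCodeKey)=(-\d+)')
# Names of the codes seen on this page (NSURLError.h and SecureTransport.h).
CODE_NAMES = {
    -1200: "NSURLErrorSecureConnectionFailed",
    -1202: "NSURLErrorServerCertificateUntrusted",
    -9802: "errSSLFatalAlert",
    -9813: "errSSLNoRootCert",
}

def parse_chain(text):
    """Unique (subject, issuer) pairs in the order the log lists them."""
    chain = []
    for subject, issuer in CERT_RE.findall(text):
        if (subject, issuer) not in chain:  # the log prints the chain twice
            chain.append((subject, issuer))
    return chain

def triage(text):
    chain = parse_chain(text)
    # Each certificate should be issued by the next one in the list.
    linked = all(chain[k][1] == chain[k + 1][0] for k in range(len(chain) - 1))
    # A root is self-issued by definition: subject == issuer. Only names are
    # compared here; signatures are not verified.
    top_subject, top_issuer = chain[-1] if chain else (None, None)
    root = top_subject if chain and top_subject == top_issuer else None
    codes = sorted({int(c) for c in CODE_RE.findall(text)})
    return {
        "leaf": chain[0][0] if chain else None,
        "linked": linked,
        "root_sent_by_server": root,
        # When no root is sent, the client must already hold the top issuer.
        "anchor_client_must_trust": root or top_issuer,
        "codes": [CODE_NAMES.get(c, str(c)) for c in codes],
    }
```

The anchor name it reports is the one to look up in the Apple Support root certificate lists for each iOS version.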
