-3

I have a simple app sending data to a web service (Ubuntu / Node.js / JavaScript). Everything worked when using http (although an https setup issue may still be the problem). The problem appears to relate to the SSL server certificate on the Ubuntu server and the fact that Apple does not accept that it is secure. However, I have no problem with the equivalent Android app or web browser connections to the same REST API web services. There are numerous posts on these problems on Apple and other forums, but none have helped me successfully address the issue.

I ran an SSL server test on https://www.ssllabs.com/ssltest/ which gives ratings for SSL sites. The test gave an A rating, although a number of minor issues were shown that may be crucial to the iOS failure. Some Sectigo certificates said self-signed, which I couldn't understand.

Error message from Xcode log attached

2025年09月10日 10:28:01.725091+0100 locateandclock[2291:1585213] ATS failed system trust 
2025年09月10日 10:28:01.725192+0100 locateandclock[2291:1585213] Connection 1: system TLS Trust evaluation failed(-9802) 
2025年09月10日 10:28:01.725291+0100 locateandclock[2291:1585213] Connection 1: TLS Trust encountered error 3:-9802 
2025年09月10日 10:28:01.725352+0100 locateandclock[2291:1585213] Connection 1: encountered error(3:-9802) 
2025年09月10日 10:28:01.726727+0100 locateandclock[2291:1585213] Task <4E41098F-6B71-4FB8-8753-78DD32961812>.<1> HTTP load failed, 0/0 bytes (error code: -1200 [3:-9802]) 
2025年09月10日 10:28:01.736504+0100 locateandclock[2291:1585213] Task <4E41098F-6B71-4FB8-8753-78DD32961812>.<1> finished with error [-1200] Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, _kCFStreamErrorDomainKey=3,
NSErrorPeerCertificateChainKey=( 
 "<cert(0x10681be00) s: *.xxxxxxxxxxx.co.uk i: Sectigo Public Server Authentication CA DV R36>",
 "<cert(0x10681c800) s: Sectigo Public Server Authentication CA DV R36 i: Sectigo Public Server Authentication Root R46>",
 "<cert(0x10681d200) s: Sectigo Public Server Authentication Root R46 i: Sectigo Public Server Authentication Root R46>" ),
NSErrorClientCertificateStateKey=0, NSErrorFailingURLKey=https://xxxxxxxxxxxx.co.uk/insertclocking, NSErrorFailingURLStringKey=https://xxxxxxxxxxxx.co.uk/insertclocking, NSUnderlyingError=0x282361650 {Error Domain=kCFErrorDomainCFNetwork Code=-1200 "(null)" UserInfo={_kCFStreamPropertySSLClientCertificateState=0, kCFStreamPropertySSLPeerTrust=<SecTrustRef: 0x281cf4460>, _kCFNetworkCFStreamSSLErrorOriginalValue=-9802, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9802, kCFStreamPropertySSLPeerCertificates=( 
 "<cert(0x10681be00) s: *.xxxxxxxxxxxxxco.uk i: Sectigo Public Server Authentication CA DV R36>", 
 "<cert(0x10681c800) s: Sectigo Public Server Authentication CA DV R36 i: Sectigo Public Server Authentication Root R46>", 
 "<cert(0x10681d200) s: Sectigo Public Server Authentication Root R46 i: Sectigo Public Server Authentication Root R46>" )}},
 _NSURLErrorRelatedURLSessionTaskErrorKey=( "LocalDataTask <4E41098F-6B71-4FB8-8753-78DD32961812>.<1>" ), _kCFStreamErrorCodeKey=-9802, _NSURLErrorFailingURLSessionTaskErrorKey=LocalDataTask <4E41098F-6B71-4FB8-8753-78DD32961812>.<1>, NSURLErrorFailingURLPeerTrustErrorKey=<SecTrustRef: 0x281cf4460>,
NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made.}

I then changed the iOS settings by setting NSAllowsArbitraryLoads to remove ATS - a test not a solution. The error message changes to the following, however I'm not sure what that tells me.

Any ideas???

2025年09月12日 12:33:32.650932+0100 locateandclock[2832:2071478] Connection 2: default TLS Trust evaluation failed(-9813) 
2025年09月12日 12:33:32.651119+0100 locateandclock[2832:2071478] Connection 2: TLS Trust encountered error 3:-9813 
2025年09月12日 12:33:32.651175+0100 locateandclock[2832:2071478] Connection 2: encountered error(3:-9813) 
2025年09月12日 12:33:32.706852+0100 locateandclock[2832:2071478] Task <C3EFDBE5-89D2-4948-A3F5-A731FDFFB47F>.<2> HTTP load failed, 0/0 bytes (error code: -1202 [3:-9813])
2025年09月12日 12:33:32.723928+0100 locateandclock[2832:2071541] Task <C3EFDBE5-89D2-4948-A3F5-A731FDFFB47F>.<2> finished with error [-1202] Error Domain=NSURLErrorDomain Code=-1202 "The certificate for this server is invalid. You might be connecting to a server that is pretending to be "xxxxxxxxxxx.co.uk" which could put your confidential information at risk." 
UserInfo={NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, _kCFStreamErrorDomainKey=3, NSErrorPeerCertificateChainKey=( 
 "<cert(0x10881e600) s: *.xxxxxxxxxxxx.co.uk i: Sectigo Public Server Authentication CA DV R36>", 
 "<cert(0x10881f000) s: Sectigo Public Server Authentication CA DV R36 i: Sectigo Public Server Authentication Root R46>", 
 "<cert(0x10881fa00) s: Sectigo Public Server Authentication Root R46 i: Sectigo Public Server Authentication Root R46>" ),
NSErrorClientCertificateStateKey=0, NSErrorFailingURLKey=https://xxxxxxxxxxxxx.co.uk/insertclocking, NSErrorFailingURLStringKey=https://xxxxxxxxxxxxx.co.uk/insertclocking, NSUnderlyingError=0x282a1a0d0 {Error Domain=kCFErrorDomainCFNetwork Code=-1202 "(null)" UserInfo={_kCFStreamPropertySSLClientCertificateState=0, kCFStreamPropertySSLPeerTrust=<SecTrustRef: 0x2815745a0>, _kCFNetworkCFStreamSSLErrorOriginalValue=-9813, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9813, kCFStreamPropertySSLPeerCertificates=( 
 "<cert(0x10881e600) s: *.xxxxxxxxxxxxx.co.uk i: Sectigo Public Server Authentication CA DV R36>", 
 "<cert(0x10881f000) s: Sectigo Public Server Authentication CA DV R36 i: Sectigo Public Server Authentication Root R46>", 
 "<cert(0x10881fa00) s: Sectigo Public Server Authentication Root R46 i: Sectigo Public Server Authentication Root R46>" )}}, _NSURLErrorRelatedURLSessionTaskErrorKey=( "LocalDataTask <C3EFDBE5-89D2-4948-A3F5-A731FDFFB47F>.<2>" ), _kCFStreamErrorCodeKey=-9813, _NSURLErrorFailingURLSessionTaskErrorKey=LocalDataTask <C3EFDBE5-89D2-4948-A3F5-A731FDFFB47F>.<2>, NSURLErrorFailingURLPeerTrustErrorKey=<SecTrustRef: 0x2815745a0>, 
NSLocalizedDescription=The certificate for this server is invalid. You might be connecting to a server that is pretending to be "xxxxxxxxx.co.uk" which could put your confidential information at risk.}
President James K. Polk
asked Sep 28 at 15:17
  • 1
    You should do a web search for "sectigo public server authentication root r46 compatibility". This might give you insights on the reasons for your problem and possible fixes. Commented Sep 28 at 17:18
  • The date/time on your log messages is in the past. Is this because your logs were captured days ago? I ask because incorrect device time can be a cause of TLS failure, but in this case it does appear to be a root certificate trust issue. Commented Sep 28 at 20:08
  • @Paulw11 Thanks - Yes this was done some time ago. The original post was on Apple message board, but hasn't moved me forward. Commented Sep 29 at 7:04
  • What is the output of this openssl command: openssl s_client -connect <ACTUAL_HOST>:443 -showcerts. Is the complete chain returned, and is this the same as returned by SSLLabs? Also, on SSLLabs report, do you see several IPs resolved? Commented Sep 29 at 13:52
  • @RCDevsSecurity Thanks - openssl does return the complete chain and one IPv4 address - there is no IPv6 on this server. SSLLabs does the same. Only odd thing is that I get an error at the end - read R BLOCK HTTP/1.1 408 Request Timeout Connection: close 582A0000:error:0A000126:SSL routines::unexpected eof while reading:ssl\record\rec_layer_s3.c:701: - Not sure what to make of that Commented Sep 29 at 14:59

1 Answer

0

After contacting Sectigo, I had to install a CA bundle with cross-signed intermediate chain certificate AND delete the new root certificate on the server. That did the job. Thanks to all who helped.

answered 2 days ago
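
As an added example (not code from the question or the answer), this Node.js script parses the `s:` / `i:` certificate entries in the format the Xcode log above prints, then reports any self-issued certificate the server sent and the issuer name the client must already trust. Both sample chains are constructed; `OLDER-ROOT-PLACEHOLDER` and the shape of the chain after the fix are assumptions, since the page does not show them.

```javascript
// Added example: parses "<cert(0x...) s: SUBJECT i: ISSUER>" entries as printed
// under NSErrorPeerCertificateChainKey and summarises the chain the server sent.
const CERT_ENTRY = /<cert\(0x[0-9a-f]+\)\s+s:\s*(.*?)\s+i:\s*(.*?)>/gi;

function parsePeerChain(logText) {
  return [...logText.matchAll(CERT_ENTRY)].map(m => ({
    subject: m[1].trim(),
    issuer: m[2].trim(),
  }));
}

function analyzeChain(chain) {
  const findings = [];
  // Each certificate should name the next one in the list as its issuer.
  for (let i = 0; i + 1 < chain.length; i++) {
    if (chain[i].issuer !== chain[i + 1].subject) {
      findings.push(`chain break after "${chain[i].subject}"`);
    }
  }
  // subject == issuer: a self-issued (root) certificate sent by the server.
  const selfIssued = chain.filter(c => c.subject === c.issuer).map(c => c.subject);
  selfIssued.forEach(n => findings.push(`self-issued certificate served: "${n}"`));
  const top = chain[chain.length - 1];
  // requiredAnchor: the name the client must already hold in its trust store.
  return { length: chain.length, selfIssued, requiredAnchor: top ? top.issuer : null, findings };
}

// Constructed sample modelled on the question's log (host replaced).
const BEFORE = `
 "<cert(0x10681be00) s: *.example.co.uk i: Sectigo Public Server Authentication CA DV R36>",
 "<cert(0x10681c800) s: Sectigo Public Server Authentication CA DV R36 i: Sectigo Public Server Authentication Root R46>",
 "<cert(0x10681d200) s: Sectigo Public Server Authentication Root R46 i: Sectigo Public Server Authentication Root R46>"`;

// Constructed, assumed shape after the answer's change: the self-signed root is
// gone and a cross-signed certificate tops the chain. OLDER-ROOT-PLACEHOLDER is
// a placeholder; the page does not name the cross-signing root.
const AFTER = `
 "<cert(0x1) s: *.example.co.uk i: Sectigo Public Server Authentication CA DV R36>",
 "<cert(0x2) s: Sectigo Public Server Authentication CA DV R36 i: Sectigo Public Server Authentication Root R46>",
 "<cert(0x3) s: Sectigo Public Server Authentication Root R46 i: OLDER-ROOT-PLACEHOLDER>"`;

for (const [label, text] of [["before", BEFORE], ["after", AFTER]]) {
  console.log(label, analyzeChain(parsePeerChain(text)));
}
```

Feed it the `NSErrorPeerCertificateChainKey` text from a failing request; the `requiredAnchor` value is the name to look up in the trust store of the iOS version under test.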