    Solved Automatically generated self signed wildcard certificate doesn't appear to be able to be trusted by ios 13 or greater

    Support
    certificates ios
    • ChristopherMag
      ChristopherMag last edited by girish

      I have saved and then followed these steps for installing a certificate once it has been sent to an iOS 13.7 iPhone (in my case I used iCloud storage and the Files app to get the certificate onto the device).

      After these steps have been completed you should be able to enable trust for this certificate like this.

      I have also used the iMazing profile editor to create a profile with the auto generated self signed wildcard certificate in case that made a difference.

      In all cases the certificate doesn't show up under the "Enable full trust for root certificates" heading on the Settings > General > About > Certificate Trust Settings screen.

      Apple published new requirements for certificates that can be trusted in iOS 13 and above.

      All of the first set of requirements appear to be met but the last section's bullets appear to be where the problems are:

      Additionally, all TLS server certificates issued after July 1, 2019 (as indicated in the NotBefore field of the certificate) must follow these guidelines:

      • TLS server certificates must contain an ExtendedKeyUsage (EKU) extension containing the id-kp-serverAuth OID.
      • TLS server certificates must have a validity period of 825 days or fewer (as expressed in the NotBefore and NotAfter fields of the certificate).

      At present it appears that it is not possible for an updated iOS device to trust the automatically generated self signed certificate created by Cloudron.

      This blog article provides steps that work, part of the issue being the requirement to have a separate CA cert that is then used to generate the TLS Web Server Authentication cert that is ultimately used for the TLS connections.

      Beyond that it also appears that the 10-year lifetime on the certificate would have to be reduced to 825 days or less (~2.26 years).

      • d19dotca
        d19dotca @ChristopherMag last edited by

        @ChristopherMag That lifespan is the gotcha. Cloudron will need to update the self-signed generated certs I suppose to be no longer than about 2 years.

        --
        Dustin Dauncey
        www.d19.ca

        • girish
          girish Staff last edited by

          @ChristopherMag Thanks for the detailed analysis. Good to know! I will reduce the timespan to 2 years.

          • girish
            girish Staff last edited by

            Before I make this change, I have a question. Are you using the Cloudron generated self-signed certificate for all the apps or was this just the initial setup wizard.

            For using certs for apps, it's best to create and set a certificate yourself from Domains -> Advanced. See this - https://docs.cloudron.io/certificates/#custom-certificates . You can also create your own CA as iOS requires and provide Cloudron the full cert file with the intermediate certs attached.

            For the initial setup wizard, I have lowered the validity of certs - https://git.cloudron.io/cloudron/box/-/commit/0064ac5ead2740e2f597f53e26db0f2b3307ad29

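The separate-CA setup girish suggests above, built to satisfy the two iOS 13 rules quoted in the first post (EKU id-kp-serverAuth and a validity period of 825 days or fewer), as an added example with plain openssl; this is not Cloudron's code, and the domain name, working directory and the 398-day leaf lifetime are assumptions.

```shell
#!/bin/sh
# Added example (not Cloudron's code): build a private CA plus a wildcard
# server cert that meets the iOS 13+ rules quoted in this thread, then check
# a cert against those rules. Assumed: DOMAIN, WORKDIR, OpenSSL >= 1.1.1.
set -eu
WORKDIR="${WORKDIR:-./ios-ca}"
DOMAIN="${DOMAIN:-cloudron.example}"

make_chain() {
  mkdir -p "$WORKDIR"; cd "$WORKDIR"
  # 1. Separate root CA (the 825-day rule applies to server certs, not the CA).
  openssl req -new -newkey rsa:2048 -nodes -sha256 -keyout ca.key -out ca.csr \
    -subj "/CN=Private Cloudron CA" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  openssl x509 -req -in ca.csr -signkey ca.key -days 3650 -sha256 -extfile ca.ext \
    -out ca.crt 2>/dev/null
  # 2. CSR for the wildcard host.
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout server.key -out server.csr -subj "/CN=*.$DOMAIN" 2>/dev/null
  # 3. Leaf extensions iOS checks: SAN, EKU id-kp-serverAuth, lifetime <= 825 days.
  cat > leaf.ext <<EOF
basicConstraints=CA:FALSE
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:*.$DOMAIN,DNS:$DOMAIN
EOF
  openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 398 -sha256 -extfile leaf.ext -out server.crt 2>/dev/null
  # Leaf first, then CA: the "full cert file" shape for a Cloudron custom-cert upload.
  cat server.crt ca.crt > fullchain.crt
  cd - >/dev/null
}

# Prints "ok" when $1 chains to CA $2, has EKU serverAuth and will not outlive
# 825 days from now (same as the NotBefore/NotAfter rule for a fresh cert).
check_leaf() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1 || { echo fail; return 0; }
  openssl x509 -in "$1" -noout -text | grep -q "TLS Web Server Authentication" \
    || { echo fail; return 0; }
  # -checkend exits 0 when the cert is still valid after N seconds: too long-lived.
  openssl x509 -in "$1" -noout -checkend $((825 * 86400)) >/dev/null \
    && { echo fail; return 0; }
  echo ok
}

if [ "${1:-}" = "run" ]; then
  make_chain
  echo "server.crt: $(check_leaf "$WORKDIR/server.crt" "$WORKDIR/ca.crt")"
  echo "ca.crt: $(check_leaf "$WORKDIR/ca.crt" "$WORKDIR/ca.crt")"
fi
```

Run with `sh script.sh run`; the 10-year CA cert is reported as "fail" for the same reasons the old Cloudron self-signed cert is rejected (no serverAuth EKU, lifetime over 825 days), while the 398-day leaf passes.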
            • ChristopherMag
              ChristopherMag @girish last edited by

              @girish Sorry for the late reply; the default forum settings were to send me email notifications once a week. I have changed that to daily.

              I was trying to use the self-signed certificate for all apps.

              I have gone ahead and followed the steps in the blog article I linked to and was able to upload the full CA and web server cert chain to Cloudron, and after getting the root certificate authority into all the devices accessing Cloudron, everything is working well from Windows and iOS based devices.

              It looks like Apple is going to be decreasing the certificate lifetime further down to 398 days so you may want to lower the lifetime down to a year to get ahead of that change.
