Invalid Certificate error when developing an iPhone app which calls APIs from a local computer even after implementing CA Certificate

I am getting an error when trying to call an API being hosted on my local development machine from an Xcode project running on my iPhone:

Task <xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx>.<2> finished with error [-1202] Error Domain=NSURLErrorDomain Code=-1202 "The certificate for this server is invalid. You might be connecting to a server that is pretending to be “10.0.0.5” which could put your confidential information at risk." UserInfo={NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, _kCFStreamErrorDomainKey=3, NSErrorPeerCertificateChainKey=(
    "<cert(0x106046600) s: XXXXXXXXXX-Dev i: XXXXXXXXXX Dev CA>",
    "<cert(0x106047000) s: XXXXXXXXXX Dev CA i: XXXXXXXXXX Dev CA>"
), NSErrorClientCertificateStateKey=0

I have followed the instructions for creating a certificate authority and certificate and installing it on my phone as outlined in Creating Certificates for TLS Testing and Installing a CA’s Root Certificate on Your Test Device. I have read posts in this forum without resolution and seen them on Stack Overflow like this one and this one which have not been answered or the solutions do not work in more current environments (example response: "This doesn't work in XCode 14.2").

I did have this running in earlier versions and with Android Studio. It would be ideal to have the current-state answer to how to develop APIs on your local machine and call them from your iPhone or simulator.

Answered by DTS Engineer in 805341022

I recently walked someone through this process in detail; see this thread.

Looking at the info you’ve posted, it seems like you’re connecting to an IP address. Don’t do that. Rather, have your CA issue the certificate for, and then connect to, your Mac’s local DNS name; see System Settings > General > Sharing > Local hostname.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

I read through the thread but it was hard to follow. I did go to the website referenced, which was very helpful (https://blog.arrogantrabbit.com/ssl/Root-CA-macOS/) but also needed to know how to deal with a wired iPhone vs a simulator or web page as I think Subject Alternate Name Extension becomes a factor and for that step in the CA creation it states:

Unchecked, Unless you have good reason to provide alternate names

Which this might be. Do you know? Would I use the Mac's local DNS name for this?

If I'm trying to connect to a service running on my local MacBook on my local LAN and I have an iPhone connected to my MacBook, how do I reference the API services on my MacBook without using the IP? Can I use the IP or is it just bad practice? If I can, do I need to configure the CA or exported .p12 in some specific way to allow it? Otherwise, is there a way to call the connected MacBook with something other than the IP from the USB connected phone?

I think Subject Alternate Name Extension becomes a factor and for that step in the CA creation it states:

I think you’re misreading the advice there. The Subject Alternate Name extension is pointless on the CA’s certificate but absolutely critical on the server certificates issued by that CA. The doc makes that clear later on, in the Subject ALternate Name Extension section (it’s easy to recognise because it’s the only one where Alternate is misspelt :-).

As to what you should use, I recommend a local DNS name. That’s what you see, and can set, in System Settings > General > Sharing > Local hostname. For example, my Mac’s name is Guy Smiley [1], so its local DNS name is guy-smiley.local. That’s the value I put in the Subject Alternate Name extension.

And yeah, this works regardless of whether I run the client app in the simulator or on a real device [2].

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] Hey hey hey, it’s Guy Smiley!.

[2] Assuming the real device is on the same Wi-Fi as my Mac.

I think your local hostname is a little more creative than mine, which is MacBook-Pro.local. My "Use dynamic global hostname" setting is off.

In creating the certificate from the authority, do I leave the IPAddress: as 127.0.0.1 or use the IP on my LAN? I left it as 127.0.0.1 as neither the documentation nor your response said I should change it to 10.0.0.5.

I got an error running this:

openssl pkcs12 -in certificate.p12 -out server.key -nodes

Here is the error:

Error outputting keys and certificates 40E24F0202000000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:355:Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()

However, I am using this on Kestrel which seems to take the p12 or pfx.

I am getting this error:

Connection 4: default TLS Trust evaluation failed(-9813)

Connection 4: TLS Trust encountered error 3:-9813

Connection 4: encountered error(3:-9813)

Task <E8F804FD-56EE-4700-AA64-4B9D461B7FD9>.<2> HTTP load failed, 0/0 bytes (error code: -1202 [3:-9813])

Task <DC46FCDC-E048-409D-82E2-E0CBA248E0F5>.<2> finished with error [-1202] Error Domain=NSURLErrorDomain Code=-1202 "The certificate for this server is invalid. You might be connecting to a server that is pretending to be “macbook-pro.local” which could put your confidential information at risk." UserInfo={NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, _kCFStreamErrorDomainKey=3, NSErrorPeerCertificateChainKey=( "<cert(0x105160a00) s: MacBook-Pro.local i: XXXXXXXXXXX Dev CA>", "<cert(0x105150400) s: XXXXXXXXXX Dev CA i: XXXXXXXXXX Dev CA>" ), NSErrorClientCertificateStateKey=0, NSErrorFailingURLKey=https://macbook-pro.local:5001/api/TestAPI, NSErrorFailingURLStringKey=https://macbook-pro.local:5001/api/TestAPI, NSUnderlyingError=0x302a09620 {Error Domain=kCFErrorDomainCFNetwork Code=-1202 "(null)" UserInfo={_kCFStreamPropertySSLClientCertificateState=0, kCFStreamPropertySSLPeerTrust=<SecTrustRef: 0x30141fa20>, _kCFNetworkCFStreamSSLErrorOriginalValue=-9813, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9813, kCFStreamPropertySSLPeerCertificates=( "<cert(0x105160a00) s: MacBook-Pro.local i: XXXXXXXXXX Dev CA>", "<cert(0x105150400) s: XXXXXXXXXX Dev CA i: XXXXXXXXXX Dev CA>" )}}, _NSURLErrorRelatedURLSessionTaskErrorKey=( "LocalDataTask <DC46FCDC-E048-409D-82E2-E0CBA248E0F5>.<2>" ), _kCFStreamErrorCodeKey=-9813, _NSURLErrorFailingURLSessionTaskErrorKey=LocalDataTask <DC46FCDC-E048-409D-82E2-E0CBA248E0F5>.<2>, NSURLErrorFailingURLPeerTrustErrorKey=<SecTrustRef: 0x30141fa20>, NSLocalizedDescription=The certificate for this server is invalid. You might be connecting to a server that is pretending to be “macbook-pro.local” which could put your confidential information at risk.}

I think your local hostname is a little more creative than mine which is MacBook-Pro.local.

I’m in no position to criticise your life choices (-:

But, yeah, that local DNS should work just fine. The only weirdness you might hit is if you join a network with a second MacBook Pro on it. If that device is still using the default name, there’s a conflict and one of them will rename. That could get confusing.

In creating the certificate from the authority do I leave the IPAddress

I generally don’t include an IP address and instead lean in to the local DNS name. This has a couple of advantages:

  • It puts you on the beaten path. If you look at most ‘real’ TLS server certificates, they only include a DNS name in the SAN extension.

  • It continues to work as you change networking environments.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
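As an added example (not code from the thread, from Apple's docs, or from the linked guide), here are the openssl steps for a throwaway dev CA and a server certificate whose SAN holds only the Mac's local DNS name, as recommended above, exported as a .p12 for Kestrel; the hostname macbook-pro.local, the output directory and the password are assumed values. The two check functions show why a certificate issued this way validates for the DNS name but not for a connection made by IP address, which is the failure in the first post.

```shell
# Added example, not code from the thread: a throwaway development CA plus a
# server certificate whose SAN carries the Mac's local DNS name. The hostname,
# output directory and password are assumptions; adjust to your own Mac.
set -eu

# Create ca.pem, server.pem, server.key and server.p12 in $2 for local DNS name $1.
make_dev_certs() {
    host="$1"; dir="$2"
    mkdir -p "$dir"
    # 1. Root CA: a CSR self-signed with explicit CA extensions.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Dev CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.csr" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' \
        > "$dir/ca.ext"
    openssl x509 -req -in "$dir/ca.csr" -signkey "$dir/ca.key" -days 825 \
        -extfile "$dir/ca.ext" -out "$dir/ca.pem" 2>/dev/null
    # 2. Server key and CSR for the local DNS name.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$host" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    # 3. Issue the server certificate. Clients match the SAN, not the CN, so the
    #    DNS name goes there; no IP address is included (see the reasons above).
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\nbasicConstraints=CA:FALSE\n' "$host" \
        > "$dir/server.ext"
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 825 -extfile "$dir/server.ext" -out "$dir/server.pem" 2>/dev/null
    # 4. PKCS#12 bundle for Kestrel. (A .p12 exported by Keychain Access is
    #    encrypted with RC2-40-CBC, which OpenSSL 3 only reads with `-legacy`;
    #    one produced here uses OpenSSL 3's default AES-based encryption.)
    openssl pkcs12 -export -in "$dir/server.pem" -inkey "$dir/server.key" \
        -certfile "$dir/ca.pem" -passout pass:devpass -out "$dir/server.p12"
}

# Validate server.pem against the CA for a given DNS name; prints ok or fail.
check_name() {
    if openssl verify -CAfile "$2/ca.pem" -verify_hostname "$1" "$2/server.pem" >/dev/null 2>&1
    then echo ok; else echo fail; fi
}

# Same check for a connection made by IP address, as in the first post.
check_ip() {
    if openssl verify -CAfile "$2/ca.pem" -verify_ip "$1" "$2/server.pem" >/dev/null 2>&1
    then echo ok; else echo fail; fi
}

# Stand-alone demo when run as `sh thisfile.sh demo` (names and paths made up).
if [ "${1-}" = demo ]; then
    make_dev_certs macbook-pro.local ./devcerts
    echo "by DNS name: $(check_name macbook-pro.local ./devcerts)"   # ok
    echo "by IP:       $(check_ip 10.0.0.5 ./devcerts)"              # fail
fi
```

Install devcerts/ca.pem on the phone as the trusted root and point Kestrel at server.p12; the app then connects to https://macbook-pro.local:5001, never to the IP.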
