Apple app site association CDN cache does not work with IPv6 only servers.

Hi,

We have an IPv6 only server setup, where we have put the AASA file as required: https://qa-jen.noknoktest.com/.well-known/apple-app-site-association

But the Apple CDN does not find it: https://app-site-association.cdn-apple.com/a/v1/qa-jen.noknoktest.com

Is there any restriction on IPv6 only servers? Everything works with our other IPv4 servers.

Note: With the alternate mode configuration in the application, the AASA is accessible to devices. There is no geo restriction or IP filtering for the server.

What is missing to force the CDN to cache the file from the mentioned server?

Is there any feedback from Apple developers? I need this issue addressed ASAP.

Thank you for your patience as we’ve been investigating the issue you raised. I appreciate you bringing this to our attention.

Upon review, it appears that the server hosting your AASA file isn’t accessible over an HTTP request. This is necessary for the servers to synchronize and enable universal links. I ran a simple curl command to test the access, and I received the following error:

curl -v https://qa-jen.noknoktest.com/.well-known/apple-app-site-association 
* Could not resolve host: qa-jen.noknoktest.com
* Closing connection
curl: (6) Could not resolve host: qa-jen.noknoktest.com

The error message indicates that qa-jen.noknoktest.com is not a correct host. Please ensure that the server is publicly accessible and the HTTPS address you provided is accurate.

You might find the checklist and troubleshooting guide on Apple’s developer website very helpful in resolving this issue wrt. AASA framework: https://developer.apple.com/documentation/technotes/tn3155-debugging-universal-links

Let me know if you need any additional assistance!

Hello,

Thank you for the reply. Can you please confirm that the computer where you ran the curl command has an IPv6 address? As I mentioned before, this server/domain is IPv6 only. In order to reach it, the client computer needs to have an IPv6 address. The curl output you shared is an indication that the computer has no IPv6 address.

When you try from a network/computer where IPv6 is enabled, you will get the content of the AASA file.

I confirm that https://qa-jen.noknoktest.com is publicly accessible.

Thank you in advance, Arsen

The curl command works for me on my mac: curl -v https://qa-jen.noknoktest.com/.well-known/apple-app-site-association

* Host qa-jen.noknoktest.com:443 was resolved.
* IPv6: 2600:1900:4000:6642::
* IPv4: (none)
*   Trying [2600:1900:4000:6642::]:443...
* Connected to qa-jen.noknoktest.com (2600:1900:4000:6642::) port 443
* ALPN: curl offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/cert.pem
*  CApath: none
* (304) (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384 / [blank] / UNDEF
* ALPN: server accepted h2
* Server certificate:
*  subject: CN=*.noknoktest.com
*  start date: Jan 25 00:00:00 2024 GMT
*  expire date: Jan 13 23:59:59 2025 GMT
*  subjectAltName: host "qa-jen.noknoktest.com" matched cert's "*.noknoktest.com"
*  issuer: C=US; O=DigiCert Inc; OU=www.digicert.com; CN=RapidSSL TLS RSA CA G1
*  SSL certificate verify ok.
* using HTTP/2
* [HTTP/2] [1] OPENED stream for https://qa-jen.noknoktest.com/.well-known/apple-app-site-association
* [HTTP/2] [1] [:method: GET]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: qa-jen.noknoktest.com]
* [HTTP/2] [1] [:path: /.well-known/apple-app-site-association]
* [HTTP/2] [1] [user-agent: curl/8.6.0]
* [HTTP/2] [1] [accept: */*]
> GET /.well-known/apple-app-site-association HTTP/2
> Host: qa-jen.noknoktest.com
> User-Agent: curl/8.6.0
> Accept: */*
< HTTP/2 200
< server: nginx/1.20.1
< date: Thu, 10 Oct 2024 21:20:50 GMT
< content-length: 660
< accept-ranges: bytes
< etag: W/"660-1695685549000"
< last-modified: Mon, 25 Sep 2023 23:45:49 GMT
<
{
  "webcredentials": {
    "apps": [
      "SG9R4B6BLT.com.noknok.ios.tutorialappplus",
      "26L5NKC893.com.noknok.ios.cordovatutorialapp",
      "SG9R4B6BLT.com.noknok.ios.cordovatutorialapp",
      "SG9R4B6BLT.com.noknok.s3express",
      "SG9R4B6BLT.com.noknok.droneshop"
    ]
  },
  "applinks": {
    "apps": [],
    "details": [
      { "appID": "SG9R4B6BLT.com.noknok.ios.tutorialappplus", "paths": [ "" ] },
      { "appID": "26L5NKC893.com.noknok.ios.NokNokPassport", "paths": [ "" ] },
      { "appID": "SG9R4B6BLT.com.noknok.ios.passport", "paths": [ "*" ] }
    ]
  }
}
* Connection #0 to host qa-jen.noknoktest.com left intact

This was successful on my home wifi that has IPv6 enabled by the ISP. It is also successful on the office wifi with IPv6 enabled by the ISP.

Hi something_goes_here,

Thank you for trying. Correct, it works if the computer has an IPv6 address. My problem is that the following is not working: https://app-site-association.cdn-apple.com/a/v1/qa-jen.noknoktest.com

This is expected to return the same file, but from the Apple CDN.
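
The two curl results in this thread differ only in the client's address family, which can be checked from one machine by forcing curl onto IPv4 and then IPv6 and comparing that with the CDN URL. This is an added example, not part of any post in the thread; the function names are hypothetical, and `-4`, `-6`, `-m` and `-w '%{http_code}'` are standard curl options.

```shell
#!/bin/sh
# Added example (not from the thread): probe an AASA origin per address family.
# probe_family, classify, diagnose and check_aasa are hypothetical helper names.

# Fetch a URL with curl pinned to one family (-4 or -6).
# Prints "<curl exit code> <HTTP status>"; status is 000 when no response arrived.
probe_family() {
    flag=$1 url=$2
    status=$(curl "$flag" -sS -o /dev/null -m 10 -w '%{http_code}' "$url" 2>/dev/null)
    rc=$?
    echo "$rc ${status:-000}"
}

# Map one probe result to: ok, no-address, unreachable, http-<code>, curl-<rc>.
classify() {
    rc=$1 http=$2
    case "$rc" in
        0) [ "$http" = 200 ] && echo ok || echo "http-$http" ;;
        6) echo no-address ;;       # exit 6: could not resolve host (no record for this family)
        7|28) echo unreachable ;;   # exit 7: connect failed, exit 28: timed out
        *) echo "curl-$rc" ;;
    esac
}

# Combine IPv4 and IPv6 results: args are rc4 http4 rc6 http6.
diagnose() {
    v4=$(classify "$1" "$2"); v6=$(classify "$3" "$4")
    case "$v4/$v6" in
        ok/ok) echo dual-stack ;;
        ok/*)  echo ipv4-only ;;
        */ok)  echo ipv6-only ;;
        *)     echo unreachable ;;
    esac
}

# Report how the origin answers on each family and what the CDN URL returns.
check_aasa() {
    host=$1
    origin="https://$host/.well-known/apple-app-site-association"
    cdn="https://app-site-association.cdn-apple.com/a/v1/$host"
    set -- $(probe_family -4 "$origin") $(probe_family -6 "$origin")
    echo "origin: $(diagnose "$1" "$2" "$3" "$4") (v4 rc=$1 http=$2, v6 rc=$3 http=$4)"
    echo "cdn:    http $(curl -sS -o /dev/null -m 10 -w '%{http_code}' "$cdn" 2>/dev/null)"
}

# Usage: check_aasa qa-jen.noknoktest.com
```

An `ipv6-only` origin reproduces the "Could not resolve host" result for any client without IPv6, so the `-6` probe only means something when run from a network that has IPv6 connectivity.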

Hi DTS Engineer, Is there any update?

Hi @DTS Engineer any update?
