I'm trying to setup a MDM Check-in connection from my device to server. In my .mobileconfig I already put in the identity which is from the credential, I generate it from keychain access and using the .p12 file. For Server & Check-in URL - https://address.To.Server:9769/mdm/
I'm hosting my server in tomcat with SSL enabled which i generate the JKS using keytools, - "keytool -importkeystore -srckeystore client-cert.p12 -srcstoretype PKCS12 -destkeystore keystore.jks"
*client-cert.p12 is same with the .p12 file i put in mobileconfig's identity.
If i'm not mistaken, all the request from IOS to server are using HTTP PUT method. I already tried access my server directly from chrome browser and got no problem with it. I believe it is the certificate problem, but i got no clue what happening.
I got all these error when i tried to install the profile from safari.
>Notice: (Error) MC: Connection to <server> failed with error: NSError:
Desc : The server certificate for <server> is invalid.
US Desc: The server certificate for <server> is invalid.
Domain : MCHTTPTransactionErrorDomain
Code : 23002
Type : MCFatalError
Params : (
"<server>"
)
>Notice: (Error) MC: Cannot install MDM Mobile Device Management. Error: NSError:
Desc : The payload Mobile Device Management could not be installed.
Sugg : The server certificate for <server> is invalid.
US Desc: The payload Mobile Device Management could not be installed.
US Sugg: The server certificate for <server> is invalid.
Domain : MCInstallationErrorDomain
Code : 4001
Type : MCFatalError
Params : (
"Mobile Device Management"
)
>Desc : The profile SilverlakeMDM could not be installed.
Sugg : The payload Mobile Device Management could not be installed.
US Desc: The profile SilverlakeMDM could not be installed.
US Sugg: The payload Mobile Device Management could notbe installed.
Domain : MCProfileErrorDomain
Code : 1009
Type : MCFatalError
Params : (
SilverlakeMDM
)
Below are from my server console:
>httpsConnector.receiver.02 ERROR DefaultSystemExceptionStrategy:300 logException - Caught exception in Exception Strategy: Received close_notify during handshake
javax.net.ssl.SSLException: Received close_notify during handshake
at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1868)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1821)
at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1922)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1059)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1294)
at sun.security.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:848)
at sun.security.ssl.AppInputStream.read(AppInputStream.java:102)
at sun.security.ssl.AppInputStream.read(AppInputStream.java:69)
at org.apache.commons.httpclient.HttpParser.readRawLine(HttpParser.java:78)
at org.apache.commons.httpclient.HttpParser.readLine(HttpParser.java:106)
at org.mule.transport.http.HttpServerConnection.readLine(HttpServerConnection.java:219)
at org.mule.transport.http.HttpServerConnection.readRequest(HttpServerConnection.java:185)
at org.mule.transport.http.HttpMessageReceiver$HttpWorker.run(HttpMessageReceiver.java:155)
at org.mule.work.WorkerContext.run(WorkerContext.java:311)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1110)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:603)
at java.lang.Thread.run(Thread.java:722)
Possible issues can be,
Check your CN first. Yes it should match the domain. If you are testing it in your local machine make sure to add the IP there.
Make sure you SSL certificate is signed with Root CA if its self signed. Signer should clearly indicated as Root CA.
If you are using a RA certificate it also needs to be signed by the Root CA.
Implement checkin and server urls as PUT methods. If this is not implemented simply it will give this error.
I also had your issue due to point 4) and managed to resolve that.
Most likely, it's exactly the problem which it mentions: "The server certificate for is invalid.".
May be, it's not root certificate (I am not sure how iOS will like that) or may be you are using something unusual in this cert which is supported by your desktop, but it's not support by iOS device.
Try to access to your server from Safari on your iOS device and see what it will say.
Also, I assume that you created a configuration profile with server certificate which you installed beforehand. Go to Preferences and look at this configuration profile. This certificate should say something like "Trusted".
Related
When I run the project with SSL I get a warning in the browser, in every browser: firefox, IE, edge, chrome. When I launch the project it doesn't show me the warning dialog and I don't know if I have any certificate installed.
How to check if I have the certificate installed and if not, how to install it?
You probably need to add your certificate to CA Root.
High level plan:
Export SSL certificate from IIS.
Import that SSL certificate into CA Root.
Here is a blog post that explains everything in detail and with screenshots.
If you use Google Chrome, you might need to close and re-open it after installing a new SSL certificate due to browser's caching.
You can use online SSL checker tool to diagnoses issues regarding SSL certificate installation.
You should check that you are using a self-signed certificate or a CA signed certificate. If it’s a self-signed certificate then your users will experience warning message when they browse your site because browsers don't recognize it.
If you have a CA signed certificate, then you received a certificate via email from trusted third-party certificate authority, which contains the root, intermediate and primary certificates. You should install all three files on your server.
You should update your all browser. Modern browsers have already implemented root certificate, so you need to configure only intermediate and primary certificate on the server.
Follow below link which may help you to add CA Root certificate in the Trusted Root Certification Authorities store. https://technet.microsoft.com/en-us/library/cc754841(v=ws.11).aspx
Since I update to iOS 7.1 I had to start using a secure conexion to be able to download the plist file, I received the following:
Mar 21 09:08:36 xx-iPad itunesstored[98] <Warning>: Could not load download manifest with underlying error:
Error Domain=NSURLErrorDomain Code=-1202 "Cannot connect to the Store"
UserInfo=0x16ec5500 {NSLocalizedDescription=Cannot connect to the Store,
NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?,
NSLocalizedFailureReason=A secure connection could not be established. Please check your Date & Time settings.,
NSErrorFailingURLStringKey=https://mydomain/myappanme.plist,
NSUnderlyingError=0x16dd7fa0 "The certificate for this server is invalid. You might be connecting to a server that is pretending to be “mydomain.com” which could put your confidential information at risk.",
NSURLErrorFailingURLPeerTrustErrorKey=<SecTrustRef: 0x16e04510>,
NSErrorFailingURLKey=https://anything/myappanme.plist}
My server it is configured like this:
We've got a wildcard certificate for *.mydomain.com. We moved it to a new server, and the certificate is valid for all browsers that we have tested. (IE, firefox, chrome, safari...). The certificate is the tipical CRT with a bundle/intermediate certificate from GoDaddy and the key. The https site loads without issues. Apache 2.4 and Linux Fedora 20.
The download to install the app is:
itms-services://?action=download-manifest&url=https://mydomain/resources/myappanme.plist
Posible duplicated questions (try them all)
-)The certificate for this server is invalid
-)iOS Enterprise OTA distribution Unable to Download Application
-)http://www.nefkens-ict.nl/enterprise-build-does-not-install/
Thanks in advance
Try the below link, which will help you solving this certificate problem
http://cases.azoft.com/how-to-fix-certificate-is-not-valid-error-on-ios-7/
No issue in sharing the .ipa or apk file, for quick round, you can use below link to share binary file's, using multiple recipients...
URL:
thebetafamily.com/supersend/
I am trying to install a MDM configuration profile via iPhone Configuration Utility. This is what I am doing -
Build a simple mdm server in asp.net and host over SSL. (This server does nothing for now apart from listing to input requests.)
Generate a p12 certificate from the asp.net server's SSL certificate
Specify the url of the server in MDM configuration
Set the p12 certificate in the identify of MDM profile.
Install the profile
During installation I am getting the error The server certificate for "https://myservername/mdmserver/api/" is invalid.
I already tried lots of things which I found over internet but could succeed. Any kind of help will really be appreciated.
Detailed error -
NSError:
Desc : The payload com.mycompany.test01.mdm2 could not be installed.
Sugg : The server certificate for https://myservername/mdmserver/api is invalid.
US Desc: The payload com.mycompany.test01.mdm2 could not be installed.
US Sugg: The server certificate for https://myservername/mdmserver/api is invalid.
Domain : MCInstallationErrorDomain
Code : 4001
Type : MCFatalError
Params : (
"com.mycompany.test01.mdm2"
)
Two problems:
1) You should include device identity in your MDM profile. It's either PKCS12 or SCEP. In the case, if you are using PKCS12, usage of server PKCS12 is wrong (because it's server PKCS12 vs device identify PKCS12). Create new cert and private key, pack them into PKCS12 and use it as device identity.
2) Most likely, you forgot to include your server certificate in MDM profile. So, iOS can't validate whether it's contacting to appropriate server or not.
There is another possibility that your server certificate is truly invalid (as example, expired or common name doesn't match "myservername"
The problem is solved!
The issue was because I was using self-signed certificates.
In case anyone facing similar issues then you can check more details here
I was using iOS to connect to a server using a certificate whose CN (commonname) and FQDN (fully qualified domain name) is server.myexample.com. The server certificate was signed by my own Root CA (whose certificate I added to my anchor certs via SecTrustSetAnchorCertificates and verified via the method described here using NSURLAuthenticationChallenge).
With my iOS client, I was attempting to connect my REST service located at: server.myexample.com/Path1/service1, but I kept receiving the following error:
The certificate for this server is invalid. You might be connecting to a server
that is pretending to be “server.myexample.com” which could put your confidential
information at risk.
Error occurred while fetching https://server.myexample.com/Path1/service1: Error
Domain=NSURLErrorDomain Code=-1202 "The certificate for this server is invalid.
You might be connecting to a server that is pretending to be “server.myexample.com”
which could put your confidential information at risk."
I get additional messages with the same info but specifying the errors: NSErrorFailingURLStringKey and NSURLErrorFailingURLPeerTrustErrorKey.
I found that I could also call the service with server.myexample.com/service1 and removed Path1 from my request URL, and the server certificate verification worked correctly. Why is this? I was under the impression that the server only needed 1 certificate, meaning any services it hosts would also be using that same certificate. Maybe you need a separate server certificate per path? I was not aware the paths after the server ip address/domain needed to have their own certificate.
To summarize:
iOS client app with Root CA certificate in the anchor certs
Server server1's certificate signed by Root CA has a CN of server.myexample.com and whose FQDN is https://server.myexample.com.
Server server.myexample.com hosts service1 which can be accessed by web browser via:
https://server.myexample.com/service1 (passes iOS client's authentication of server)
https://server.myexample.com/Path1/service1 (FAILS iOS client's authentication of server)
CA and server certificates were created via OpenSSL
Thanks in advance!
I'm using the acegi security plugin and I run the app -https. The cert is generated but I get a certificate warning when i visit the web page. I have then download the weak ssl plugin and added weakssl.trustAll =true to Config.groovy. But still getting the same warning. Have I left out anything?
The warning is normal. You can just accept the self-signed certificate. The weakssl module allows the Grails server to trust itself even if it provides a self-signed certificate. It has no effect whatsoever on the client. (Think what a horrible security hole it would be if you could just install some code on the server and get a client to accept a self-signed certificate without a warning!)
To solve your problem you need to either
manually tell your browser the certificate is OK by adding the certificate to your truststore
or
get a certificate from a trusted CA (Certificate Authority) a list of trusted CAs is stored in your browser. To get a certififate from a CA you need to proof your identity and pay (a lot) some money.
so I recommend you just accept the untrusted certifcate unless you want to buy a CA certificate.
The config you changed tells only the server to accept all certificates. i.e. if your server is connecting to another server