钛-“此服务器的证书无效。您可能正在连接到假装为DOMAIN.COM的服务器”

Question

I am developing an app for iOS using Titanium Appcelerator. I am struggling with securing the connections to my server. I bought a UCC certificate to protect my server (and other websites) and installed it. When I go on any browser, it displays that the connection is secured.

Now, when I try to create a connection from the app to my server, I get the following error:

The certificate for this server is invalid. You might be connecting to a server that is pretending to be DOMAIN.COM

I've tried with other secured domains, and it works fine. I am using Ti.Network.createHTTPClient to create my connections. Does anyone have any idea about that problem? Is there something I'm missing here?

Answer 1

You should use a securityManager to communicate with a secured website. Below is the simple example from the documentation . The certificate should be provided as a X.509 certificate file in DER binary format.

Disclaimer: The appcelerator.https module is a paid feature!

// Require in the module
var https = require('appcelerator.https'),
    securityManager,
    httpClient;

// Use the module to create a Security Manager that authenticates the specified URLs
securityManager = https.createX509CertificatePinningSecurityManager([
    {
        url: "https://dashboard.appcelerator.com",
        serverCertificate: "dashboard.appcelerator.com.der"
    },
    {
        url: "https://www.wellsfargo.com",
        serverCertificate: "wellsfargo.der"
    }
]);

// Create an HTTP client the same way you always have
// but pass in the optional Security Manager that was created previously.
httpClient = Ti.Network.createHTTPClient({
    onload: function(e) {
        Ti.API.info("Received text: " + this.responseText);
    },
    onerror: function(e) {
        Ti.API.error(e.error);
    },
    timeout : 5000,
    // Set this property before calling the `open` method. 
    securityManager: securityManager
});

// Prepare the HTTPS connection in the same way you always have
// and the Security Manager will authenticate all servers for
// which it was configured before any communication happens.
httpClient.open("GET", "https://dashboard.appcelerator.com");

// Send the request in the same way you always have.
// Throws a Security Exception if authentication fails.
httpClient.send();

Answer 2

I found the reason why in my case the connection was refused. The catch was that I hadn't concatenated the two cert files given by godaddy, which doesn't seem to be a problem on browser, but was breaking the chain of trust for the app. Correcting that part fixed the issue, using:

cat gd_bundle-g1-g2.crt >> my_server.crt

to create the full crt file.

Note: The first cert file is downloadable on Godaddy's website, but is also attached when you download your crt file.