
SSL certificate is not valid on iOS

I have a simple backend for my iOS application. It used to work perfectly, but recently the SSL connection started to fail only on iOS.

The strange part is that it started to fail on Friday at some point and then started to work again. Now I can't use my backend on iOS.

All certificate checks I did show that everything is OK and TLS 1.2 is working. But iOS (and only iOS; macOS is fine) says that the SSL cert is invalid.

Tried to renew the certificate - didn't help. The certificate is not self-signed (it is from letsencrypt.org).

This is a test link: https://api.dartoapp.com:9001/station/test1

SSL Labs report: https://www.ssllabs.com/ssltest/analyze.html?d=api.dartoapp.com

NSURLRequest error:

Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={NSURLErrorFailingURLPeerTrustErrorKey=<SecTrustRef: 0x1d430dec0>, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9802, NSErrorPeerCertificateChainKey=(
    "<cert(0x1400cec00) s: api.dartoapp.com i: Let's Encrypt Authority X3>"
), NSUnderlyingError=0x1d084bc40 {Error Domain=kCFErrorDomainCFNetwork Code=-1200 "(null)" UserInfo={_kCFStreamPropertySSLClientCertificateState=0, kCFStreamPropertySSLPeerTrust=<SecTrustRef: 0x1d430dec0>, _kCFNetworkCFStreamSSLErrorOriginalValue=-9802, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9802, kCFStreamPropertySSLPeerCertificates=(
    "<cert(0x1400cec00) s: api.dartoapp.com i: Let's Encrypt Authority X3>"
)}}, NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made., NSErrorFailingURLKey=https://api.dartoapp.com:9001/station/test1, NSErrorFailingURLStringKey=https://api.dartoapp.com:9001/station/test1, NSErrorClientCertificateStateKey=0}

curl output:

~ ⟩ curl -kvI https://api.dartoapp.com:9001/station/test1
*   Trying 54.154.203.139...
* TCP_NODELAY set
* Connected to api.dartoapp.com (54.154.203.139) port 9001 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=api.dartoapp.com
*  start date: Mar 11 18:18:58 2018 GMT
*  expire date: Jun  9 18:18:58 2018 GMT
*  issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7ffeac806c00)
> HEAD /station/test1 HTTP/2
> Host: api.dartoapp.com:9001
> User-Agent: curl/7.54.0
> Accept: */*
>
* Connection state changed (MAX_CONCURRENT_STREAMS updated)!
< HTTP/2 200
HTTP/2 200
< content-type: application/json; charset=utf-8
content-type: application/json; charset=utf-8
< content-length: 471
content-length: 471
< date: Sun, 11 Mar 2018 19:38:24 GMT
date: Sun, 11 Mar 2018 19:38:24 GMT

OK, so the issue was that my server wasn't sending the intermediate cert. It was OK before, but recent Let's Encrypt changes made it mandatory.
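The answer above comes down to a chain-building problem: the server handed out only the leaf certificate, and a client that holds just the root in its trust store (and does not go and fetch the missing intermediate itself) cannot link the leaf to anything it trusts. The script below is an added example, not code from the original post or from Let's Encrypt. It builds a throwaway three-tier PKI with openssl (all names are constructed), then runs `openssl verify` twice with a trust store containing only the root: once with the leaf alone, as the broken server behaved, and once with the intermediate supplied as well. It also includes a function for the check an operator would run against a live endpoint, which is not exercised offline because it needs network access.

```shell
#!/bin/sh
# Added example (not part of the original post): reproduce the
# "server does not send the intermediate" failure with a constructed PKI.
set -eu
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# 1. Root CA: the only thing the simulated client trusts.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
  -subj "/CN=Example Root CA (constructed)" \
  -keyout "$WORK/root.key" -out "$WORK/root.pem" >/dev/null 2>&1

# 2. Intermediate CA, signed by the root.
openssl req -newkey rsa:2048 -nodes -sha256 \
  -subj "/CN=Example Intermediate CA (constructed)" \
  -keyout "$WORK/inter.key" -out "$WORK/inter.csr" >/dev/null 2>&1
printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' \
  > "$WORK/inter.ext"
openssl x509 -req -sha256 -days 2 -in "$WORK/inter.csr" \
  -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -CAcreateserial \
  -extfile "$WORK/inter.ext" -out "$WORK/inter.pem" >/dev/null 2>&1

# 3. Leaf (server) certificate, signed by the intermediate.
openssl req -newkey rsa:2048 -nodes -sha256 \
  -subj "/CN=api.example.test" \
  -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:api.example.test\n' \
  > "$WORK/leaf.ext"
openssl x509 -req -sha256 -days 2 -in "$WORK/leaf.csr" \
  -CA "$WORK/inter.pem" -CAkey "$WORK/inter.key" -CAcreateserial \
  -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" >/dev/null 2>&1

# verify_chain MODE
#   leaf-only          : what the misconfigured server sent (leaf, no intermediate)
#   with-intermediate  : leaf plus the intermediate, as the fixed server sends it
# The trust store is restricted to the constructed root (-no-CApath/-no-CAfile
# keep the system store out of the picture). Prints "ok" or "fail".
verify_chain() {
  if [ "$1" = "with-intermediate" ]; then
    openssl verify -no-CApath -no-CAfile -CAfile "$WORK/root.pem" \
      -untrusted "$WORK/inter.pem" "$WORK/leaf.pem" >/dev/null 2>&1 \
      && echo ok || echo fail
  else
    openssl verify -no-CApath -no-CAfile -CAfile "$WORK/root.pem" \
      "$WORK/leaf.pem" >/dev/null 2>&1 \
      && echo ok || echo fail
  fi
}

# served_cert_count HOST PORT
# Live check for a real endpoint (needs network, so not run here): count the
# certificates the server actually sends in its TLS handshake. A result of 1
# means only the leaf is served and clients must already hold the intermediate.
served_cert_count() {
  openssl s_client -connect "$1:$2" -servername "$1" -showcerts </dev/null 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

echo "leaf only:          $(verify_chain leaf-only)"          # fail
echo "with intermediate:  $(verify_chain with-intermediate)"  # ok
```

The leaf-only run fails with "unable to get local issuer certificate", which is the openssl wording for the same condition iOS reported as NSURLErrorDomain -1200 / -9802. Pointing `served_cert_count` at the real host and port shows whether the fix (a full chain file on the server) has actually taken effect; the SSL Labs report linked in the question flags the same problem as an incomplete chain.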
