Watch push notification attachment certificate error

Hi,
I’ve been putting up with this one for about 1 year and finally gotten around to trying to solve it. I’ve done much searching and fiddling, and have not gotten close to sorting it.

I have various push notifications with camera.snapshot image attachments which display fine on my iPhone, but display as an error in red text on my Apple Watch.

On the watch, the error says:
Failed to load attachment Requests adaption failed with error: server trust evaluation failed due to reason: Custom trust evaluation failed with error: "has.jjpeet.com" certificate is not trusted"

As you can see in the image below, the attachment displays fine on the companion app on the phone, but errors on the watch.

I’ve been using a purchased certificate for my own domain for years - prior to Nabu Casa starting, and it has worked fine. Additionally, I plan to keep doing it this way as it’s much faster than Nabu Casa. Each year I update my certs etc and it works fine in every other way - so this one is a bit weird.

@zacwest do you have any thoughts on this one? I’m hoping it’s something simple… :wink:

Thx
JP

has.jjpeet.com doesn’t have a valid certificate:

> openssl s_client -connect has.jjpeet.com:443
CONNECTED(00000005)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = catchall-server-default.s404.sureserver.com
verify return:1
---
Certificate chain
 0 s:/CN=catchall-server-default.s404.sureserver.com
   i:/C=US/O=Let's Encrypt/CN=R3
 1 s:/C=US/O=Let's Encrypt/CN=R3
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
 2 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---

It’s responding with a certificate for a hostname that doesn’t match the requested one, hence the failure.

Are you giving a URL to the notification call? What does the notify call look like? It’s possible the app is using a different hostname via the URL settings.

Sorry it’s hass.jjpeet.com
JP

Looks like that domain is missing the intermediate certificates in the response. You’ll want to include both your certificate and the RapidSSL intermediate. If you added the intermediate to your trust store on the iPhone, that’ll explain why it works there since the Watch won’t inherit it.

Righto thanks for that, I’ll have a dig around.
I’m using the Nginx reverse proxy add on, so will look there too and try and figure out what’s going on.
Thx
JP

Thanks for your help - I had to cat the intermediate cert into the main cert. Haven’t had to do that one before…
Sorted,
JP

The way SSL/TLS (or certs in general) works is that the chain up to the (trusted) root cert cannot be broken. So, your options usually are: fix the chain (which is what you did) or install the cert on the client device (what Zac was asking about; typically done in the case of self-signed certs).
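An added example (not from the thread, and not Home Assistant or nginx code): it builds a throwaway root / intermediate / leaf chain with openssl and then checks, as a client that trusts only the root (the Watch's situation), what happens when the server file holds just the leaf, when it holds leaf plus intermediate (the `cat` fix above), and when the hostname does not match (the first diagnosis in the thread). Every name in it (Example Root CA, hass.example.test) is made up.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce a broken chain, a hostname
# mismatch and the "cat the intermediate into the cert" fix with a throwaway
# PKI. All names here are made up.
set -eu
WORK=$(mktemp -d)
KEYOPTS="-newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes"

# Throwaway root CA. A client whose trust store holds only root.crt plays the
# role of the Watch, which has no intermediate installed.
openssl req $KEYOPTS -keyout "$WORK/root.key" -out "$WORK/root.csr" \
  -subj "/CN=Example Root CA" 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" \
  -out "$WORK/root.crt" -days 30 -extfile "$WORK/ca.ext" 2>/dev/null

# Intermediate CA signed by the root (the vendor intermediate of the thread).
openssl req $KEYOPTS -keyout "$WORK/int.key" -out "$WORK/int.csr" \
  -subj "/CN=Example Intermediate CA" 2>/dev/null
openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
  -CAcreateserial -out "$WORK/int.crt" -days 30 -extfile "$WORK/ca.ext" 2>/dev/null

# Server (leaf) cert for hass.example.test, signed by the intermediate only.
openssl req $KEYOPTS -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" \
  -subj "/CN=hass.example.test" 2>/dev/null
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:hass.example.test\n' > "$WORK/leaf.ext"
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.crt" -CAkey "$WORK/int.key" \
  -CAcreateserial -out "$WORK/leaf.crt" -days 30 -extfile "$WORK/leaf.ext" 2>/dev/null

# The fix from the thread: one PEM file with the leaf first, intermediate after.
cat "$WORK/leaf.crt" "$WORK/int.crt" > "$WORK/fullchain.crt"

# served_chain_ok FILE HOST: would a client trusting only the root accept the
# certificate file a server sends, for a connection to HOST? The file doubles
# as the "untrusted" pool, which is how a TLS client treats the extra certs a
# server presents; the first cert in it is the leaf being verified.
served_chain_ok() {
  if openssl verify -CAfile "$WORK/root.crt" -untrusted "$1" \
       -verify_hostname "$2" "$1" >/dev/null 2>&1; then
    return 0
  fi
  return 1
}

# cert_count FILE: number of PEM certificates in FILE. A server cert file
# with a single entry, where the issuer is not a root, is the classic
# "missing intermediate" that a desktop browser hides by fetching it itself.
cert_count() {
  grep -c 'BEGIN CERTIFICATE' "$1"
}

report() {
  if served_chain_ok "$1" "$2"; then echo "$3: OK"; else echo "$3: FAIL"; fi
}
report "$WORK/leaf.crt"      hass.example.test  "leaf only ($(cert_count "$WORK/leaf.crt") cert)"
report "$WORK/fullchain.crt" hass.example.test  "leaf+intermediate ($(cert_count "$WORK/fullchain.crt") certs)"
report "$WORK/fullchain.crt" other.example.test "leaf+intermediate, wrong hostname"
```

Against a live server the equivalent check is `openssl s_client -connect host:443 -showcerts`, which prints every certificate the server actually sent; if only one appears and its issuer is an intermediate rather than a root, the chain file behind nginx's `ssl_certificate` needs the intermediate appended after the server certificate, exactly as done in this thread.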