I'm having trouble providing a passbook pass in my app. When the user taps the "add to passbook" button the app connects to the server, downloads the dynamically created .pkpass file and tries to show it. On iOS6 everything works fine, no errors, the pass displays as expected. But when I try it on iOS7 I get the following errors:
Invalid data error reading pass pass.com.domain.discount/2500000.
The passTypeIdentifier or teamIdentifier provided may not match your certificate, or the certificate trust chain could not be verified.
Error adding pass The pass cannot be read because it isn’t valid.
The webservice link is with https://, the URL returns a valid .pkpass file and the content-type is application/vnd.apple.pkpass. I also updated and checked all info (team identifier, passTypeIdentifier) certificates (also WWDR) as the error suggests, but nothing changes. It's just strange that it works on iOS6 but not on iOS7.
Any help would be greatly appreciated!
Your pass is failing to ingest on both iOS6 and iOS7 devices.
iOS7 Logs
Oct 21 12:11:23 passd[11897] <Warning>: Verifying structure and signature for pass pass.com.puma.trac.discount/2500000
Oct 21 12:11:23 passd[11897] <Warning>: Error evaluating trust: [leaf CheckLeafMarkerOid]
Oct 21 12:11:23 passd[11897] <Warning>: Signature validation: *** FAILED ***
Oct 21 12:11:23 passd[11897] <Warning>: Invalid data error reading pass pass.com.puma.trac.discount/2500000. The passTypeIdentifier or teamIdentifier provided may not match your certificate, or the certificate trust chain could not be verified.
iOS6 Logs
Oct 21 12:43:25 #pfr passd[185] <Error>: Oct 21 12:43:25 SecTrustEvaluate [leaf CheckLeafMarkerOid]
Oct 21 12:43:25 #pfr passd[185] <Warning>: Invalid data error reading pass pass.com.puma.trac.discount/2500000. The passTypeIdentifier or teamIdentifier provided may not match your certificate, or the certificate trust chain could not be verified.
Looking at your signature, as much as I can tell without your certificate, it appears that a WWDC certificate is included and that the team ID of the certificate used to sign equals the team ID in the pass.json.
I can see a couple of minor discrepancies between the WWDC certificate in a known good pass and yours so I would start by replacing your WWDC certificate with the latest from the Apple Website.
Also check your server time and the signing date and time and also that your Apple Developer subscription is still valid.
If you are using a third party library to sign the pass, check that it has been properly updated to meet both the signing date and WWDC certificate inclusion requirements - a number of public libraries have not been updated since these requirements became mandatory.
Related
I'm creating a VS Code extension with a webview that contains a React application. In the React code, I'm making a GET request to a REST API, but it keeps failing due to the following error:
Failed to load resource: net::ERR_CERT_AUTHORITY_INVALID
Any ideas on why this may be happening or a workaround? Maybe this is a restriction of webviews?
If I make the call in the extension code, it works fine.
I upgraded my browser to the latest version and it worked for me.
See the link below to learn how to update your browser version.
https://www.computerhope.com/issues/ch001388.htm
Assuming that you get this error about the certificate of the remote side (the one serving the REST API), you get this error because of one of the following:
the authority that signed the certificate is not recognized on the client side (i.e., the authority is not installed on your PC)
the certificate has expired
your PC has a wrong date
You can correct the above, or as a workaround you can (depending on your tools) explicitly ignore the untrusted remote certificate. But this workaround should remain for test purposes only, as it is a security breach.
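The three causes listed in the answer above can be reproduced offline with `openssl verify`. This is an added example, not part of the original answer: the CA, host name and file names are constructed lab values, and `make_lab` and `diagnose` are hypothetical helper names.

```shell
#!/bin/sh
# Added example. All keys, certificates and names are throwaway lab values.
set -e

# Create a test CA and a 30-day server certificate signed by it in directory $1.
make_lab() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=Example Test CA" \
    -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=api.example.test" \
    -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$1/leaf.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
    -CAcreateserial -days 30 -out "$1/leaf.pem" 2>/dev/null
  # An unrelated CA: stands in for a client trust store that lacks the real issuer.
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=Unrelated CA" \
    -keyout "$1/other.key" -out "$1/other.pem" 2>/dev/null
}

# diagnose TRUST_PEM CERT_PEM [EPOCH]: verify CERT against TRUST as of EPOCH
# (default: now) and print which failure cause, if any, applies.
diagnose() {
  out=$(openssl verify ${3:+-attime "$3"} -CAfile "$1" "$2" 2>&1) || true
  case $out in
    *"certificate has expired"*)     echo expired ;;
    *"not yet valid"*)               echo not-yet-valid ;;
    *"unable to get local issuer"*)  echo unknown-authority ;;
    *"self signed"*|*"self-signed"*) echo unknown-authority ;;
    *": OK"*)                        echo ok ;;
    *)                               echo other ;;
  esac
}

lab=$(mktemp -d)
make_lab "$lab"
now=$(date +%s)
echo "issuer trusted, clock right:    $(diagnose "$lab/ca.pem" "$lab/leaf.pem")"
echo "issuer missing from the client: $(diagnose "$lab/other.pem" "$lab/leaf.pem")"
echo "60 days later (cert lapsed):    $(diagnose "$lab/ca.pem" "$lab/leaf.pem" $((now + 60 * 86400)))"
echo "client clock one day behind:    $(diagnose "$lab/ca.pem" "$lab/leaf.pem" $((now - 86400)))"
```

A client whose clock runs ahead of the certificate's end date sees the same `expired` result as a genuinely lapsed certificate, so check the client's date before asking for a reissue.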
I am working on an Angular project on a SharePoint 2013 site. When using the console window in IE 11, I see 75 warnings like this:
SEC7132: The certificate protecting this web site uses weak cryptography,
SHA1. The web site should replace this certificate with a SHA2 certificate
before SHA1 is no longer allowed.
Now, please accept the premise that I have no control over my admins and I cannot force them to fix the certificate. I can't make the SOURCE of this warning go away.
I know I can disable showing all warnings. But I can't assume that my code will only generate errors, I will still have some warnings I want to see. How can I suppress a specific warning in the console?
You cannot. It has nothing to do with your code. It is Internet Explorer telling you on each request that the web server certificate used for the SharePoint zone you are hitting (IIS website) is using an obsolete and insecure algorithm. So the best thing you can do is make your admins aware they have some work to do :)
https://technet.microsoft.com/en-us/library/security/4010323.aspx
I just downloaded the latest version of Xcode (9.0 beta (9M136h)).
However, when I try to make a request to my server in iOS 11 simulator (Using NSURLConnection sendAsynchronousRequest), an error is received:
NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9807)
NSURLConnection finished with error - code -1202
NSError object contains the message - #"NSLocalizedDescription" : #"The certificate for this server is invalid. You might be connecting to a server that is pretending to be “***” which could put your confidential information at risk."
The plist contains:
<key>NSAppTransportSecurity</key>
<dict>
<key>NSAllowsArbitraryLoads</key>
<true/>
</dict>
so it is not the problem in this case (I guess)
Needless to say that it is working in iOS 10/9/8
Any suggestions?
Thanks in advance!
You need to allow your application to run HTTP (no S) connections. By default, Apple only allows HTTPS:
go to your info.plist
then press the plus icon on any of them
Search for "App Transport Security Settings"
click the little arrow to the left and find "Allow arbitrary loads", by default it is set to "NO" change it to "YES"
For all of you who get this error in iOS 11, please make sure you're working against valid (secured) certificate in your server.
In our case, the certificate wasn't strict enough.
Once our server guy integrated a new valid certificate, the problem was gone.
One way to check if the certificate is secured is to paste the problematic link in the browser.
As a result, you might see that the connection is not secured:
Since you've got an invalid certificate error, I'll make the following suggestion based on my personal security practice.
If you're still in your servicing terms with your CA, ask them to issue a new valid certificate for you.
Check your Keychain setting and make sure no CA cert is missing.
Alternatively, you can issue your own self-signed certificate for testing purposes, and add it to your local Keychain as trust anchor. A search for "how to create self-signed x509 certificate" will return something you might find useful.
I am trying to understand the specific connection and error states of the Azure IoT C SDK.
I can register with IoTHubClient_SetConnectionStatusCallback for the callback in order to receive the IOTHUB_CLIENT_CONNECTION_STATUS and the IOTHUB_CLIENT_CONNECTION_STATUS_REASON.
The value for the first one are IOTHUB_CLIENT_CONNECTION_AUTHENTICATED and IOTHUB_CLIENT_CONNECTION_UNAUTHENTICATED, which I assume simply means "connected" and "not connected". The reason is more interesting however:
IOTHUB_CLIENT_CONNECTION_EXPIRED_SAS_TOKEN
IOTHUB_CLIENT_CONNECTION_DEVICE_DISABLED
IOTHUB_CLIENT_CONNECTION_BAD_CREDENTIAL
IOTHUB_CLIENT_CONNECTION_RETRY_EXPIRED
IOTHUB_CLIENT_CONNECTION_NO_NETWORK
IOTHUB_CLIENT_CONNECTION_COMMUNICATION_ERROR
IOTHUB_CLIENT_CONNECTION_OK
So my first question is: What are the semantics for the respective reasons? When do they occur? What does the communication error entail? The error is so generic it could simply mean "any error we didn't want to specify explicitly".
My second question goes beyond that. I am trying to use X.509 certificates. However, due to certain requirements I may have certificates that are no longer valid or deleted device ids. Can I somehow distinguish those cases by using the available reasons? When I tried to connect with a non-existing Id I simply got IOTHUB_CLIENT_CONNECTION_COMMUNICATION_ERROR. From my point of view, I no longer need to try to connect to the IoT Hub, since my device doesn't exist. But a communication error may be anything at all. The same issue appeared when I tried to connect with an invalid certificate or private key.
Every time I try I simply get the errors:
Error: Time:Thu May 25 12:04:00 2017 File:~/azure-iot-sdk-c/iothub_client/src/iothubtransport_amqp_messenger.c Func:process_state_changes Line:1563 messagesender reported unexpected state 4 while messenger is starting
Error: Time:Thu May 25 12:04:00 2017 File:~/azure-iot-sdk-c/iothub_client/src/iothubtransport_amqp_device.c Func:device_do_work Line:848 Device 'MyDevice' messenger failed to be started (messenger got into error state)
From that information I cannot determine when to connect or reconnect.
Thanks for your questions.
The reasons you listed above are triggered by the following conditions:
IOTHUB_CLIENT_CONNECTION_EXPIRED_SAS_TOKEN
The SAS token (provided by the user) expired, and no longer can be used to authenticate a device against the Azure IoT Hub. Solution: provide a new valid SAS token.
IOTHUB_CLIENT_CONNECTION_DEVICE_DISABLED
Device could not be authenticated because it is disabled by the user on the Azure IoT Hub (see field State in Device Explorer)
IOTHUB_CLIENT_CONNECTION_BAD_CREDENTIAL
Device key provided by the user was considered invalid based on response from Azure IoT Hub upon attempt to authenticate
IOTHUB_CLIENT_CONNECTION_RETRY_EXPIRED
The Azure IoT Hub Client has a feature called RetryPolicy (which can be set using IotHubClient_SetRetryPolicy). It has a property that limits the maximum time the client can attempt to reconnect when failures occur. If that maximum time is reached, the Connection Status is invoked with status UNAUTHENTICATED and reason RETRY_EXPIRED.
IOTHUB_CLIENT_CONNECTION_NO_NETWORK
IOTHUB_CLIENT_CONNECTION_COMMUNICATION_ERROR
If retry policy is disabled, these error reasons might be provided to indicate there is a network connection issue.
IOTHUB_CLIENT_CONNECTION_OK
Provided with status AUTHENTICATED.
Our GAE app has been serving from a custom domain for a year, using a GoDaddy SSL certificate that we uploaded a year ago. A few days ago they sent me an email saying we needed to renew it, so I did, and then I received an email on how to download it. They offered various server type choices, and since none were GAE, I chose "Other".
Next I tried to follow the instructions at https://cloud.google.com/appengine/docs/python/console/using-custom-domains-and-ssl#obtaining_a_certificate, the section "Obtaining a Certificate". (I started with https://www.digicert.com/ssl-certificate-installation-google-app-engine.htm, but that seemed useless to me because I have a Mac, not a PC).
The instructions under "Obtaining a Certificate" don't explicitly describe renewal. I was pretty sure I shouldn't create a new CSR, since I have to assume the renewal cert used my old CSR given that GoDaddy didn't ask for a new CSR. But I had saved the files from a year ago when I obtained the original cert.
So jumping to step 5, I proceeded as follows:
I unzipped the renewal certificate ZIP file I had obtained from GoDaddy.
I had already done step 6 a year ago and still had that file, so I skipped step 6.
I concatenated the CRT files from the renewal cert that had been inside the ZIP file.
I went to the "SSL" link in step 7. On that page:
I used the "Upload a new certificate" link, sending the two required files.
I tried pointing my browser to the domain, and it returned a warning page that that page was unsafe because the certificate was out of date.
So I deleted the old certificate.
Again I tried going to my domain, and now I'm getting a page that says "This webpage is not available." Presumably all the users of my app are getting that as well. :0(
I also used the "To verify that the private key and certificate match..." steps under "Obtaining a Certificate" and the two hex values matched.
I've tried a variety of online searches without finding anything that addresses my issue. I'm sorry if it's out there, but I couldn't find it. Anyone know how I can get my app serving again?
The solution was given in step 6 of a different section on the same page of my first link. After I had done everything else I described above, I still needed to do the following:
Click the name of the new certificate, which takes you to a new page.
Click the name of the domain.
Click Save.
None of this info appears on the SSL page, and the name you assigned to the uploaded certificate doesn't look like a link, but it is.
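The key-and-certificate match check mentioned in the question, extended into a pre-upload check for a renewal. This is an added example, not from the original post or from Google's documentation: it compares SHA-256 digests of the public keys (which also works for non-RSA keys) and checks the remaining lifetime of the first certificate in the concatenated file. File names, subjects and function names are assumptions, and the certificates are generated locally as test data.

```shell
#!/bin/sh
# Added example. Keys and certificates below are constructed test data.
set -e

# SHA-256 of the public key inside a certificate. For a concatenated PEM file,
# openssl x509 reads only the first certificate, which must be the server's own.
cert_pub_digest() {
  openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER |
    openssl dgst -sha256 | awk '{print $NF}'
}

# SHA-256 of the public key derived from a private key file.
key_pub_digest() {
  openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# check_upload KEY BUNDLE [MIN_SECONDS_LEFT]
# Prints key-mismatch, expiring or ok for the key and concatenated certificate file.
check_upload() {
  if [ "$(key_pub_digest "$1")" != "$(cert_pub_digest "$2")" ]; then
    echo key-mismatch
  elif ! openssl x509 -in "$2" -noout -checkend "${3:-0}" >/dev/null; then
    echo expiring
  else
    echo ok
  fi
}

dir=$(mktemp -d)
# Stand-ins for the site certificate and for a second certificate in the bundle.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=www.example.test" \
  -keyout "$dir/site.key" -out "$dir/site.crt" 2>/dev/null
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Stand-in intermediate" \
  -keyout "$dir/other.key" -out "$dir/other.crt" 2>/dev/null
cat "$dir/site.crt" "$dir/other.crt" > "$dir/bundle.crt"

echo "matching key:            $(check_upload "$dir/site.key" "$dir/bundle.crt")"
echo "wrong key:               $(check_upload "$dir/other.key" "$dir/bundle.crt")"
echo "needs 90 days remaining: $(check_upload "$dir/site.key" "$dir/bundle.crt" $((90 * 86400)))"
```

Running the lifetime check against the file that is about to be uploaded catches the case where the old, soon-to-expire certificate is picked up instead of the renewed one.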