PRTG App on iPadOS SSL Certificate problem after Certificate replacement on PRTG Server

Votes:

0

Hello,

I used an internally issued SSL Certificate on my PRTG Server for years. Had the iPadOS App running, accepted the SSL certificate back then and all was good. Recently, the SSL Certificate on the PRTG Server was renewed/replaced (before it expired) and all is good (website works fine) but the App on my iPad complains about the new certificate being untrusted. Normally, you say "accept anyway -> yes" and then it should be good. But the error message keeps popping up every 15 seconds. It drives me crazy.

I uninstalled the app and all related data and re-installed the app from scratch. Still complains every 15 seconds. Uninstalled, power-cycled the iPad, re-installed again. Still same problem.

I tried to find the certificate in the device's certificate store, looked at its root certificate store (it holds the still valid root CA certificate from the internal certificate authority). This is all a bit cumbersome on iPadOS.

How can the iPad App and I become friends again? I need it to respect my "yes accept the new certificate" permanently, instead of forgetting about it 15 seconds later (It acts like a goldfish :-)

Kind regards, Steve

app certificate ipad ssl untrusted warning

Created on Aug 30, 2022 9:39:05 AM



6 Replies

Votes:

0

Hello Steven,

Thank you for your message.

We have received a few cases regarding certificate issues on iOS; those are mostly due to the certificate requirements required by Apple. Therefore, I invite you to have a look at them and make sure the certificate used is valid: https://support.apple.com/en-us/HT210176.

Kind regards.

Created on Sep 2, 2022 5:32:51 AM by  Florian Lesage [Paessler Support]



Votes:

0

Hello,

I am aware of those requirements and our certs meet them all. If I open the normal website on the same device, Safari is happy with the certificate. I think the problem is that the PRTG App does not (cannot?) store the new certificate in its keystore? Not sure how it works. But the certificate itself is compliant with all those requirements. I think it comes down to this: "It needs to respect my "yes accept the new certificate" permanently"

Created on Sep 2, 2022 7:33:40 AM



Votes:

0

Thank you Steven for your feedback.

In a similar case, a customer found out that the issue came from the intermediate certificate which was expiring soon (in his case the certificate was generated from Let's Encrypt via a script and the intermediate one was lets-encrypt-x3-cross-signed which expired end of September last year, instead of Let's Encrypt R3: https://letsencrypt.org/certificates/). Can you check the intermediate certificate and make sure it is valid for a while?

Besides that, here is a support article from Apple which might help to stop the confirmation message from appearing: https://support.apple.com/en-us/HT204477.

Created on Sep 5, 2022 1:26:23 PM by  Florian Lesage [Paessler Support]

Last change on Sep 5, 2022 1:31:41 PM by  Florian Lesage [Paessler Support]



Votes:

0

Hi,

There is no real intermediate CA. It's an internal, Active Directory based Enterprise root CA and its certificate is valid until sometime in 2036.

Is there a way to see what the iOS App "does not like" about the new certificate? A debug mode or log file of some sort?

No matter how I look at it, the certificate and the root CA that issued it comply with all the rules. Web browsers like Safari on macOS, iPhone or iPad all "like" the new certificate. The iOS App is the only one that has issues with it.

The old certificate was one that was valid for 5 years. Way more than those 825 days allowed nowadays. Funny thing is, before this PRTG Server received the new certificate, the old one, valid for 5 years, was happily accepted by the iOS App. I remember installing the App a long time ago on this iPad and it complained about the certificate once (probably because iPad does not contain the internal root CA's certificate), I said "yes accept" and it was happy. Never complained about a certificate once during all those years. As those 5 years were almost over, this PRTG server got a new certificate and then the problem started.

New certificates we issue here are all based on a template called "WebServer-OS13andMacOSCatalinacompatible" (the name already suggests I created it to satisfy those new rules that were implemented a couple of years ago) and have the FQDN in the Subject Alternate Name (as well as the Common Name) and are valid for 824 days (1 day less than the required 825 days).

Created on Sep 5, 2022 1:55:06 PM



Votes:

0

Update: I answered my own question «Does the App really require the root CA’s to be present in the device’s trust store?». The answer is yes. I added the root CA’s certificate via Apple Configurator and now, the App works fine.

So I have no clue why the App never complained about the old certificate. But at least it works now.

Kind regards, Steven Rodenburg

Created on Sep 6, 2022 9:46:35 AM
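
A pre-flight check for the points raised in this thread, as an added example (not code from Paessler or from the posters): `check_cert` tests the validity window, the 825-day limit and the FQDN in the SAN, and `fetch_cert` performs a handshake that trusts only the given root CA file, which fails the same way a device without that root in its trust store would. The host name `prtg.example.internal` and the sample dict are constructed; the July 1, 2019 cutoff for the 825-day limit is taken from Apple's HT210176 article linked above.

```python
import socket
import ssl
from datetime import datetime, timezone

MAX_DAYS = 825                                       # limit quoted in the thread
CUTOFF = datetime(2019, 7, 1, tzinfo=timezone.utc)   # limit applies to certs issued after this

def _ts(text):
    """Parse a getpeercert() time string such as 'Aug 25 00:00:00 2022 GMT'."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(text), tz=timezone.utc)

def _covers(pattern, host):
    """Exact match, or a '*' wildcard in the left-most label only."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    return len(p) == len(h) and p[1:] == h[1:] and p[0] in ("*", h[0])

def check_cert(cert, hostname, now=None):
    """Return findings for a dict shaped like ssl.SSLSocket.getpeercert() output."""
    now = now or datetime.now(timezone.utc)
    start, end = _ts(cert["notBefore"]), _ts(cert["notAfter"])
    findings = []
    if not start <= now <= end:
        findings.append("outside validity window")
    days = (end - start).days
    if start > CUTOFF and days > MAX_DAYS:
        findings.append(f"validity of {days} days exceeds {MAX_DAYS}")
    dns = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not dns:
        findings.append("no DNS name in subjectAltName")
    elif not any(_covers(d, hostname) for d in dns):
        findings.append(f"subjectAltName does not cover {hostname}")
    return findings

def fetch_cert(host, port=443, cafile=None):
    """Trust only `cafile` (system store if None); raises SSLCertVerificationError on an untrusted root."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed sample: an 824-day certificate with the FQDN in the SAN.
SAMPLE = {
    "notBefore": "Aug 25 00:00:00 2022 GMT",
    "notAfter": "Nov 26 00:00:00 2024 GMT",
    "subjectAltName": (("DNS", "prtg.example.internal"),),
}

if __name__ == "__main__":
    print(check_cert(SAMPLE, "prtg.example.internal", datetime(2022, 9, 6, tzinfo=timezone.utc)))
```

Calling `fetch_cert` with and without the exported root CA file as `cafile` shows whether the chain itself is the problem, independent of the certificate's other properties.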



Votes:

0

Thank you very much for sharing the information. Glad to hear that the root certificate fixed the issue!

I will therefore close the case on our side, but do not hesitate to contact us again if needed.

Have a nice day.

Created on Sep 6, 2022 11:29:07 AM by  Florian Lesage [Paessler Support]



