How to Fix ‘Certificate is not valid’ Error for Enterprise Apps on iOS 7.1

By Anton Demenev on March 19, 2014

Apple's recent update to iOS 7.1 brought down our local distribution channels hosted on iphone.example.com. Every installation attempt failed with the ‘Cannot install applications because the certificate is not valid’ error. Here's how we solved the problem.

What happened

The 7.1 update forced all software installation services to use the HTTPS protocol, also covering non-standard itms-services:// URLs.

How to fix

Changing the protocol type will do the trick:

itms-services://?action=download-manifest&url=http://yourdomain.com/manifest.plist
-->
itms-services://?action=download-manifest&url=https://yourdomain.com/manifest.plist

To solve the problem, we used a Class 1 StartSSL certificate. Below you’ll find the Apache config that adds certificate support and a code snippet for changing links in existing *.plist files automatically.

Apache config

  • example.com.ssl.decrypt.key – the decrypted private key
  • iphone.example.com.ssl.crt  – your subdomain certificate
  • sub.class1.server.ca.pem – the certificate chain

Since the old services were served over HTTP only, you need to enable name-based virtual hosts on port 443 in Apache.

Add the following line to the httpd.conf file:

NameVirtualHost *:443

Now duplicate the VirtualHost config and set up a redirect from HTTP to HTTPS. Clone the file and add this line to the first copy:

Redirect permanent / https://iphone.example.com/

Add the following certificate directives to the second config file (change the VirtualHost port and instance name, if needed):

<VirtualHost *:443>
  ServerName iphone.example.com

  SSLEngine on
  # "all -SSLv2" only disables SSLv2; depending on the OpenSSL build, SSLv3 may stay enabled.
  SSLProtocol all -SSLv2
  # This cipher string keeps RC4 and other legacy suites enabled.
  SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM

  # Subdomain certificate, decrypted private key and certificate chain (see the list above).
  SSLCertificateFile /etc/apache2/ssl/iphone.example.com.ssl.crt
  SSLCertificateKeyFile /etc/apache2/ssl/example.com.ssl.decrypt.key
  SSLCertificateChainFile /etc/apache2/ssl/sub.class1.server.ca.pem
….
</VirtualHost>

Make sure that the VirtualHost files have ServerName parameters.

Save the files and restart Apache. On CentOS:

# service apache2 restart

Now you can edit the old *.plist files. This step works only if your *.plist files are in XML format.

In a terminal, run:

$ cd <your server root>
$ find ./ -name \*.plist -type f -print0 | xargs -0 perl -pi -e 's/http:/https:/'

This command changes URLs in all *.plist files under the current directory, including its subdirectories.
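The one-liner above rewrites the first http: on every line, including the DTD URL in the DOCTYPE, and cannot handle binary plists. As an added example (not part of the original post), the sketch below does the same migration with Python's plistlib, for XML and binary files, touching only string values that are http:// URLs on hosts you list as serving HTTPS. The function names, the host set and the sample manifest are assumptions made for illustration.

```python
import plistlib
from pathlib import Path
from urllib.parse import urlsplit

def upgrade_urls(node, hosts):
    """Rewrite http:// string values on `hosts` to https://, in place; return the count."""
    changed = 0
    pairs = node.items() if isinstance(node, dict) else enumerate(node)
    for key, value in list(pairs):
        if isinstance(value, (dict, list)):
            changed += upgrade_urls(value, hosts)
        elif isinstance(value, str) and value.startswith("http://"):
            # Only upgrade hosts known to serve HTTPS; leave third-party URLs alone.
            if urlsplit(value).hostname in hosts:
                node[key] = "https://" + value[len("http://"):]
                changed += 1
    return changed

def upgrade_manifest(data, hosts):
    """Return (new_bytes, changed) for one plist, preserving XML or binary format."""
    fmt = plistlib.FMT_BINARY if data.startswith(b"bplist00") else plistlib.FMT_XML
    manifest = plistlib.loads(data)
    changed = upgrade_urls(manifest, hosts)
    return (plistlib.dumps(manifest, fmt=fmt), changed) if changed else (data, 0)

def migrate_tree(root, hosts):
    """Rewrite every *.plist under `root`; return {path: number of URLs changed}."""
    report = {}
    for path in Path(root).rglob("*.plist"):
        new_data, changed = upgrade_manifest(path.read_bytes(), hosts)
        if changed:
            path.write_bytes(new_data)
            report[str(path)] = changed
    return report

# Constructed sample manifest (not from the original page).
SAMPLE = {"items": [{
    "assets": [
        {"kind": "software-package", "url": "http://iphone.example.com/app/App.ipa"},
        {"kind": "display-image", "url": "http://cdn.example.net/icon.png"},
    ],
    "metadata": {"bundle-identifier": "com.example.app", "kind": "software", "title": "App"},
}]}

if __name__ == "__main__":
    for fmt in (plistlib.FMT_XML, plistlib.FMT_BINARY):
        out, n = upgrade_manifest(plistlib.dumps(SAMPLE, fmt=fmt), {"iphone.example.com"})
        print(n, plistlib.loads(out)["items"][0]["assets"][0]["url"])
```

Files without matching URLs are left byte-for-byte unchanged, so the script can be re-run safely; URLs on hosts outside the set stay on http:// and should be reviewed by hand.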

Note. If you’ve got SVN services hosted on this server, a Mac OS SVN client might stop working with an ‘SSL handshake error’. To fix this, add the following SSL directives to the SVN VirtualHost.

SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM
Content created by Anton Demenev