SYMPTOM:
When configuring a mobile device (iPad, iPhone, or Android) in a new environment by tapping a mobile configuration link on the device itself, all users get the error below:
"The certificate for this server is invalid. You might be connecting to a server that is pretending to be https://YourWebsite.com which could put your confidential information at risk."
However, the same users can log into Strategy Web using a URL identical to the https://YourWebsite.com URL shown in the error message. Connecting to Strategy Web from the mobile device itself, through the device's web browser, also works. The problem occurs only when a mobile configuration link is opened on the device.
Also note that the web server is configured for HTTPS with an SSL certificate, and YourWebsite.com corresponds to the lowest-level certificate, the "issued certificate" (also called the end-entity or leaf certificate) obtained from a certificate issuer. Thawte and Go Daddy are examples of common certificate issuers.
CAUSE:
The mobile application cannot validate the issued certificate because the server does not present everything the app needs to link that certificate to a trusted root.
Since no certificate error or warning appears when connecting to the Strategy Web URL, the issued certificate itself is most likely fine. The key to this issue is understanding how certificate chains work. A certificate chain is a hierarchy of certificates used to establish a chain of trust. Most certificate providers use the following three-level structure:
Highest level: Root certificate
Intermediate level: Intermediate certificate
Lowest level: Issued certificate
When an application connects to the host name named in the issued certificate, it must link that certificate to the intermediate certificate that signed it, and the intermediate to a root certificate it already trusts. Only when every link is verified is the chain of trust complete and the site trusted. If the application cannot traverse the whole chain, a web browser usually shows a warning, while an application such as Strategy Mobile simply refuses the untrusted connection.
In the scenario described above, users can connect to Strategy Web but not to Strategy Mobile. This means the full chain of trust is being established through the browser but not through the mobile app. The difference lies in what each client brings to the validation. Desktop browsers and operating systems ship a trust store of root certificates for the common certificate providers, and they also accumulate intermediate certificates from earlier sessions or retrieve a missing one from the issuer, so a server that sends only the issued certificate often still validates in a browser. For the Strategy Web connection to work, therefore, the higher-level certificates do not need to be installed on the web/mobile servers or on any intermediary in front of them, such as an F5 load balancer (the issued certificate does).
When connecting from the Strategy Mobile app, there is no browser in the picture. The app validates the connection strictly from what the server presents plus the root certificates on the device; there is no cache of previously seen intermediates to fall back on. If only the issued certificate is installed on the web server, the intermediate is missing, the chain cannot be built, and the error above is thrown when configuring the mobile app from a mobile configuration link.
ACTION:
Install the intermediate certificate (and, if the provider supplies more than one, every intermediate in the chain) together with the issued certificate at the SSL offload point of the implementation, for example the F5 load balancer or the web/mobile server itself, so that the server presents the full chain to every client. Including the root certificate in the installed bundle is harmless but not required: the client must already hold that root in its own trust store, or the chain would not be trusted anyway. Once the server presents the full chain, the mobile app can establish the chain of trust and the error above is no longer thrown.
KB409600