in-app mobile safari silently fails when getting an invalid https certificate
Posted on: December 15, 2011
This marathon push is finally over — took me nearly three days. The most exasperating part? Mobile Safari silently fails, without a trace, when getting an invalid SSL certificate. Well, not when you open the browser on the phone. But when your app is making an ajax call. In the browser, it actually prompts you about the invalid/expired certificate and you have a choice to say continue and it will remember the choice for all subsequent calls. Not happening for the app.
Since we haven’t touched the mobile code for half a year and meanwhile the shared codebase and the production environment (apache configs etc) have changed so much, it took me a while to feel oriented and a whole other while to pinpoint the problem to the https certificate. In the end, the ajax call never reaches the server because the server is handing out a certificate the app (mobile browser) does not like.
Why did it work before? So back in the summer, the site was running http but only requiring https for signing in/up. But over time, we moved the entire site under https for security concerns (mostly for making our lives easier, not needing to do lots of gimmicks for security holes that are potentially lethal but may never come). The mobile site is hosted on the same server as the web. One physical server apparently can only have one SSL host, so when we pushed this time, with an existing SSL host, the calls to the other host with https are giving out an invalid certificate (I suppose; this is speculation since I don’t know the exact reason why an ajax call would not reach the server and would not return, basically just do nothing).
I mean, Mobile Safari (in an iPhone app), can't you say something when you get a certificate you don’t like???
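
One way to make a dropped in-app ajax call visible, as an added example that is not code from the original post: every request is forced to end in exactly one reported outcome, with a watchdog timer for the case where no callback fires at all. The name `watchedRequest`, its option names, the 10-second default, the `example.test` URL and the `FailingXhr` stub are all assumptions made for illustration.

```javascript
// Added example. watchedRequest and its options are hypothetical names.
// Every request ends in exactly one reported outcome, so a call that the
// platform drops (for example after rejecting the certificate) is visible.
function watchedRequest(url, done, opts) {
  opts = opts || {};
  var Xhr = opts.XHR || XMLHttpRequest;      // injectable so it can be tested
  var timeoutMs = opts.timeoutMs || 10000;   // assumed default
  var xhr = new Xhr();
  var finished = false;

  function finish(outcome) {
    if (finished) return;                    // report only the first outcome
    finished = true;
    clearTimeout(timer);
    done({ outcome: outcome, status: xhr.status || 0, url: url });
  }

  // Watchdog: covers the case where no callback ever fires.
  var timer = setTimeout(function () {
    finish('timeout');
    if (xhr.abort) xhr.abort();
  }, timeoutMs);

  xhr.onload = function () {
    finish(xhr.status >= 200 && xhr.status < 300 ? 'ok' : 'http-error');
  };
  // An error event with status 0 means the request never completed at the
  // HTTP layer (DNS, connection, or TLS/certificate failure).
  xhr.onerror = function () { finish('no-response'); };
  xhr.onabort = function () { finish('aborted'); };

  xhr.open('GET', url, true);
  xhr.send();
  return xhr;
}

// Constructed stand-in for a transport that fails before any HTTP response.
function FailingXhr() { this.status = 0; }
FailingXhr.prototype.open = function () {};
FailingXhr.prototype.send = function () { this.onerror(); };

// Constructed usage: logs "no-response 0" instead of failing silently.
watchedRequest('https://m.example.test/api', function (r) {
  console.log(r.outcome, r.status);
}, { XHR: FailingXhr });
```

Logging the `no-response` and `timeout` outcomes from the app gives the first clue that the request died before reaching the server, which is where checking the certificate served for that hostname comes in.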