
Install link is displaying a certificate error when trying to install IPA bundle

Open bwomsm1 opened this issue 1 year ago • 5 comments

I was running Docker as follows:

docker run \
  -p 8000:8000 \
  -e APP_BASE_URL='http://192.168.98.106:8000' \
  -e UPLOADS_SECRET_AUTH_TOKEN="secret" \
  -v ./uploads:/uploads \
  ghcr.io/significa/app-distribution-server

And created the QR code URL as follows:

curl -X "POST" \
  "http://192.168.98.106:8000/upload" \
  -H "Accept: application/json" \
  -H "X-Auth-Token: secret" \
  -H "Content-Type: multipart/form-data" \
  -F "[email protected]"

When I tried to install the app I was getting this issue: IMG_0004

bwomsm1 avatar Oct 01 '24 08:10 bwomsm1

I can confirm that I am able to install the same ipa with other CLI utils

bwomsm1 avatar Oct 01 '24 08:10 bwomsm1

@tofran can you please assist with this issue? thanks!

bwomsm1 avatar Oct 07 '24 06:10 bwomsm1

Humm I see. Thank you for the feedback.

In my testing I was successful using a local IP with plain HTTP.

Are you able to share the page URL and the link content? Right click the install button and copy the URL? Are you scanning the QR or clicking install on the device? Otherwise the QR content might also be useful.

If indeed all is correct it probably means that there might be a new restriction where the server must be behind an HTTPS certificate. If that's the case I can update the blog post. For it to work on your side you must deploy it behind a TLS certificate (either on your server or on any cloud provider).

tofran avatar Oct 09 '24 18:10 tofran

Thanks for the response @tofran, I must say that I am not able to share the QR code page URL. Tell me what data you need from the server? I can switch to another branch if you want to create some debug branch.

bwomsm1 avatar Oct 10 '24 05:10 bwomsm1

@tofran something else we can do here? Thanks!

bwomsm1 avatar Oct 11 '24 13:10 bwomsm1

Raising back this issue, is there anything we can do with the certification error?

bwomsm1 avatar Nov 26 '24 10:11 bwomsm1

@tofran any news on this? having the same issue. QR code and the install button makes a link "itms-services://?action=download-manifest&url=https://192.168.1.11:8000/get/guid/app.plist", but the server is running http

Sega-Zero avatar Dec 03 '24 12:12 Sega-Zero

ok, I managed to run the server via https, but still no luck with local certificate trust. Tried to generate them with mkcerts as recommended in uvicorn documentation. Looks like itms-services:// does not respect iOS trust settings and needs only valid certificates?

Sega-Zero avatar Dec 03 '24 20:12 Sega-Zero

did some research. looks like itms-services:// link now wants only valid ssl certificate for a specified global domain. mkcerts certificate is not working. so, yeah, with my patch + global domain + ssl works fine. uvicorn wants a certificate and a key in pem format

Sega-Zero avatar Dec 10 '24 15:12 Sega-Zero
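
A preflight check for the install link discussed above, added here as an example; it is not code from app-distribution-server or from any commenter. It takes the conditions reported in this thread as assumptions (an https manifest URL, a domain name rather than an IP, and a certificate that validates against the system trust store), and the function names are hypothetical.

```python
import ipaddress
import socket
import ssl
from typing import List, Optional
from urllib.parse import parse_qs, urlsplit


def manifest_url(install_link: str) -> str:
    """Extract the manifest URL from an itms-services:// install link."""
    parts = urlsplit(install_link)
    query = parse_qs(parts.query)
    if parts.scheme != "itms-services" or query.get("action") != ["download-manifest"]:
        raise ValueError("not an itms-services download-manifest link")
    if "url" not in query:
        raise ValueError("link carries no manifest url parameter")
    return query["url"][0]


def static_findings(install_link: str) -> List[str]:
    """Offline checks on the manifest URL's scheme and host."""
    url = urlsplit(manifest_url(install_link))
    findings = []
    if url.scheme != "https":
        findings.append("manifest URL is not https")
    try:
        ipaddress.ip_address(url.hostname or "")
        findings.append("host is an IP literal, not a domain name")
    except ValueError:
        pass  # not an IP literal, so it is treated as a domain name
    return findings


def tls_finding(host: str, port: int = 443, timeout: float = 5.0) -> Optional[str]:
    """Online check: handshake verified against the system trust store."""
    ctx = ssl.create_default_context()  # checks chain and hostname
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return None
    except ssl.SSLCertVerificationError as exc:
        return f"certificate not trusted: {exc.verify_message}"
    except OSError as exc:
        return f"connection failed: {exc}"


if __name__ == "__main__":
    # Link quoted in the thread above.
    link = "itms-services://?action=download-manifest&url=https://192.168.1.11:8000/get/guid/app.plist"
    print(static_findings(link))
```

Run `tls_finding` from a machine whose trust store has no locally installed development root, since a locally trusted certificate may pass there while the device still rejects it.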

@bwomsm1 @Sega-Zero sorry for the long wait.

If the iOS device is requiring a valid certificate the solution is actually deploying the server with a valid certificate on your end.

There's nothing that we can fix on the app-distribution-server side.

It is cumbersome for local development, but for most use cases it should not be a problem. You can always put it behind development tunnels like ngrok if you don't have an actual deployment.

Is there anything that this app is lacking or making it hard for you to deploy with a valid certificate?

tofran avatar Dec 16 '24 17:12 tofran

an option for running with ssl certificate/key would be nice. I made a fork, but I'm not sure I did everything correctly.

Sega-Zero avatar Dec 16 '24 17:12 Sega-Zero

@Sega-Zero if you want to override the Docker CMD to use --ssl-keyfile and --ssl-certfile options for uvicorn you should do this within your container runtime. Ex: docker command argument, kubernetes command option, etc, etc. This way the app-distribution-server does not need to be configurable for all the 1001 ways of setting up TLS.

For example, I usually do this outside the application level, with a load balancer / cloud provider infrastructure on top of the application, and not directly on it.

tofran avatar Dec 16 '24 18:12 tofran