Jabber in iPhone 11 pro getting Certificate error

Rocky8971 — Thu, 26 Mar 2020 11:31:01 GMT

When our clients are logged in to Jabber there are 2 pop-ups for certificate warning when he accepts all the certificate pop-ups again error gets pop-up(Repeatedly for every 2 min).
How is it possible to disable this warning? Can anyone help me? Is it still a bug or am I doing something wrong?
The only certificate alerts I see are for when the Client connects internally.
CUCM Version:- 11.5.1
Using a Self-signed certificate.
The Screenshot attached shows errors from what looks like the TFTP Server.
The Client is also connected to WiFi, looks like they may be able to reach the internal network.
Configurations in Android and CUCM are the same in both situations. Nothing is changed.
Please find in attachment the error message.

2020-03-24 16:44:24,277 INFO [0x000000010718d840] [i/ui/cert/YLCInvalidCertAlertView.m(118)] [UI.Action.User] [-[YLCInvalidCertAlertView initWithDerCertificate:referenceID:certName:response:allowUserAccept:persistAcceptedDecision:]_block_invoke] - user accpet the Certificate Alert for NILcucmsub2.nilesuq.com,and persistAcceptedDecision value is 1

2020-03-24 16:44:24,277 DEBUG [0x000000010718d840] [/InvalidCertNotificationManager.cpp(372)] [csf.cert] [acceptInvalidCert] - User has accepted the request with fingerprint b5 d4 bf 78 bf 7e 10 53 b9 3a 5e 54 61 39 6f 24

2020-03-24 16:44:24,277 DEBUG [0x000000010718d840] [/InvalidCertNotificationManager.cpp(396)] [csf.cert] [acceptInvalidCert] - Signal has been sent.

2020-03-24 16:45:25,989 INFO [0x000000010718d840] [i/ui/cert/YLCInvalidCertAlertView.m(118)] [UI.Action.User] [-[YLCInvalidCertAlertView initWithDerCertificate:referenceID:certName:response:allowUserAccept:persistAcceptedDecision:]_block_invoke] - user accpet the Certificate Alert for nilesuq.in,and persistAcceptedDecision value is 1

2020-03-24 16:45:25,989 DEBUG [0x000000010718d840] [/InvalidCertNotificationManager.cpp(372)] [csf.cert] [acceptInvalidCert] - User has accepted the request with fingerprint cb fd bb 66 cb 7c f1 69 82 49 bf af 19 bd 2e f7

2020-03-24 16:45:25,989 DEBUG [0x000000010718d840] [/InvalidCertNotificationManager.cpp(396)] [csf.cert] [acceptInvalidCert] - Signal has been sent.

2020-03-24 17:12:21,073 INFO [0x0000000106f7d840] [i/ui/cert/YLCInvalidCertAlertView.m(118)] [UI.Action.User] [-[YLCInvalidCertAlertView initWithDerCertificate:referenceID:certName:response:allowUserAccept:persistAcceptedDecision:]_block_invoke] - user accpet the Certificate Alert for NILCUCMSUB2.nilesuq.com,and persistAcceptedDecision value is 1

Line 23099: 2020-03-25 14:22:23,636 INFO [0x0000000107001840] [i/ui/cert/YLCInvalidCertAlertView.m(118)] [UI.Action.User] [-[YLCInvalidCertAlertView initWithDerCertificate:referenceID:certName:response:allowUserAccept:persistAcceptedDecision:]_block_invoke] - user accpet the Certificate Alert for NILIMPSUB2.nilesuq.com,and persistAcceptedDecision value is 1

Line 35503: 2020-03-25 14:23:29,569 INFO [0x000000010b905840] [i/ui/cert/YLCInvalidCertAlertView.m(118)] [UI.Action.User] [-[YLCInvalidCertAlertView initWithDerCertificate:referenceID:certName:response:allowUserAccept:persistAcceptedDecision:]_block_invoke] - user accpet the Certificate Alert for NILCUCMSUB3.nilesuq.com,and persistAcceptedDecision value is 1

Line 35504: 2020-03-25 14:23:29,569 DEBUG [0x000000010b905840] [/InvalidCertNotificationManager.cpp(372)] [csf.cert] [acceptInvalidCert] - User has accepted the request with fingerprint b5 d4 bf 78 bf 7e 10 53 b9 3a 5e 54 61 39 6f 24

Line 35505: 2020-03-25 14:23:29,569 DEBUG [0x000000010b905840] [/InvalidCertNotificationManager.cpp(396)] [csf.cert] [acceptInvalidCert] - Signal has been sent.

Line 43890: 2020-03-25 14:23:31,406 DEBUG [0x000000010b905840] [/InvalidCertNotificationManager.cpp(372)] [csf.cert] [acceptInvalidCert] - User has accepted the request with fingerprint cb fd bb 66 cb 7c f1 69 82 49 bf af 19 bd 2e f7

Line 43891: 2020-03-25 14:23:31,406 DEBUG [0x000000010b905840] [/InvalidCertNotificationManager.cpp(396)] [csf.cert] [acceptInvalidCert] - Signal has been sent.

looking into the logs i noticed :-

020-03-25 11:37:52,791 INFO [0x000000010706d840] [i/ui/cert/YLCInvalidCertAlertView.m(175)] [UI.Cert] [-[YLCInvalidCertAlertView isCertificateAlreadySaved]] - Certificate for NILIMPSUB2.NIL.comnot exists
2020-03-25 11:37:52,791 INFO [0x000000010706d840] [ui/util/YLCAlertControllerManager.m(392)] [UI.Action.System] [-[YLCAlertControllerManager showAlertController:onView:withRect:]] - jabber show alert to user (Cisco Jabber cannot confirm the identity of the server NILIMPSUB2.NIL.com. Do you want to continue?

Also, could notice the following:

2020-03-24 16:44:20,905 ERROR [0x000000016fecb000] [ls/src/cert/ios/iOSCertVerifier.cpp(186)] [csf.cert.ios] [verifyCertificatePolicy] - Policy verification failed, the urls of CRL Distribution Points and Authority Information Access might be unreachable, result=5

Re: Jabber in iPhone 11 pro getting Certificate error

Jaime Valencia — Thu, 26 Mar 2020 15:10:40 GMT

Do you see the certificates in the device´s trust store (I think apple calls it a different way, but you get the idea) after you accept them?

If not, try to install them before using Jabber either manually or via MDM

Also, have you confirmed that those are indeed your certificates and that they do match the CN and the actual server's FQDN/hosntame?

Re: Jabber in iPhone 11 pro getting Certificate error

Rocky8971 — Fri, 27 Mar 2020 07:22:25 GMT

Hi @Jaime Valencia

Thank you so much for all your time and response, I really do appreciate it.

Yes, i do see the certificates in the device´s trust store after accepting them.

Also, have you confirmed that those are indeed your certificates and that they do match the CN and the actual server's FQDN/hosntame?

"Yes"

My friend has suggested me to follow below steps, I will try this & ll let you know whether its work for me /not

" Reset the Jabber on the iPhone Pro 11, which should go ahead and erase all the existing certificates from the device.
As soon as you have the fresh prompt on the application, Login to your Jabber Client, and Click OK on the prompt. This might just add the certs automatically to your Jabber Client’s Trust List. If not, then go to step 3.
Then go to: Settings > General > About > Certificate Trust Settings. Under "Enable full trust for root certificates," turn ON trust for the certificate.
Confirm the same on the device, if it shows as on the link: https://support.apple.com/en-in/HT204477 "

topic Re: Jabber in iPhone 11 pro getting Certificate error in IP Telephony and Phones

Jabber in iPhone 11 pro getting Certificate error

Re: Jabber in iPhone 11 pro getting Certificate error

Re: Jabber in iPhone 11 pro getting Certificate error