Xcode Server CI builds fail to install with iOS 7.1

Asked 12/3, 2014 at 13:12 Answered 13/2, 2015 at 14:25

Solved ios xcode continuous-integration osx-mavericks xcode-server

We currently have our Xcode server set up for our CI build.

When trying to download the builds on a device i am greeted with 'Cannot connect to server.local' when visited over SSL.

When i try to download over http i am created with 'cannot install application because the certificate for server.local is not valid'

I believe this is to do with the the SSL validation for OTA downloads within iOS 7.1 however i am using a self assigned certificate.

Is this a bug or a limitation of Xcode server. Do we need a certificate that is not self assigned?

Thanks

Dan

Sulphurbottom answered 12/3, 2014 at 13:12 Comment(2)

I'm having the same problem with a regular SSL cert (validated both by chrome and safari) – Kellda 12/3, 2014 at 20:1

Have you filled a bug? – Sulphurbottom 13/3, 2014 at 15:32

Your best solution is to create a custom CA and install that on the device and then create a certificate for your specific domain and install that on the Xcode server.

First create a CA.

openssl genrsa -out Custom-CA.key 2048
openssl req -x509 -new -key Custom-CA.key -out Custom-CA.cer -days 730 -subj /CN="Company Name Certificate Authority"

Now you need to create a certificate signed with the above authority.

IMPORTANT: server.local should be replaced by whatever your host name of the machine is (the original question was using server.local). IP addresses will not work.

openssl genrsa -out xcode-server.key 2048
openssl req -new -out xcode-server.req -key xcode-server.key -subj /CN=server.local
openssl x509 -req -in xcode-server.req -out xcode-server.cer -CAkey Custom-CA.key -CA Custom-CA.cer -days 730 -CAcreateserial -CAserial xcode-server_serial.txt

You then need to install Custom-CA.cer on all devices you want to use with the server. The easiest way is to email the Custom-CA.cer to those devices.

In OS X server you need to import the Custom-CA.cer, xcode-server.key and xcode-server.cer and use the server.local certificate as the servers SSL certificate.

(Info from this guide)

E.g. If you machine host name was xcodeserver.companyname.com you would put /CN=xcodeserver.companyname.com

Iconography answered 26/3, 2014 at 11:57 Comment(8)

I followed this and it worked, but whenever I click on Product I still get certificate is invalid, If I go through https I get cannot connect to server, any ideas? – Hailee 24/4, 2014 at 14:43

Can you access any pages on the sever in Safari if you go to them with HTTPS? – Iconography 24/4, 2014 at 14:47

I'm able to open the bots site and I can browse around fine enough, it even asked me to trust the certificate that I made, which I did, but whenever I tap on Product, using HTTPS I get Cannot connect to server. I debugged it with Charles and it seems that I get "SSLHandshake: Remote host closed connection during handshake". Also I'm not the only one with such an issue - devforums.apple.com/message/961471#961471 – Hailee 24/4, 2014 at 15:25

Ah it shouldn't have asked you to trust the certificate - thats the whole point of this step "You then need to install Custom-CA.cer on all devices you want to use with the server. The easiest way is to email the Custom-CA.cer to those devices." - doing that means that the certificate is already added to the devices store. Did you do that? – Iconography 24/4, 2014 at 15:28

I did and in Settings it looks exactly like this one (from the five tips post) - blogcdn.httpwatch.com/wp-content/uploads/2013/12/custom_CA.png – Hailee 24/4, 2014 at 15:30

If going to a HTTPS server page still asked you to trust the certificate even after installing it then something went wrong with the above steps. What URLs are you using, and what CN parameter are you providing? – Iconography 24/4, 2014 at 15:33

let us continue this discussion in chat – Hailee 24/4, 2014 at 15:36

I've updated the answer to explain what CN name should be used. – Iconography 24/4, 2014 at 15:44

You are correct. In 7.1 OTA installs from xcode server need SSL validation. So, you can either get an SSL cert for your xcode server or do this workaround.

Go to your xcode server bots screen on a desktop browser.
Download the Product(.ipa) from the bot you want.
Open iTunes with your device connected.
Drag the .ipa file into iTunes.

You should be able to replace/install your build onto your device.

Not as easy as OTA builds, but it works.

Forgave answered 13/3, 2014 at 19:5 Comment(2)

I have a self signed SSL cert. this was autocreated by the server. As mentioned above even with a validated SSL cert it seems to be broken. – Sulphurbottom 13/3, 2014 at 22:14

Thanks for your comments but this is no easier than plugging the devices in to instal on the dev machine. – Sulphurbottom 13/3, 2014 at 22:15

I Have found the solution. I can confirm that steps 4 & 5 worked for me!

http://blog.httpwatch.com/2013/12/12/five-tips-for-using-self-signed-ssl-certificates-with-ios/#comments

Sulphurbottom answered 1/4, 2014 at 12:26 Comment(0)

had the exact same issue and it was a browser caching issue on Safari.

I went into Settings -> Safari -> Advanced -> Website Data, then left swiped on my Xcode server website to reveal the Delete button and clicked on it for just that website.

The next time I browsed to the Xcode server in Safari and attempted to install a build, I received the prompt to install the OTA certificate and when accepted done that I could install applications.

Tunic answered 13/2, 2015 at 14:25 Comment(0)

Recommended topics

Hot tags