iTunes does not trust Let’s Encrypt when fetching podcast feeds
| Field | Value | Field | Value |
|---|---|---|---|
| Originator: | chris | | |
| Number: | rdar://29139592 | Date Originated: | 2016-11-07 |
| Status: | Open | Resolved: | |
| Product: | Other | Product Version: | |
| Classification: | Other Bug | Reproducible: | Always |
Squarespace, a popular podcast hosting site, now issues SSL certificates for its clients using the new, free Let's Encrypt CA. This CA is cross-signed by IdenTrust's "DST Root CA X3". However, that root is not included in Java's default trust store, so these certificates are not trusted by iTunes when it tries to fetch podcast feeds. Squarespace users must turn off HTTPS or proxy their feeds elsewhere to allow iTunes to fetch them.

iTunes's Java trust store should be configured to trust this IdenTrust root. The root is already trusted by iOS and OS X, so this does not represent a policy shift for Apple; it would correct an oversight in the configuration of iTunes servers.

I wrote about this problem here: https://www.dzombak.com/blog/2016/11/Let-s-Encrypt-vs--iTunes--anatomy-of-an-error-delivering-Fatal-Error.html

Steps to Reproduce:
1. Add an HTTPS podcast feed, with a Let's Encrypt certificate, to Podcasts Connect.

Expected Results:
iTunes servers can fetch the podcast feed.

Actual Results:
iTunes servers cannot fetch the feed. The following error is reported in Podcasts Connect:

Can’t read your feed. sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
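The failure described above is a missing trust anchor: the server sends a leaf and an intermediate, but the validator's trust store holds no root that issued the intermediate, so no path can be built. The script below is an added example, not part of this radar or of Apple's or Squarespace's code; it reproduces that situation offline with a throw-away PKI and the openssl CLI (assumed to be version 1.1.1 or newer and on PATH). All CA names, the host name podcast.example and the file names are constructed for the demo; the "root" stands in for DST Root CA X3, the intermediate for the Let's Encrypt issuing CA, and "other_root" for a trust store that lacks the IdenTrust anchor.

```shell
#!/bin/sh
# Added example, not part of the radar: reproduce the "no path to a trusted root"
# failure with a throw-away PKI and the openssl CLI (assumed to be 1.1.1 or newer
# and on PATH). Every name below is constructed for the demo.

DEMO="${DEMO:-$(mktemp -d)}"

# build_demo_pki: create a root that stands in for DST Root CA X3, an intermediate
# that stands in for the Let's Encrypt issuing CA, a leaf for a fictitious podcast
# host, and an unrelated second root that models a trust store lacking IdenTrust.
# Runs in a subshell so the cd does not leak into the caller.
build_demo_pki() (
    cd "$DEMO" || exit 1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:podcast.example\n' > leaf.ext

    # Two self-signed roots, each carrying CA:TRUE from ca.ext.
    for name in root other_root; do
        openssl req -new -newkey rsa:2048 -nodes -keyout "$name.key" \
            -out "$name.csr" -subj "/CN=Demo $name CA" >/dev/null 2>&1 || exit 1
        openssl x509 -req -in "$name.csr" -signkey "$name.key" -days 30 \
            -extfile ca.ext -out "$name.pem" >/dev/null 2>&1 || exit 1
    done

    # Intermediate issued by "root", then the leaf issued by the intermediate.
    openssl req -new -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
        -subj "/CN=Demo Intermediate CA" >/dev/null 2>&1 || exit 1
    openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
        -days 30 -extfile ca.ext -out inter.pem >/dev/null 2>&1 || exit 1
    openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
        -subj "/CN=podcast.example" >/dev/null 2>&1 || exit 1
    openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
        -days 30 -extfile leaf.ext -out leaf.pem >/dev/null 2>&1 || exit 1
)

# chain_status TRUSTSTORE: validate leaf.pem, with inter.pem offered as an untrusted
# intermediate (as a server would send it), against the given trust store. Prints
# "OK" when a path to a trusted root exists; otherwise prints OpenSSL's reason,
# the counterpart of Java's "PKIX path building failed".
chain_status() {
    if out=$(openssl verify -CAfile "$1" -untrusted "$DEMO/inter.pem" "$DEMO/leaf.pem" 2>&1); then
        echo OK
    else
        # e.g. "error 20 at 1 depth lookup: unable to get local issuer certificate"
        echo "$out" | sed -n 's/.*lookup: *//p' | head -n 1
    fi
}

build_demo_pki || { echo "could not build demo PKI" >&2; exit 1; }
echo "trust store with the cross-signing root  : $(chain_status "$DEMO/root.pem")"
echo "trust store without it (iTunes' situation): $(chain_status "$DEMO/other_root.pem")"
```

The same check against a real Java deployment is to list the JVM's default trust store and look for the IdenTrust root, for example `keytool -list -keystore "$JAVA_HOME/lib/security/cacerts" -storepass changeit | grep -i identrust`; an empty result on the fetching host is the condition this radar reports. The fix on the validating side is to add the cross-signing root to that store, not to disable certificate validation.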