Lazarus.9716:

I’ve just started having a problem loading data from the API. Last time I tried was about a month ago. I’m trying to find a way to get around it under iOS, but a public API really should have a valid, trusted certificate.

Here’s the information from Firefox:
api.guildwars2.com uses an invalid security certificate. The certificate is not trusted because the issuer certificate is not trusted. (Error code: sec_error_untrusted_issuer)

Archomeda.6472:

It’s valid according to my Firefox on Windows 7. Which OS or environment are you using? I recall something about Java not trusting the certificates from the API, but don’t take my word for it.

Khisanth.2948:

> It’s valid according to my Firefox on Windows 7. Which OS or environment are you using? I recall something about Java not trusting the certificates from the API, but don’t take my word for it.

They changed the certificate a while ago because of that.

As for the OP, sounds like some root certificates are missing from the system.

smiley.1438:

Perhaps the machine you are querying from doesn’t have some standard root certificates installed. Ensure the GeoTrust Global CA cert is installed on your machine.

https://forum-en.guildwars2.com/forum/community/api/Connection-issue/
https://forum-en.guildwars2.com/forum/community/api/Java-access-to-the-api/
https://forum-en.guildwars2.com/forum/community/api/Certificate-problems-with-Android-Apps/

You may also want to check out the list of API Wrappers and dig through some code to see how others handled this problem.

Lazarus.9716:

> Perhaps the machine you are querying from doesn’t have some standard root certificates installed. Ensure the GeoTrust Global CA cert is installed on your machine.
>
> https://forum-en.guildwars2.com/forum/community/api/Connection-issue/
> https://forum-en.guildwars2.com/forum/community/api/Java-access-to-the-api/
> https://forum-en.guildwars2.com/forum/community/api/Certificate-problems-with-Android-Apps/
>
> You may also want to check out the list of API Wrappers and dig through some code to see how others handled this problem.

Thanks for the info all. The links above provide the info I need. I was thinking the cert itself was expired or self-signed, but it’s the CA authority itself that’s not recognized by iOS.

There is a code workaround to allow you to tell iOS to accept a certificate for a specific auth session, but that didn’t work. I’ll see if I can install the correct CA certificate in the app, which would be the right way to fix the problem.

Luckily, I had a snapshot of the database from about a month ago, so I was able to submit the app yesterday.

Thanks for the posts all.

Killer Rhino.6794:

Lazarus,

Author of GW2Kit here, and I can not reproduce your certificate issue (just pulled Events using GW2Kit’s iOS test app, both on the simulator and the device).

I would highly discourage you from modifying your NSURLConnection delegate to ignore certificate checks. Please review that SSL post; it contains some very relevant links for someone like you, who is developing with Cocoa-technologies.

Lazarus.9716:

> Lazarus,
>
> Author of GW2Kit here, and I can not reproduce your certificate issue (just pulled Events using GW2Kit’s iOS test app, both on the simulator and the device).
>
> I would highly discourage you from modifying your NSURLConnection delegate to ignore certificate checks. Please review that SSL post; it contains some very relevant links for someone like you, who is developing with Cocoa-technologies.

Odd that you couldn’t reproduce it, especially on the device. (If you had the CA cert installed locally the simulator probably would have used it.)

I read through all the threads and I’m aware of the security issues. I did use the delegate workaround, but ONLY for api.guildwars2.com. Granted, there is still some small chance of a man-in-the-middle attack, but since there’s no user-auth or user info exposed, I don’t see it as particularly likely to be harmful (if even attempted).

I’m still at a loss as to why my machine (and device) aren’t seeing the same thing yours is though. I’ll double check GW2Kit and see what you did. (But from my knowledge of the Cocoa APIs, if a CA isn’t trusted there’s nothing you can really do but ignore the auth check for that host.)

Lazarus.9716:

> Lazarus,
>
> I would highly discourage you from modifying your NSURLConnection delegate to ignore certificate checks. Please review that SSL post; it contains some very relevant links for someone like you, who is developing with Cocoa-technologies.

Just read that post. Thanks for the write-up. I’ll implement pinning as recommended in the next version. Cheers.

Killer Rhino.6794:

> > Lazarus,
> >
> > I would highly discourage you from modifying your NSURLConnection delegate to ignore certificate checks. Please review that SSL post; it contains some very relevant links for someone like you, who is developing with Cocoa-technologies.
>
> Just read that post. Thanks for the write-up. I’ll implement pinning as recommended in the next version. Cheers.

In GW2Kit, networking is obfuscated behind RestKit (which, in turn, relies on AFNetworking for its networking layer).

Although I’m not cert pinning, if you want reliable, easy cert pinning in the shortest amount of time, AFNetworking can provide you that.
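
Added example (not from the thread, GW2Kit or AFNetworking): the "ship the correct CA certificate in the app" approach discussed above, which keeps chain and hostname validation for api.guildwars2.com instead of skipping the check for that host. It assumes URLSession rather than the NSURLConnection delegate named in the thread, iOS 12 or later, and a hypothetical DER-encoded CA file `api-root-ca.cer` added to the app bundle.

```swift
import Foundation
import Security

/// Validates one host against a CA certificate shipped in the app bundle.
/// Added illustration; the class name and resource name are hypothetical.
final class BundledCATrustDelegate: NSObject, URLSessionDelegate {
    private let host: String
    private let anchors: [SecCertificate]

    /// `resource` names a DER-encoded CA certificate in the bundle (placeholder file).
    init?(host: String, resource: String, bundle: Bundle = .main) {
        guard let url = bundle.url(forResource: resource, withExtension: "cer"),
              let der = try? Data(contentsOf: url),
              let ca = SecCertificateCreateWithData(nil, der as CFData) else { return nil }
        self.host = host
        self.anchors = [ca]
        super.init()
    }

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition,
                                                  URLCredential?) -> Void) {
        let space = challenge.protectionSpace
        guard space.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              space.host == host,
              let trust = space.serverTrust else {
            // Every other host and challenge type keeps the system's normal validation.
            completionHandler(.performDefaultHandling, nil)
            return
        }
        // Require a chain that is valid for this hostname and ends at the bundled CA only.
        let policy = SecPolicyCreateSSL(true, host as CFString)
        var error: CFError?
        guard SecTrustSetPolicies(trust, policy) == errSecSuccess,
              SecTrustSetAnchorCertificates(trust, anchors as CFArray) == errSecSuccess,
              SecTrustSetAnchorCertificatesOnly(trust, true) == errSecSuccess,
              SecTrustEvaluateWithError(trust, &error) else {
            // Fail closed: an untrusted or mismatched chain cancels the request.
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }
        completionHandler(.useCredential, URLCredential(trust: trust))
    }
}

// Usage (resource name is a placeholder):
// let delegate = BundledCATrustDelegate(host: "api.guildwars2.com", resource: "api-root-ca")
// let session = URLSession(configuration: .ephemeral, delegate: delegate, delegateQueue: nil)
```

Because the bundled CA becomes the only accepted anchor for that host, the app needs an update whenever the server moves to a different issuer.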