"Cannot install application because the certificate for *** is not valid" when installing Appeon Workspace on iOS 7.1 or later device

On a device running on iOS 7.1 or later, the following error occurs when downloading Appeon Workspace from the Appeon Workspace download center or the AEM login page.

Figure 8. Install error

Install error

Cause:

Start from iOS 7.1, Apple requires the enterprise apps manifest file (.plist) to be served over HTTPS. Attempts to install through HTTP cause the above message.

Analysis:

Actually only the .plist file needs to be served by HTTPS, the .ipa file does not. Therefore, you do not need to modify the .plist file, but only need to modify the OTA link to point to the HTTPS link of the .plist file, for example, itms-services://?action=download-manifest&url=https://app.xxx.com/AWS/6.8.0110.00.plist.

In downloadaws_template.html, the OTA link actually displays as 'itms-services://?action=download-manifest&url=' + ios_mobile_url, where you need to modify the value of "ios_mobile_url" to like this: https://app.xxx.com/AWS/6.8.0110.00.plist. With this change, iOS 7.1 or later will allow you to download and install Appeon Workspace. In fact, iOS 7.1 or later, iOS 7 and iOS 6.x all support the OTA link over HTTPS, which means if you make this change, it will work for all iOS devices.

Solution A:

This new requirement for HTTPS on the Web server is introduced starting from Apple iOS 7.1 and it cannot be worked around by PowerServer Mobile. The solution is either to configure the Web server to support HTTPS, or use a public HTTPS-enabled Web server like DropBox to work around this requirement.

Step 1: Configure to allow the .plist file to be accessed by HTTPS.

There are two ways to do this:

  • Install the SSL certificate on the Web site, and then add an HTTPS port to the Web site that hosts Appeon Workspace.

    The HTTPS URL of .plist will change to https://app.xxx.com/AWS/6.8.0110.00.plist.

    Note: The default HTTPS port is 443. Therefore, the following two URLs work the same:

    https://app.xxx.com/AWS/6.8.0110.00.plist

    https://app.xxx.com:443/AWS/6.8.0110.00.plist

    It is also important to aware that you cannot use a self-signed certificate to bindings HTTPS port unless the device trusts the CA it came from. You either need to use a "real" SSL certificate or you need to import and trust the certificate on any devices that will install the app.

    Figure 9. Configure HTTPS port

    Configure HTTPS port

  • If you do not want to apply for an SSL certificate in the Web site, you can work around this by taking advantage of DropBox to host the .plist file. Detail steps are below.

    1. Upload your .plist file to DropBox. Suppose the file name is 6.8.0110.00.plist.

    2. Get shared link of your .plist file, such as https://www.dropbox.com/s/0oef1fmmjsuj5hf/6.8.0110.00.plist.

    3. Replace www.dropbox.com with dl.dropboxusercontent.com in the shared link. So the HTTPS URL of your .plist file will be https://dl.dropboxusercontent.com/s/0oef1fmmjsuj5hf/6.8.0110.00.plist.

Step 2: Back up the downloadaws_template.html file under the aws folder (C:\inetpub\wwwroot\appeon\aws), and then change the value of "ios_mobile_url" in this file to point to the HTTPS URL of the .plist file. For example,

Change from

var ios_mobile_url = web_server + '/' + filename + '.plist';

To this (when .plist is on your own Web server):

var ios_mobile_url = 'https://app.xxx.com/AWS/6.8.0110.00.plist';

Or to this (when .plist is on DropBox):

var ios_mobile_url = 'https://dl.dropboxusercontent.com/s/0oef1fmmjsuj5hf/6.8.0110.00.plist';

Step 3: Access AEM using IP address or host name in the IE browser such as http://demo.appeon.com/AEM. Do not use localhost such as http://localhost/AEM. Once the AEM login page is opened, PowerServer will automatically update the downloadaws.html file in the aws folder.

Now any iOS-based device can successfully download and install Appeon Workspace via this HTTPS URL.

Note: If you are currently using the version 2013 R2 build 0110.00, then you will need to be aware that the above changes will resolve the download button in the Appeon Workspace download center, but will not resolve the download link in the AEM login page, which means, if you download Appeon Workspace from the Appeon Workspace download center, this problem is resolved, however if you download Appeon Workspace from the AEM login page (as shown below), this problem still persists.

Figure 10. AEM login page (in 2013 R2 build 0110.00)

AEM login page (in 2013 R2 build 0110.00)

Solution B:

If you do not want to configure the SSL certificate on your Web server or use DropBox to work around the requirement, you can download the .ipa file to the PC through IE browser (for example, you can download the .ipa file from the Appeon Workspace download center (e.g. http://hostname/aws/), and then synchronize it from the PC to the iOS device using iTunes.