ios9 corespotlight ios-universal-links

Apple-app-site-association not found


I'm trying to pass the Apple Search Validation Tool, and I'm having problems with the apple-app-site-association.

For some reason the bot can't find my file. But if you open the URL it's there.

It's not a formatting problem, because the file isn't even found. I have https so it's not needed to sign my file.

I don't have any extension on my file, as asked in the documentation.

Someone had a similar problem and asked on the Apple Developer forums, but it didn't help me.

My url is https://ps3looke.ottvs.com.br/apple-app-site-association

I tried to check it with cURL and everything seems normal:

Caios-MacBook-Air:~ caiocoan$ curl -I https://ps3looke.ottvs.com.br/apple-app-site-association
HTTP/1.1 200 OK
Content-Length: 135
Content-Type: application/json
Last-Modified: Tue, 27 Oct 2015 15:36:52 GMT
Accept-Ranges: bytes
ETag: "f81e714dcd10d11:0"
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Date: Wed, 04 Nov 2015 20:43:25 GMT

Any idea of what I could be doing wrong, or what I need to do?


Solution

  • I am currently contacting Microsoft Support over the same issue. My initial assessment is that Windows Server 2012 R2 has a bug in handling TLS 1.2, which is the HTTPS protocol that AppleBot uses to crawl the pages.

    Your apple-app-site-association looks perfectly fine

    Edit

    I found that even with the validation tool not working, when you visit the site on Safari on the iPad/iPhone, the "Open in the xxx app" does pop out.

    Update 2015-12-22

    Microsoft has gotten back to me. The issue is that AppleBot sends the following Client Hello to initiate the SSL connection:

    Signature Hash Algorithms (4 algorithms)
        Signature Hash Algorithm: 0x0401
            Signature Hash Algorithm Hash: SHA256 (4)
            Signature Hash Algorithm Signature: RSA (1)
        Signature Hash Algorithm: 0x0403
            Signature Hash Algorithm Hash: SHA256 (4)
            Signature Hash Algorithm Signature: ECDSA (3)
        Signature Hash Algorithm: 0x0201
            Signature Hash Algorithm Hash: SHA1 (2)
            Signature Hash Algorithm Signature: RSA (1)
        Signature Hash Algorithm: 0x0203
            Signature Hash Algorithm Hash: SHA1 (2)
            Signature Hash Algorithm Signature: ECDSA (3)
    

    When you look at the certificate hierarchy of your SSL certificate, you see:

    COMODO RSA Organization Validation Secure Server CA
        Certificate signature algorithm
            PKCS #1 SHA-384 With RSA Encryption
    

    When Windows Server receives the Client Hello from AppleBot, it sees that AppleBot supports SHA1 and SHA256; however, your certificate requires support for SHA384. Thus, according to https://www.rfc-editor.org/rfc/rfc5246#section-7.4.1.4.1, there is no way to fulfil the request and Windows Server resets the connection. AppleBot then reports the file as not found.

    Specifically, RFC 5246 says:

       If the client provided a "signature_algorithms" extension, then all
       certificates provided by the server MUST be signed by a
       hash/signature algorithm pair that appears in that extension.
    

    Remedy suggested by Microsoft

    When you need to use the validator, create a self-signed certificate. By default, Windows uses SHA1 as the certificate signature algorithm. Bind the self-signed cert to your HTTPS endpoint, then use the validator to ensure that your apple-app-site-association file is okay. You can then switch back to the actual SSL certificate you bought.

    My warning

    Do not put a self-signed cert on your production server. Create another server to test!
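
The mismatch described in the answer above can be checked offline. The following is an added example, not part of the original answer or any Microsoft or Apple tooling: it parses a `signature_algorithms` extension built from the four pairs quoted in the Client Hello and reports which chain certificates are signed with a pair the client did not offer. The extension bytes, the chain lists and all function names are constructed for illustration.

```python
import struct

HASH_NAMES = {2: "SHA1", 4: "SHA256", 5: "SHA384", 6: "SHA512"}  # RFC 5246 HashAlgorithm
SIG_NAMES = {1: "RSA", 3: "ECDSA"}                               # RFC 5246 SignatureAlgorithm

# Constructed sample: signature_algorithms extension (type 13) carrying the four
# pairs listed in the Client Hello above: 0x0401, 0x0403, 0x0201, 0x0203.
CLIENT_EXT = bytes.fromhex("000d" "000a" "0008" "0401" "0403" "0201" "0203")

# Constructed sample chains as (label, (hash, signature)) entries.
# The first uses the certificate signature algorithm quoted in the answer.
PRODUCTION_CHAIN = [("COMODO RSA Organization Validation Secure Server CA", (5, 1))]
# Hypothetical self-signed test certificate signed with SHA-1/RSA.
TEST_CHAIN = [("self-signed test cert", (2, 1))]


def parse_signature_algorithms(ext: bytes):
    """Return the (hash, signature) pairs from a raw signature_algorithms extension."""
    if len(ext) < 6:
        raise ValueError("extension truncated")
    ext_type, ext_len, list_len = struct.unpack("!HHH", ext[:6])
    body = ext[6:]
    if ext_type != 13:
        raise ValueError("not a signature_algorithms extension")
    if ext_len != list_len + 2 or len(body) != list_len or list_len % 2:
        raise ValueError("inconsistent length fields")
    return [(body[i], body[i + 1]) for i in range(0, list_len, 2)]


def unsupported_certs(offered, chain):
    """Certificates whose signing pair the client did not offer (RFC 5246, 7.4.1.4.1)."""
    offered = set(offered)
    return [label for label, pair in chain if pair not in offered]


def pair_name(pair):
    """Human-readable name for a (hash, signature) pair."""
    h, s = pair
    return f"{HASH_NAMES.get(h, hex(h))}/{SIG_NAMES.get(s, hex(s))}"


if __name__ == "__main__":
    offered = parse_signature_algorithms(CLIENT_EXT)
    print("client offers:", ", ".join(pair_name(p) for p in offered))
    for name, chain in (("production", PRODUCTION_CHAIN), ("test", TEST_CHAIN)):
        bad = unsupported_certs(offered, chain)
        print(f"{name}: {'no acceptable signature pair for ' + str(bad) if bad else 'ok'}")
```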