Help needed: SSL certificate trust failure that occurs only on iOS

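Hi everyone, I've run into an SSL certificate trust problem that is specific to iOS. Android and the web client can both reach the backend API normally, but iOS alone cannot connect. I'm really stuck, so I'm asking for help!

Background

I built a simple app whose backend is written in Node.js and deployed on an Ubuntu server. Everything worked over HTTP, but after switching to HTTPS the iOS client started failing certificate trust. The Android client and all kinds of browsers can access the same REST API with no problems at all; only iOS refuses to pass the system's certificate trust evaluation.

SSL check results

I ran an SSL checking tool against the server certificate and the result was an A rating, but a few minor issues puzzle me. One of them says the Sectigo certificate is "self-signed". It is clearly a certificate issued by a legitimate CA, so how can it be marked as self-signed? Could this be the root cause of the iOS validation failure?

Xcode error logs

Error log with ATS enabled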

2025-09-10 10:28:01.725091+0100 locateandclock[2291:1585213] ATS failed system trust
2025-09-10 10:28:01.725192+0100 locateandclock[2291:1585213] Connection 1: system TLS Trust evaluation failed(-9802)
2025-09-10 10:28:01.725291+0100 locateandclock[2291:1585213] Connection 1: TLS Trust encountered error 3:-9802
2025-09-10 10:28:01.725352+0100 locateandclock[2291:1585213] Connection 1: encountered error(3:-9802)
2025-09-10 10:28:01.726727+0100 locateandclock[2291:1585213] Task <4E41098F-6B71-4FB8-8753-78DD32961812>.<1> HTTP load failed, 0/0 bytes (error code: -1200 [3:-9802])
2025-09-10 10:28:01.736504+0100 locateandclock[2291:1585213] Task <4E41098F-6B71-4FB8-8753-78DD32961812>.<1> finished with error [-1200] Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, _kCFStreamErrorDomainKey=3, NSErrorPeerCertificateChainKey=( "<cert(0x10681be00) s: *.xxxxxxxxxxx.co.uk i: Sectigo Public Server Authentication CA DV R36>", "<cert(0x10681c800) s: Sectigo Public Server Authentication CA DV R36 i: Sectigo Public Server Authentication Root R46>", "<cert(0x10681d200) s: Sectigo Public Server Authentication Root R46 i: Sectigo Public Server Authentication Root R46>" ), NSErrorClientCertificateStateKey=0, NSErrorFailingURLKey=https://xxxxxxxxxxxx.co.uk/insertclocking, NSErrorFailingURLStringKey=https://xxxxxxxxxxxx.co.uk/insertclocking, NSUnderlyingError=0x282361650 {Error Domain=kCFErrorDomainCFNetwork Code=-1200 "(null)" UserInfo={_kCFStreamPropertySSLClientCertificateState=0, kCFStreamPropertySSLPeerTrust=<SecTrustRef: 0x281cf4460>, _kCFNetworkCFStreamSSLErrorOriginalValue=-9802, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9802, kCFStreamPropertySSLPeerCertificates=( "<cert(0x10681be00) s: *.xxxxxxxxxxxxxco.uk i: Sectigo Public Server Authentication CA DV R36>", "<cert(0x10681c800) s: Sectigo Public Server Authentication CA DV R36 i: Sectigo Public Server Authentication Root R46>", "<cert(0x10681d200) s: Sectigo Public Server Authentication Root R46 i: Sectigo Public Server Authentication Root R46>" )}}, _NSURLErrorRelatedURLSessionTaskErrorKey=( "LocalDataTask <4E41098F-6B71-4FB8-8753-78DD32961812>.<1>" ), _kCFStreamErrorCodeKey=-9802, _NSURLErrorFailingURLSessionTaskErrorKey=LocalDataTask <4E41098F-6B71-4FB8-8753-78DD32961812>.<1>, NSURLErrorFailingURLPeerTrustErrorKey=<SecTrustRef: 0x281cf4460>, NSLocalizedDescription=An SSL error has occurred and a secure connection to the server 
cannot be made.}

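Error log after temporarily disabling ATS

I tried setting ATS's NSAllowsArbitraryLoads to YES (for testing only, not a long-term solution). The error type changed, but the connection still cannot be established: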

2025-09-12 12:33:32.650932+0100 locateandclock[2832:2071478] Connection 2: default TLS Trust evaluation failed(-9813)
2025-09-12 12:33:32.651119+0100 locateandclock[2832:2071478] Connection 2: TLS Trust encountered error 3:-9813
2025-09-12 12:33:32.651175+0100 locateandclock[2832:2071478] Connection 2: encountered error(3:-9813)
2025-09-12 12:33:32.706852+0100 locateandclock[2832:2071478] Task <C3EFDBE5-89D2-4948-A3F5-A731FDFFB47F>.<2> HTTP load failed, 0/0 bytes (error code: -1202 [3:-9813])
2025-09-12 12:33:32.723928+0100 locateandclock[2832:2071541] Task <C3EFDBE5-89D2-4948-A3F5-A731FDFFB47F>.<2> finished with error [-1202] Error Domain=NSURLErrorDomain Code=-1202 "The certificate for this server is invalid. You might be connecting to a server that is pretending to be “xxxxxxxxxxx.co.uk” which could put your confidential information at risk." UserInfo={NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, _kCFStreamErrorDomainKey=3, NSErrorPeerCertificateChainKey=( "<cert(0x10881e600) s: *.xxxxxxxxxxxx.co.uk i: Sectigo Public Server Authentication CA DV R36>", "<cert(0x10881f000) s: Sectigo Public Server Authentication CA DV R36 i: Sectigo Public Server Authentication Root R46>", "<cert(0x10881fa00) s: Sectigo Public Server Authentication Root R46 i: Sectigo Public Server Authentication Root R46>" )}

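My core questions

  • Why do Android and browsers trust this certificate normally, while iOS alone strictly rejects it?
  • The SSL checking tool gives an A rating but also reports that the Sectigo certificate is self-signed. Where exactly is the server's certificate chain misconfigured?
  • What specific problems do the two error codes (-9802 and -9813) point to? Are there targeted directions for troubleshooting?

Has anyone run into something similar, or can anyone point me in a direction for troubleshooting? Many thanks!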
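
A triage aid for logs like the two above, added here as an example and not part of the original post: it names the NSURLError and SecureTransport codes from the "HTTP load failed" line and walks the NSErrorPeerCertificateChainKey entries, checking that each issuer matches the next subject and listing entries whose subject equals their issuer (a root CA certificate is self-issued by definition). The function names and the sample log (placeholder host `example.co.uk`, placeholder task id) are constructed for illustration; the code names are those declared in Apple's SecureTransport.h and NSURLError.h.

```python
import re

# Names as declared in Apple's SecureTransport.h and NSURLError.h.
CODES = {
    -9802: "errSSLFatalAlert",
    -9813: "errSSLNoRootCert",
    -1200: "NSURLErrorSecureConnectionFailed",
    -1202: "NSURLErrorServerCertificateUntrusted",
}
CERT_RE = re.compile(r"<cert\((0x[0-9a-f]+)\) s: (.*?) i: (.*?)>")
CODE_RE = re.compile(r"error code: (-\d+) \[\d+:(-\d+)\]")

# Constructed sample shaped like the second log above; host name is a placeholder.
SAMPLE_LOG = (
    'Task <T>.<2> HTTP load failed, 0/0 bytes (error code: -1202 [3:-9813])\n'
    'NSErrorPeerCertificateChainKey=( '
    '"<cert(0x10881e600) s: *.example.co.uk i: Sectigo Public Server Authentication CA DV R36>", '
    '"<cert(0x10881f000) s: Sectigo Public Server Authentication CA DV R36 i: Sectigo Public Server Authentication Root R46>", '
    '"<cert(0x10881fa00) s: Sectigo Public Server Authentication Root R46 i: Sectigo Public Server Authentication Root R46>" )'
)

def parse_chain(log):
    """Return (subject, issuer) pairs in log order, one per certificate address."""
    seen, chain = set(), []
    for addr, subject, issuer in CERT_RE.findall(log):
        if addr not in seen:  # the same chain is printed again under NSUnderlyingError
            seen.add(addr)
            chain.append((subject, issuer))
    return chain

def analyze(chain):
    """Check issuer-to-subject linkage and list self-issued (root) entries."""
    linked = all(chain[k][1] == chain[k + 1][0] for k in range(len(chain) - 1))
    self_issued = [s for s, i in chain if s == i]
    return {"leaf": chain[0][0], "linked": linked, "self_issued": self_issued}

def error_names(log):
    """Map the NSURLError and SecureTransport codes of a 'HTTP load failed' line to names."""
    m = CODE_RE.search(log)
    return [CODES.get(int(c), "unknown") for c in m.groups()] if m else []

if __name__ == "__main__":
    print(error_names(SAMPLE_LOG))
    print(analyze(parse_chain(SAMPLE_LOG)))
```

A chain that links correctly and ends in a self-issued entry is structurally complete, so the remaining question is whether the client's trust store contains that root or needs a different (for example cross-signed) path to one it does contain.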
