strongpigeon 8 hours ago

I'm getting invalid certificates from https://ppq.apple.com. I think that's probably the root cause?

astrostl 7 hours ago

Invalid certs according to what? Quoth Claude Code:

OpenSSL can't validate the cert because it contains a critical extension it doesn't recognize — specifically 1.2.840.113635.100.6.27.3.2, which is an Apple-proprietary OID marked as critical. Per X.509 rules, if a client encounters an unrecognized critical extension, it must reject the cert.

That said, this is likely intentional on Apple's part — browsers and Apple's own TLS stack (SecureTransport/Network.framework) almost certainly know how to handle this extension. It's a private Apple CA (Apple Server Authentication CA) signing an Apple-internal service endpoint, so it's designed to work within Apple's ecosystem rather than with generic OpenSSL.

In practice:

  - Works fine in Apple clients (Safari, curl on macOS using the system TLS stack, iOS apps)
  - Fails with raw OpenSSL or other non-Apple TLS implementations
  - Not a misconfiguration — it's Apple intentionally using a proprietary critical extension on their private PKI
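
The rule quoted in the comment above (a client that meets an unrecognized critical extension must reject the certificate) as an added example that is not part of any comment in this thread: a minimal DER walk that lists the critical extensions a verifier does not handle. `SAMPLE`, the `KNOWN` set and the function names are assumptions constructed for illustration; only the OID 1.2.840.113635.100.6.27.3.2 comes from the thread.

```python
# Added example. SAMPLE is a constructed DER "Extensions" value, not Apple's certificate.
KNOWN = {"2.5.29.15", "2.5.29.17", "2.5.29.19", "2.5.29.37"}  # assumed set this verifier handles
APPLE_OID = "1.2.840.113635.100.6.27.3.2"  # the OID quoted in the thread
SAMPLE = bytes.fromhex(
    "302f"                                          # SEQUENCE OF Extension, 47 bytes
    "300c0603551d130101ff04023000"                  # basicConstraints, critical, recognized
    "3009060388370104020500"                        # 2.999.1 (example arc), non-critical, unknown
    "3014060b2a864886f76364061b03020101ff04020500"  # APPLE_OID, critical, dummy value
)

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    """Decode the content bytes of a DER OBJECT IDENTIFIER to dotted form."""
    arcs, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear marks the last byte of an arc
            arcs.append(value)
            value = 0
    first = arcs[0]  # the first two arcs share one encoded value
    head = [first // 40, first % 40] if first < 80 else [2, first - 80]
    return ".".join(map(str, head + arcs[1:]))

def unhandled_critical(extensions_der, known=KNOWN):
    """Return the OIDs of critical extensions that are not in `known`."""
    tag, seq, _ = read_tlv(extensions_der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE OF Extension")
    bad, pos = [], 0
    while pos < len(seq):
        _, ext, pos = read_tlv(seq, pos)
        _, oid_body, after_oid = read_tlv(ext, 0)
        next_tag, next_val, _ = read_tlv(ext, after_oid)
        # critical is BOOLEAN DEFAULT FALSE: an absent field means non-critical
        critical = next_tag == 0x01 and next_val != b"\x00"
        oid = decode_oid(oid_body)
        if critical and oid not in known:
            bad.append(oid)  # a conforming verifier must fail validation here
    return bad

if __name__ == "__main__":
    print(unhandled_critical(SAMPLE))
```

The non-critical unknown extension in the sample is skipped, which is why only the critical one causes a rejection.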

strongpigeon 7 hours ago

That's fair. I've never attempted to reach this before so I can't compare and the explanation makes sense.

The intermittent 502s on the other hand are an issue.

gt565k 8 hours ago

Hilarious... their provisioning profile query server has an expired SSL certificate?

Are you serious Apple?

strongpigeon 8 hours ago

It doesn't look expired per se:

  Issued On Wednesday, January 21, 2026 at 9:47:41 AM
  Expires On Wednesday, February 17, 2027 at 10:28:16 AM

What I get is: net::ERR_CERT_AUTHORITY_INVALID

gt565k 8 hours ago

Has some undisclosed error.

Says cannot be trusted when validating via SSL checker

https://decoder.link/sslchecker/ppq.apple.com/443

gt565k 8 hours ago

SSL Error: Verify return code: 34 (unhandled critical extension)

xutopia 7 hours ago

OMG my app just got rejected because I didn't have the right screenshots to their liking... an app specifically made to remember stuff like this LOL the irony!