Site not working on iPhone, does work on PC

Hi all,

I’m kinda at a loss with this problem. I found a similar problem on the forum, however that turned out to be a typo, and I’ve checked it against my setup and things seem to be all right.

Situation:
I have a webshop running on Vultr with the Origin Certificates (Authenticated Origin Pulls: ON) from CF installed. Running Apache2 with PHP 7.2(-fpm), MariaDB and, for the shop, PrestaShop. I started with Let’s Encrypt but because I want to use CF I decided to use the CF certificates instead.

I’ve got an advanced cert on the edge with settings:

Always Use HTTPS: ON
HTTP Strict Transport Security (HSTS): DISABLED
Minimum TLS Version: TLS1.2
Opportunistic Encryption: ON
TLS 1.3: ON
Automatic HTTPS Rewrites: ON
Certificate Transparency Monitoring: ON
Disable Universal SSL: DISABLED

So the problem
When I have the mode set to Flexible everything works. However once I go to Full or Full-Strict the site does not work on my iPhone anymore. I’ve checked in Chrome and it gives an “ERR_FAILED” message.

Once I go back to Flexible the site starts working straight away again.

I’ve tried:

  • Turning H2 off on Apache, no luck.
  • CURL-ing:
sudo curl -v --http2 https://blackcoffeeandsupplies.shop
*   Trying 172.67.207.170...
* TCP_NODELAY set
* Connected to blackcoffeeandsupplies.shop (172.67.207.170) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-ECDSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=US; ST=CA; L=San Francisco; O=Cloudflare, Inc.; CN=blackcoffeeandsupplies.shop
*  start date: Jun 19 00:00:00 2020 GMT
*  expire date: Jul 19 12:00:00 2020 GMT
*  subjectAltName: host "blackcoffeeandsupplies.shop" matched cert's "blackcoffeeandsupplies.shop"
*  issuer: C=US; O=Cloudflare, Inc.; CN=Cloudflare Inc ECC CA-3
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0xa0b010)
> GET / HTTP/2
> Host: blackcoffeeandsupplies.shop
> User-Agent: curl/7.63.0
> Accept: */*
>
* Connection state changed (MAX_CONCURRENT_STREAMS == 256)!
* HTTP/2 stream 0 was not closed cleanly: PROTOCOL_ERROR (err 1)
* stopped the pause stream!
* Connection #0 to host blackcoffeeandsupplies.shop left intact
curl: (92) HTTP/2 stream 0 was not closed cleanly: PROTOCOL_ERROR (err 1)

and on Flexible:

sudo curl -v --http2 https://blackcoffeeandsupplies.shop

*   Trying 172.67.207.170...
* TCP_NODELAY set
* Connected to blackcoffeeandsupplies.shop (172.67.207.170) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-ECDSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=US; ST=CA; L=San Francisco; O=Cloudflare, Inc.; CN=blackcoffeeandsupplies.shop
*  start date: Jun 19 00:00:00 2020 GMT
*  expire date: Jul 19 12:00:00 2020 GMT
*  subjectAltName: host "blackcoffeeandsupplies.shop" matched cert's "blackcoffeeandsupplies.shop"
*  issuer: C=US; O=Cloudflare, Inc.; CN=Cloudflare Inc ECC CA-3
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x1538010)
> GET / HTTP/2
> Host: blackcoffeeandsupplies.shop
> User-Agent: curl/7.63.0
> Accept: */*
>
* Connection state changed (MAX_CONCURRENT_STREAMS == 256)!
    < HTTP/2 200
    < date: Fri, 19 Jun 2020 11:03:45 GMT
    < content-type: text/html; charset=utf-8
    < set-cookie: __cfduid=d38d86dbcab270b6b1f8b8bc1d6b7edf21592564625; expires=Sun, 19-Jul-20 11:03:45 GMT; path=/; domain=.blackcoffeeandsupplies.shop; HttpOnly; SameSite=Lax; Secure
    < expires: Thu, 19 Nov 1981 08:52:00 GMT
    < cache-control: no-store, no-cache, must-revalidate
    < pragma: no-cache
    < set-cookie: PHPSESSID=6h8c9tas88k62uvghv4jpk0ppc; path=/
    < set-cookie: PrestaShop-63a90b2ec8a45103117197e609fd836f=def50200d8089ec1773acf95668af5e80ad96a945d07897a7f1602240a591112b6443808b8830932a832f603a57f927632e4d7246b58d45f4faae577c22722f8274ad6b10a0776818d16e5075b41f3228c18f59af97745e16e9232309fc04dcc9a55c0c6d9b9d17a4915bc5ee245cc754d21e76f1f501c2da85eaf73bb8cdafc6bbf38df65c98ce196403734eeb110216f35d4a985ae546abc3bff2d9a70ef; expires=Thu, 09-Jul-2020 11:03:45 GMT; Max-Age=1728000; path=/; domain=blackcoffeeandsupplies.shop; secure; HttpOnly
    < set-cookie: PrestaShop-63a90b2ec8a45103117197e609fd836f=def50200c90afd5060474ce98271a5d6c44cda1e2f612d3087a49a2f5d5165783014eab8ea1a1af643e55a21cc1f4ea152bc6ff03d9317b4bc18010977541a5228b2a2a4703e59ccfb1167927ae3a9ae72d81bca342543551405f2a2ed5572ce4352e1f56da8b38d70f4eb9071f858dd1dc1a4c6ceb2e4dc4a359502a0785b0da6c20be0a3aee341e3ba10d9816bff592773d18c0d8f97c607b159e2c4c30df20115c8b06ad53cef3a9f76ffff49d35830be125b94007401c098409df210c049ec015e2d99; expires=Thu, 09-Jul-2020 11:03:45 GMT; Max-Age=1728000; path=/; domain=blackcoffeeandsupplies.shop; secure; HttpOnly
    < strict-transport-security: max-age=63072000; includeSubDomains; preload
    < x-frame-options: SAMEORIGIN
    < x-content-type-options: nosniff
    < vary: Accept-Encoding
    < cf-cache-status: DYNAMIC
    < cf-request-id: 036dd8c7da0000d9056628f200000001
    < expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
    < server: cloudflare
    < cf-ray: 5a5cc3ec9c20d905-AMS

So I’m kinda certain it has something to do with:

* Connection state changed (MAX_CONCURRENT_STREAMS == 256)!
* HTTP/2 stream 0 was not closed cleanly: PROTOCOL_ERROR (err 1)
* stopped the pause stream!
* Connection #0 to host blackcoffeeandsupplies.shop left intact
curl: (92) HTTP/2 stream 0 was not closed cleanly: PROTOCOL_ERROR (err 1)

However I can’t find the answer anywhere.

Hope someone can help me/point me in the right direction.
Let me know if you need anything else!

Thanks and Best Regards,
Henk-Jan

A quick update via this way because I’m at the post limit for today:

It’s a strange situation but I’ve solved it for now, I guess? On my iPhone I’m able to load the site, and curl also works.

As @michael suggested it was in the VHOST config:
The vhost in apache had:
Protocols: h2 HTTP/1.1 (as in documentation of Apache2).

However after removing HTTP/1.1 it worked. It seems that something was conflicting with it?
Love to discuss more about it tomorrow, but for now I can’t post anymore due to the limit.

update 2:
It’s getting weirder and weirder.

So the problem wasn’t with the VHost settings, just after I tried @michael his suggestion, the site stayed online however images wouldn’t load.

So I went back to:
Protocols h2

And went into the settings on CF, just to try and mess with the Always Use HTTPS etc. Just to try something out. I thought I’d purge the cache and noticed that Always Online was on. So I turned it off and instantly the images became visible again.

Next step was to try and go to vhost settings with the http/1.1 and guess what everything works now!

I don’t know if this is something that would never work, and I was stupid for turning always online on and thinking it would work with strict? But it looks like everything works now!

Thanks everyone!

I believe you, but that should not happen as that setting only applies to the second leg of the connection and is completely irrelevant for the first leg.

Right now the site loads fine for me and at sitemeer.com/#https://blackcoffeeandsupplies.shop/. Which mode do you currently have selected?

Site right now is on Flexible, and the strange thing is that when on Strict it loads perfectly on PC, it’s just the iPhone that shows a white screen and is unable to load it. Just switched it to Strict, and indeed sitemeer shows it’s online.

However I can’t understand why it’s not loading on mobile, and find it kind of strange that curl gives an error too in this mode.

Can you switch to Full strict now?

just switched it

Still loads for me and on Sitemeer.

For you too, except for the iOS device?

Seems to load on every desktop browser, just doesn’t load on (my) iPhone (Safari, Chrome and Firefox). I just don’t have a second device to check it with.

And I’m wondering, if it’s just my iPhone, what could cause it.

Well, it does seem to be iOS specific as it loads everywhere else fine, however that setting should be completely irrelevant for the client and the client shouldn’t even be aware.

We’d need to debug this, but that’s a bit tricky on a mobile device. You don’t have an Apple notebook? There’d be Safari. The three browsers on your iPhone are all Safaris too.

A few of the @MVP have iOS devices.

Not right now, however at home I do have multiple Apple devices, as soon as I get back home I’ll check.

Just got a note that the site doesn’t open on someone else’s iPhone either. So it does at least seem to be related to iOS Safari.

I don’t have any iOS device, so I can’t reproduce it I am afraid.

My best guess at this point would be to try it on MacOS. Should it be reproducible there, it will be a lot easier to debug.

On MacOS with cURL I get an error if I use H2:

% curl https://blackcoffeeandsupplies.shop --http1.1 --dump-header - -o  /dev/null -s
HTTP/1.1 200 OK

 % curl https://blackcoffeeandsupplies.shop --http2 --dump-header - -o  /dev/null
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
curl: (92) HTTP/2 stream 0 was not closed cleanly: PROTOCOL_ERROR (err 1)

I am currently running an older version of macOS (due to reasons…) on an older device, but it doesn’t work on HTTPS, even on the terminal using curl.

I’ll try when I get home;

It seems that on iOS 9/10 it does not work, however sometimes it sort-a-works:

Exactly the same here, was just pasting in the error.

Looking at the headers there seems to be an Upgrade one that shouldn’t be there… I would expect it comes from the origin server.

$ curl -I --http1.1 https://blackcoffeeandsupplies.shop/
HTTP/1.1 200 OK
Date: Fri, 19 Jun 2020 11:47:16 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
Set-Cookie: __cfduid=db6df64a7cd8b52b5774714f0f28412841592567235; expires=Sun, 19-Jul-20 11:47:15 GMT; path=/; domain=.blackcoffeeandsupplies.shop; HttpOnly; SameSite=Lax; Secure
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Set-Cookie: PHPSESSID=eqapdlcc2jrhjnnpcr7r4v7r2r; path=/
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Upgrade: http:/1.1
set-cookie: PrestaShop-63a90b2ec8a45103117197e609fd836f=def5020038f722ef5435ec06b7f79c9e80a084e6056cbb53a0632b95d400ae23831df4b4b26e790d2f0b4b0c26d092530755e0a50061b8a0996cb71e147d1c18d647fce58f46aaebba6c24d7f602e6046d7f8bdf6a6293bb716fa5a61d1cb95a39d477588b33fe5fd1292f9cc2c37f726da58e8e4f08f2fee985cceb2ba540b8ea5655c7d2bc5bd7ae49646c80b4124cc009692732a4892250371a1725dd; expires=Thu, 09-Jul-2020 11:47:15 GMT; Max-Age=1727999; path=/; domain=blackcoffeeandsupplies.shop; secure; HttpOnly
set-cookie: PrestaShop-63a90b2ec8a45103117197e609fd836f=def502005d6a0ec44097ff3d3a8fc69a80cdf194a1a47ddc0de6393904f7589de5e8de96df780b27e5b2c939a11c26695b163011ff2e4017cdfcebbe45f9d3ff09cd715d45b365543c828b48904d4294d5706b829a6921389beee4813af9ccfae9821e53e1b84193b7893d9cc9d549d3a88bf9b34c1851f4da38dcad473a6ac0c45b7e057ab8e2ec51467acdbe2df3bb287dbde25e9952cf588f0258c4c2b9aed2b796fdf9f9d315dff563cd16377585d41fb903b142e04c659f51f0f6696c92e11ce3077a; expires=Thu, 09-Jul-2020 11:47:15 GMT; Max-Age=1727999; path=/; domain=blackcoffeeandsupplies.shop; secure; HttpOnly
CF-Cache-Status: DYNAMIC
cf-request-id: 036e009b8d0000f923e9a2b200000001
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Server: cloudflare
CF-RAY: 5a5d03a5acdef923-MXP
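
A check for the kind of stray header pointed out in the post above, added here as an example and not posted by anyone in the thread: it scans a `curl -I` or `curl -v` header dump for connection-specific fields, which RFC 7540 section 8.1.2.2 says must not appear in an HTTP/2 message. The function names and the sample dump are constructed for illustration.

```python
# Header fields that are connection-specific in HTTP/1.1 and must not
# appear in an HTTP/2 message (RFC 7540 section 8.1.2.2).
CONNECTION_SPECIFIC = {
    "connection", "keep-alive", "proxy-connection",
    "transfer-encoding", "upgrade",
}

def parse_header_dump(dump):
    """Parse `curl -I` / `curl -v` output into (name, value) response headers."""
    headers = []
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("< "):          # `curl -v` marks response lines with "<"
            line = line[2:]
        if not line or line.upper().startswith("HTTP/"):
            continue                        # blank line or status line
        name, sep, value = line.partition(":")
        # curl's "* ..." info lines and "> ..." request lines contain a space
        # before the first colon, so they are skipped here.
        if sep and name and " " not in name:
            headers.append((name.lower(), value.strip()))
    return headers

def h2_unsafe_headers(dump):
    """Return (name, value) pairs that would make an HTTP/2 message malformed."""
    headers = parse_header_dump(dump)
    # Any field named in the Connection header is connection-specific as well.
    nominated = set()
    for name, value in headers:
        if name == "connection":
            nominated |= {t.strip().lower() for t in value.split(",") if t.strip()}
    findings = []
    for name, value in headers:
        if name in CONNECTION_SPECIFIC or name in nominated:
            findings.append((name, value))
        elif name == "te" and value.lower() != "trailers":
            findings.append((name, value))  # TE may only carry "trailers" in HTTP/2
    return findings

# Constructed sample, modelled on the HTTP/1.1 response quoted above.
SAMPLE = """\
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Connection: keep-alive
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
Upgrade: http:/1.1
Server: cloudflare
"""

if __name__ == "__main__":
    for name, value in h2_unsafe_headers(SAMPLE):
        print(f"not allowed in HTTP/2: {name}: {value}")
```

On an HTTP/1.1 dump a `Connection` finding is ordinary hop-by-hop traffic; the fields to trace back to the origin configuration are ones such as `Upgrade`.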

Is there a specific place I could search for that? It’s a bit above my level…

That is a good point. If server returns different content on HTTP than on HTTPS that could be the reason, though I am still surprised that would only hit Apple devices.

@henk-jan, did you switch back?

Right now requests on HTTP 2 work just fine

No I did nothing

Then I am afraid I can’t fully confirm an HTTP 2 issue. HTTP 2 does appear to work.