Getting Certificate trust Issue #1419

Closed
3 tasks done
Python-Just-Do-It opened this issue Mar 23, 2020 · 5 comments

@Python-Just-Do-It

Python-Just-Do-It commented Mar 23, 2020

Check List

Thanks for considering to open an issue. Before you submit your issue, please confirm these boxes are checked.

Issue Description

Invalid certificate Issue

What

I am part of the iOS developer group from USBank, and we are using Kingfisher for our image rendering and caching mechanisms. We have some public-facing image URLs in the app, for example https://www.usbank.com/dam/images/nba/anticipate/template6/HELOC_Illustration3x.png. The issue is that the image is rendered sometimes, but at other times the same image URL gives us back the certificate issue. I couldn't understand what exactly is causing this issue. I know adding "www.usbank.com" as a trusted domain works, but if you guys can provide a reason why it's failing sometimes, it would be helpful for me to answer my management. The user experience in this error scenario is very bad from the app's perspective.

Complete Error details:
A URL session error happened. The underlying error: Error Domain=NSURLErrorDomain Code=-1202 "The certificate for this server is invalid. You might be connecting to a server that is pretending to be “www.usbank.com” which could put your confidential information at risk." UserInfo={NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, _kCFStreamErrorDomainKey=3, NSErrorPeerCertificateChainKey=(\n    "<cert(0x7ff11009e000) s: www.usbank.com i: web-proxy.us.bank-dns.com>",\n    "<cert(0x7ff11002d800) s: web-proxy.us.bank-dns.com i: web-proxy.us.bank-dns.com>"\n), NSErrorClientCertificateStateKey=0, NSErrorFailingURLKey=https://www.usbank.com/dam/images/nba/anticipate/template4/HELOC_Illustration3x.png, NSErrorFailingURLStringKey=https://www.usbank.com/dam/images/nba/anticipate/template4/HELOC_Illustration3x.png, NSUnderlyingError=0x6000023d0300 {Error Domain=kCFErrorDomainCFNetwork Code=-1202 "(null)" UserInfo={_kCFStreamPropertySSLClientCertificateState=0, kCFStreamPropertySSLPeerTrust=<SecTrustRef: 0x600001e60c60>, _kCFNetworkCFStreamSSLErrorOriginalValue=-9813, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9813, kCFStreamPropertySSLPeerCertificates=(\n    "<cert(0x7ff11009e000) s: www.usbank.com i: web-proxy.us.bank-dns.com>",\n    "<cert(0x7ff11002d800) s: web-proxy.us.bank-dns.com i: web-proxy.us.bank-dns.com>"\n)}}, _NSURLErrorRelatedURLSessionTaskErrorKey=(\n    "LocalDataTask <6726D1C3-B2DB-4A31-BADD-D825E03547EC>.<1>"\n), _kCFStreamErrorCodeKey=-9813, _NSURLErrorFailingURLSessionTaskErrorKey=LocalDataTask <6726D1C3-B2DB-4A31-BADD-D825E03547EC>.<1>, NSURLErrorFailingURLPeerTrustErrorKey=<SecTrustRef: 0x600001e60c60>, NSLocalizedDescription=The certificate for this server is invalid. You might be connecting to a server that is pretending to be “www.usbank.com” which could put your confidential information at risk.}

We are using version 5.6.
We are rendering this image inside a view controller.
Xcode version 11.3

Thanks in advance.

@onevcat
Owner

onevcat commented Mar 24, 2020

Not sure what can cause it. This error is given out by URLSession from iOS.

Is this happening on the same device with the same settings? Say, good for a while, and then failed later on? Or is it happening on different devices?

I suggest you check:

  1. Whether the date and time settings on the device are correct.
  2. Is it a DNS or CDN failing when delivering the correct cert to the client?

onevcat closed this as completed Aug 9, 2020

@aerialkoala

same issue

@knight2010

Hi @aerialkoala, did you see the earlier comment, ref: #226?
@onevcat mentioned that we need to use authenticationChallengeResponder, but did not say how to use it.
I have tried many times and in different ways, and at last found one way that may work.

Implement an extension of UIImageView; you can then call the setImage function in other places.

import Kingfisher

extension UIImageView {
    
    func setImage(_ urlStr: String? = nil, placeholder: UIImage? = nil, indicator:Bool = true, _ callback: ((UIImage?) -> Void)? = nil) {
        guard let urlStr = urlStr, let bkUrl = URL(string: urlStr) else {
            self.image = placeholder
            callback?(nil)
            return
        }
        if indicator {
            self.kf.indicatorType = .activity
        }
        self.kf.setImage(with: bkUrl, placeholder: placeholder, completionHandler:  { (result) in
            switch(result){
            case .success(let imageResult): callback?(imageResult.image)
            case .failure: callback?(nil)
            }
        })
    }
}

How do we use AuthenticationChallengeResponder? You may notice the class ImageDownloader,
but you cannot use ImageDownloader.default.authenticationChallengeResponder; you need to use

KingfisherManager.shared.downloader.authenticationChallengeResponder = <#self#>

And you can implement another class,

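class ImageHandler: NSObject, AuthenticationChallengeResponsable {
    static let singleton = ImageHandler()

    func downloader(_ downloader: ImageDownloader, didReceive challenge: URLAuthenticationChallenge, completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        print("downloader invoked.....")
        // serverTrust is nil for challenges that are not server-trust challenges, so avoid the force unwrap.
        guard let serverTrust = challenge.protectionSpace.serverTrust else {
            completionHandler(.performDefaultHandling, nil)
            return
        }
        // Accepts the presented chain without evaluating it, so certificate validation is skipped for every host the downloader contacts.
        completionHandler(.useCredential, URLCredential(trust: serverTrust))
    }
}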

Finally, you may set KingfisherManager.shared.downloader.authenticationChallengeResponder = ImageHandler.singleton in AppDelegate.

Run the project and watch the console to see whether any debug info is printed there.

Hopefully, it will work for you.
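
Added example, not part of the comment above or of Kingfisher: a responder that evaluates the chain instead of accepting it, limited to one host and one extra root. The peer chain in the error log is issued by web-proxy.us.bank-dns.com rather than a public CA; the class name, the host list and the bundled `proxy-root.der` file are assumptions for illustration.

```swift
import Foundation
import Security
import Kingfisher

// Added example. The host list and the bundled "proxy-root.der" are assumptions.
final class AnchoredTrustResponder: NSObject, AuthenticationChallengeResponsable {
    // The downloader holds its responder weakly, so keep a strong reference here.
    static let shared = AnchoredTrustResponder()

    private let allowedHosts: Set<String> = ["www.usbank.com"]
    private let extraAnchors: [SecCertificate]

    override init() {
        // Hypothetical DER-encoded root certificate shipped in the app bundle.
        if let url = Bundle.main.url(forResource: "proxy-root", withExtension: "der"),
           let data = try? Data(contentsOf: url),
           let cert = SecCertificateCreateWithData(nil, data as CFData) {
            extraAnchors = [cert]
        } else {
            extraAnchors = []
        }
        super.init()
    }

    func downloader(_ downloader: ImageDownloader, didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        let space = challenge.protectionSpace
        guard space.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              allowedHosts.contains(space.host), !extraAnchors.isEmpty,
              let trust = space.serverTrust else {
            // Other hosts and challenge types get the system's normal evaluation.
            completionHandler(.performDefaultHandling, nil)
            return
        }
        // Validate the chain for this host name against system roots plus the bundled anchor.
        let policy = SecPolicyCreateSSL(true, space.host as CFString)
        var error: CFError?
        guard SecTrustSetPolicies(trust, policy) == errSecSuccess,
              SecTrustSetAnchorCertificates(trust, extraAnchors as CFArray) == errSecSuccess,
              SecTrustSetAnchorCertificatesOnly(trust, false) == errSecSuccess,
              SecTrustEvaluateWithError(trust, &error) else {
            print("Trust evaluation failed for \(space.host): \(String(describing: error))")
            completionHandler(.cancelAuthenticationChallenge, nil)  // fail closed
            return
        }
        completionHandler(.useCredential, URLCredential(trust: trust))
    }
}
```

Assign it once at launch with `ImageDownloader.default.authenticationChallengeResponder = AnchoredTrustResponder.shared`.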

@onevcat
Owner

onevcat commented Nov 15, 2021

There is actually some sample code in the wiki: https://github.com/onevcat/Kingfisher/wiki/Cheat-Sheet#authentication-with-nsurlcredential

But it is surprising that you need to set it to KingfisherManager.shared.downloader. Unless you are using a different downloader, by default, KingfisherManager.shared.downloader and ImageDownloader.default should point to the same thing in memory:

Screenshot 2021-11-15 23 42 12

https://github.com/onevcat/Kingfisher/blob/master/Sources/General/KingfisherManager.swift#L106-L108

@onevcat
Owner

onevcat commented Nov 15, 2021

Maybe your <#self#> is released for some reason. Remember that the authenticationChallengeResponder is similar to other delegates: it is a weak reference and the downloader won't hold it for you.
