Apple Support certificate error

I just had an…interesting…experience with Apple Support.

My AirPods Max conked out today. Wouldn’t connect to any of my devices, no noise cancelling or transparency. Tried restarting (hold down the noise cancelling button and digital crown until the LED flashes amber) and resetting them (hold down the buttons until the LED flashes amber, then white), neither of which worked.

I contacted Apple Support via Messages. They were very helpful, treating me like an adult and respecting the troubleshooting steps that I’d already performed. It didn’t take long for them to conclude I needed a replacement (they’re still covered by Apple Care until this December). I chose the “Express Replacement” option where Apple sends you a new device up front and puts a hold on your credit card for the cost of the replacement until you return the old device.

This is where it gets interesting. I get an email asking me for my payment info so they can put the hold on my card. However, when I click on the “Pay Securely” button the web page it takes me to has a certificate error. Comes up the same way on multiple devices and multiple browsers.

So I hop back on the Messages app and ask about this. They confirmed that it should be a legit email. They send me another email, same deal. I explain it’s the same with multiple devices/browsers. After I paste the link itself into the chat they say that it’s the correct link and I should go ahead and bypass the certificate error. Okaaay.

I went ahead and paid using the link. We’ll see if any issues arise. Even if they don’t the certificate error doesn’t exactly give me a warm, fuzzy feeling.

Do you use by any chance any man in the middle services? VPN, proxy, Private Relay?

No VPN or proxy. I have Private Relay turned on, but that’s Safari only, the certificate error showed up in Chrome as well.

That’s very odd, and I am completely surprised that the support team asked you to ignore the error. One of the main ideas behind certificates is identity verification, you ensure you communicate to Apple server by validating the certificate.

I see sometime problems like that on devices with a wrong time setting. I use always the automatic time-setting, to make sure, that the time is right.
Maybe this is an issue also here, for some reason?

It’s probably legit, but it’s a huge red flag. It’s really easy to set up auto renewal, so anyone who doesn’t spend the time or money to do so really shouldn’t be trusted with your credit card info.

Interesting. An expired cert still encrypts the traffic, so the “only” risk would be the MITM that mina mentioned. Plus the risk of developing a bad habit of ignoring cert warnings.

Many years ago a programmer in Nashville trying to log into his Hotmail account discovered that Microsoft had let the domain name expire. So he paid to renew the name, logged in and checked his mail. Then sent an email to MS. He was waiting for a reply when I hear about it.

Looks like they worked something out.

It didn’t appear to be a renewal issue. The cert existed and was not expired, it just didn’t trace back to a trusted root certificate.

Ah, then that’s most likely not on Apple’s side.

Probably Apple owns their own CA authority and root certificates. It’s on their side for sure.

Yep. It was an Apple root certificate that wasn’t trusted by Safari for some reason.

I’m an enterprise cloud architect, so I deal a lot in “as long as everyone does their job 100% correctly, of course”. Sounds like this might be a case of the other thing