Let’s Encrypt & iTunes podcasts

Two podcasts I run have disappeared from the iTunes podcast store. After a few baffling evenings spent debugging a rather frustrating “Can’t read feed” error, it turns out the problem is fairly simple.

The iTunes Store’s support for SSL is a bit disappointing, to say the least. To get a podcast into the iTunes store, you need to make sure your SSL set-up is supported by Java 6. That means:

  1. No SNI support;
  2. No support for more than 1024 bit DH parameters.

Note that neither of the above is required for iTunes itself to add your podcast manually via the URL – it’s just the backend of the iTunes Store which appears to be seriously limited. The latter is particularly annoying – reducing the security of my sites just to placate iTunes. Sadly, downgrading to 1024 bit DH parameters didn’t help me in the slightest. I now had a valid Java 6 set-up, but still I couldn’t submit my podcast to the iTunes store.
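As an added check (my own example, not part of the original post and not any Apple, Let’s Encrypt or OpenSSL tooling): a small Python script that builds the `openssl s_client` probe and parses its output, reporting which of the two Java 6 limitations above a host would trip – whether the server still serves the right certificate when no SNI is sent, and whether the negotiated DH group is larger than 1024 bits. The hostnames and the three s_client transcripts embedded below are constructed for illustration; `-noservername` is a real OpenSSL 1.1.1+ option.

```python
import re

# Java 6 limitation described in the post: DH groups larger than this fail.
JAVA6_MAX_DH_BITS = 1024

_TEMP_KEY_RE = re.compile(r"^Server Temp Key: (\w+), (?:[\w-]+, )?(\d+) bits", re.M)
_CIPHER_RE = re.compile(r"^\s*Cipher\s*:\s*(\S+)", re.M)
_SUBJECT_RE = re.compile(r"^subject=(.*)$", re.M)
_CN_RE = re.compile(r"CN\s*=\s*([^,/]+)")
_VERIFY_RE = re.compile(r"^\s*Verify return code: (\d+)", re.M)


def s_client_command(host, port=443, send_sni=True):
    """Command line used to probe the server. With send_sni=False the SNI
    extension is suppressed (-noservername, OpenSSL 1.1.1+), mimicking a
    client such as Java 6 that never sends it."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}"]
    cmd += ["-servername", host] if send_sni else ["-noservername"]
    return cmd


def parse_s_client(output):
    """Pull the handshake facts that matter for the Java 6 checks out of
    `openssl s_client` output (stdout and stderr concatenated)."""
    key = _TEMP_KEY_RE.search(output)
    subject = _SUBJECT_RE.search(output)
    cn = _CN_RE.search(subject.group(1)) if subject else None
    cipher = _CIPHER_RE.search(output)
    verify = _VERIFY_RE.search(output)
    return {
        "handshake_failed": ("no peer certificate available" in output
                             or "handshake failure" in output),
        "temp_key_type": key.group(1) if key else None,
        "temp_key_bits": int(key.group(2)) if key else None,
        "subject_cn": cn.group(1).strip() if cn else None,
        "cipher": cipher.group(1) if cipher else None,
        "verify_code": int(verify.group(1)) if verify else None,
    }


def cn_matches(cn, host):
    """Does the certificate CN cover host? Handles one-label wildcards only.
    s_client does not print SANs; use -verify_hostname for those in practice."""
    cn, host = cn.lower(), host.lower()
    if cn.startswith("*."):
        return host.count(".") == cn.count(".") and host.endswith(cn[1:])
    return cn == host


def java6_issues(parsed, host):
    """List what would stop a Java 6 client (no SNI, DH <= 1024 bits) from
    fetching the feed, given a parse of a no-SNI s_client run."""
    issues = []
    if parsed["handshake_failed"]:
        issues.append("handshake failed without SNI: the server needs SNI to choose a certificate")
    elif parsed["subject_cn"] and not cn_matches(parsed["subject_cn"], host):
        issues.append(f"default certificate served without SNI is for {parsed['subject_cn']}, not {host}")
    if parsed["temp_key_type"] == "DH" and parsed["temp_key_bits"] > JAVA6_MAX_DH_BITS:
        issues.append(f"DH parameters are {parsed['temp_key_bits']} bits; Java 6 handles at most {JAVA6_MAX_DH_BITS}")
    if parsed["verify_code"] not in (None, 0):
        issues.append(f"certificate chain did not verify locally (return code {parsed['verify_code']})")
    return issues


def probe(host, port=443, send_sni=False):
    """Run s_client against a live host (needs openssl on PATH and network)."""
    import subprocess
    r = subprocess.run(s_client_command(host, port, send_sni), input=b"",
                       capture_output=True, timeout=20)
    return parse_s_client(r.stdout.decode(errors="replace") + r.stderr.decode(errors="replace"))


# Constructed transcripts (not real captures). Host answers without SNI with
# the right certificate, but the DH group is 2048 bits.
SAMPLE_DH2048 = """\
CONNECTED(00000003)
---
subject=CN = podcast.example.com
issuer=C = US, O = Let's Encrypt, CN = R3
---
Server Temp Key: DH, 2048 bits
---
New, TLSv1.2, Cipher is DHE-RSA-AES256-GCM-SHA384
SSL-Session:
    Cipher    : DHE-RSA-AES256-GCM-SHA384
    Verify return code: 0 (ok)
"""

# Constructed: 1024-bit DH, but without SNI the server hands out its default vhost cert.
SAMPLE_WRONG_CERT = """\
CONNECTED(00000003)
---
subject=CN = default.example.net
issuer=CN = Example Hosting CA
---
Server Temp Key: DH, 1024 bits
---
SSL-Session:
    Cipher    : DHE-RSA-AES128-SHA
    Verify return code: 0 (ok)
"""

# Constructed: server refuses the handshake entirely when SNI is absent.
SAMPLE_FAIL = """\
CONNECTED(00000003)
error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
---
no peer certificate available
---
New, (NONE), Cipher is (NONE)
"""

if __name__ == "__main__":
    for name, out in [("dh2048", SAMPLE_DH2048), ("wrong-cert", SAMPLE_WRONG_CERT),
                      ("no-handshake", SAMPLE_FAIL)]:
        print(name, java6_issues(parse_s_client(out), "podcast.example.com"))
```

To check a real host, `probe("podcast.example.com")` runs the no-SNI command and feeds the transcript through the same parser; the DH check fires only for finite-field DH (`Server Temp Key: DH, …`), since that is the limitation the post describes.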

The advice from Apple when I reported the problem (via podcastsupport@apple.com), though more responsive than I’d hoped, came in two parts:

The use of SSL within an RSS feed URL can cause errors, so please remove if possible to successfully submit this feed.

I didn’t fancy removing SSL from my site just for the sake of iTunes (and given the set-up of my site, removing it just from the podcast would be difficult), so I pushed back a little, and then received this:

At this time, SSL certificates from Let’s Encrypt are not supported.

Consider an SSL certificate from a different organization. Podcasters have found the following certificates work well:
https://www.godaddy.com/ssl/ssl-certificates.aspx
http://www.symantec.com/ssl-certificates
https://www.thawte.com/ssl/
https://www.globalsign.com/en/ssl/
http://www.entrust.net
https://www.geotrust.com/ssl/
http://www.affirmtrust.com
http://comnodo.com/

Here’s hoping this situation doesn’t last long.


Discussion on Hacker News.

3 Comments

  1. Thank you Dominic for confirming the same issue I had. I had to go back to the Comodo certificate on my CapicúaFM site (CapicúaFM.com redirects to https://tecnotur.us/capicuafm/) and now iTunes is happy again. I continue to use the Let’s Encrypt certificate on all other sites. Apparently, Apple misspelled Comodo in its response to you. It has no n.

  2. Any ideas on whether we can just exclude the URL of the podcast from https? I was thinking of a .htaccess rule that excludes (in my case) /feed/podcast/. That should do it. But I don’t understand .htaccess language well enough to figure that one out on my own.
