Apple-app-site-association not found

Question

I\'m trying to pass the Apple Search Validation Tool, and I\'m having problems with the apple-app-site-association.

For some reason the bot can\'t find my file. But

Answer 1

I am currently contacting Microsoft Support over the same issue. My initial accessment is that Windows Server 2012 R2 has a bug in handling TLS 1.2, which is the HTTPS protocol that AppleBot uses crawl the pages.

Your apple-app-site-association looks perfectly fine

Edit

I found that even with the validation tool not working, when you visit the site on Safari on the iPad/iPhone, the Open in the xxx app does pop out

Update 2015-12-22

Microsoft has gotten back to me. The issue is that AppleBot sends the following Client Hello to initiate SSL connection

Signature Hash Algorithms (4 algorithms)
    Signature Hash Algorithm: 0x0401
        Signature Hash Algorithm Hash: SHA256 (4)
        Signature Hash Algorithm Signature: RSA (1)
    Signature Hash Algorithm: 0x0403
        Signature Hash Algorithm Hash: SHA256 (4)
        Signature Hash Algorithm Signature: ECDSA (3)
    Signature Hash Algorithm: 0x0201
        Signature Hash Algorithm Hash: SHA1 (2)
        Signature Hash Algorithm Signature: RSA (1)
    Signature Hash Algorithm: 0x0203
        Signature Hash Algorithm Hash: SHA1 (2)
        Signature Hash Algorithm Signature: ECDSA (3)

When you look at the certificate hierarchy of your SSL certificate, you see

COMODO RSA Organization Validation Secure Server CA
    Certificate signature algorithm
        PKCS #1 SHA-384 With RSA Encryption

When Windows Server receives the Client Hello from AppleBot, it sees that AppleBot supports SHA1 and SHA256, however, your certificate requires support for SHA384. Thus, according to http://tools.ietf.org/html/rfc5246#section-7.4.1.4.1, there is no way to fulfil the request and Windows Server resets the connection. AppleBot then reports as file not found.

Specifically, RFC5246 says

   If the client provided a "signature_algorithms" extension, then all
   certificates provided by the server MUST be signed by a
   hash/signature algorithm pair that appears in that extension.

Remedy suggested by Microsoft

When you need to use the validator, create a self-signed certificate. By default, Windows uses SHA1 as the certificate signature algorithm. Bind the self-signed cert to your HTTPS endpoint, then use the validator to ensure that your apple-app-site-association file is okay. You can then switch back to the actual SSL certificate you bought.

My warning

Do not put a self-signed cert on your production server. Create another server to test!