Troubleshooting

Self-signed certificates, the home-lab login killer.

A server that works in your desktop browser can still fail on iPhone: iOS enforces stricter transport security than a browser where you clicked past a warning. Here is what reliably works.

01

Why the browser works and the app does not

On the desktop you accepted the certificate warning once, and the browser remembered. iOS apps go through Apple's transport security, which requires a certificate the system actually trusts: complete chain, matching hostname, valid dates. A bare self-signed certificate fails those checks before the app sees a single byte of Deck data.

02

The fix that removes the problem class: a real certificate

A free Let's Encrypt certificate on a public hostname makes every device trust your server with zero per-device setup. If your Nextcloud must stay unreachable from the internet, a DNS-01 challenge issues valid certificates without exposing anything: your reverse proxy (Caddy, Traefik, Nginx Proxy Manager) proves domain ownership through your DNS provider instead of an open port.

03

If you must keep a private certificate authority

Install your CA's root certificate on the iPhone (Settings, General, VPN & Device Management), then enable full trust for it under Settings, General, About, Certificate Trust Settings. Both steps are required; the second is the one everyone misses. The server certificate must be issued by that CA with the exact hostname you type into the app.

04

Checks before blaming the certificate

Open the server URL in Safari on the iPhone itself. Safari's error tells you which rule is broken: untrusted issuer, hostname mismatch, or expired. If Safari on the phone loads the site cleanly with a lock icon, certificates are fine and your problem is elsewhere, usually DNS or reachability.
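The same triage can be run from a computer on the same network. The sketch below is an added example, not part of Deckloud or Nextcloud: it attempts a verified TLS handshake and reports which rule failed, or whether the problem is DNS or reachability instead. It checks against that computer's trust store (or the private CA root passed as `cafile`), not the iPhone's, and the hostname and file name in the closing comment are placeholders.

```python
import socket
import ssl

# OpenSSL verification codes grouped into the rules Safari reports.
# Only the first failing check is reported, so fix it and re-run.
RULES = {
    9: "not yet valid",
    10: "expired",
    18: "untrusted issuer",   # self-signed server certificate
    19: "untrusted issuer",   # self-signed certificate inside the chain
    20: "untrusted issuer",   # issuing CA is not in the trust store
    21: "untrusted issuer",   # incomplete chain sent by the server
    62: "hostname mismatch",
    64: "hostname mismatch",  # IP address not listed in the certificate
}


def classify(err):
    """Map an ssl.SSLCertVerificationError to the broken rule."""
    code = getattr(err, "verify_code", None)
    return RULES.get(code, f"other verification failure ({code})")


def diagnose(host, port=443, cafile=None, timeout=5.0):
    """Return 'ok', the broken certificate rule, or a network verdict.

    cafile: optional PEM file with a private CA root. When given, only
    that root is trusted, which mirrors the private-CA setup.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            # server_hostname must be the exact name typed into the app.
            with ctx.wrap_socket(raw, server_hostname=host):
                return "ok"
    except ssl.SSLCertVerificationError as err:
        return classify(err)
    except ssl.SSLError as err:
        return f"tls failure: {err.reason}"
    except socket.gaierror:
        return "dns failure"
    except OSError:
        return "unreachable"


# Example call (placeholder values):
#   diagnose("cloud.example.lan", cafile="my-root-ca.pem")
```

A result of "ok" with `cafile` set while the phone still fails points at the trust steps on the iPhone rather than at the server certificate.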

FAQ

Practical questions

Can Deckloud just ignore certificate errors?

Bypassing TLS validation would silently break the security your self-hosted setup exists for. The durable fix is a certificate iOS trusts; both options above are free.

Does Let's Encrypt work for a LAN-only server?

Yes, via the DNS-01 challenge. You need a domain you control and a DNS provider with API support; the server itself never has to be reachable from the internet.

Why did it stop working after months of working?

Certificates expire. Self-signed and private-CA certificates are usually issued with long lifetimes and then forgotten; check the expiry date in Safari first.
