Cannot connect to HTTPS homeserver with valid cert, well-known #7783

Open
kajarah opened this issue Apr 29, 2024 · 3 comments
Labels
T-Defect Something isn't working: bugs, crashes, hangs and other reported problems


kajarah commented Apr 29, 2024

Steps to reproduce

  1. Set up a self-hosted homeserver with trusted SSL certificates (Let's Encrypt).
  2. Add a .well-known/matrix/client entry with m.homeserver.base_url set properly to https://server:port.
  3. Open Element iOS and select "I already have an account".
  4. Edit where your conversations live, and type your server hostname.

Cannot send logs as the shake-to-log feature does not work on the login screen. Cannot determine Element iOS version because the settings menu is not accessible until logged in. Assuming 1.11.9.

Outcome

What did you expect?

Element iOS is able to proceed to the login screen.
The same configuration works on the web and on the desktop app. Android not tested.

What happened instead?

Element iOS times out for several minutes before erroring with a cannot connect message.

Your phone model

iPhone 13 Pro

Operating system version

iOS 17.4.1

Application version

Cannot get to the version page; assuming 1.11.9

Homeserver

guardiansgate.games

Will you send logs?

No

@kajarah kajarah added the T-Defect Something isn't working: bugs, crashes, hangs and other reported problems label Apr 29, 2024

kajarah commented Apr 29, 2024

Federation test result:

{
  "WellKnownResult": {
    "m.server": "matrix.guardiansgate.games:8448",
    "CacheExpiresAt": 0
  },
  "DNSResult": {
    "SRVSkipped": true,
    "SRVCName": "",
    "SRVRecords": null,
    "SRVError": null,
    "Hosts": {
      "matrix.guardiansgate.games": {
        "CName": "falchion.pilot.ninja.",
        "Addrs": [
          "47.144.68.216"
        ],
        "Error": null
      }
    },
    "Addrs": [
      "47.144.68.216:8448"
    ]
  },
  "ConnectionReports": {
    "47.144.68.216:8448": {
      "Certificates": [
        {
          "SubjectCommonName": "guardiansgate.games",
          "IssuerCommonName": "R3",
          "SHA256Fingerprint": "fuhxyA94pLihBEvjDwXdbhff7ODKqzE5FTUqhxGbbTc",
          "DNSNames": [
            "*.guardiansgate.games",
            "guardiansgate.games"
          ]
        },
        {
          "SubjectCommonName": "R3",
          "IssuerCommonName": "ISRG Root X1",
          "SHA256Fingerprint": "Z63RFmsCCuYbj1/JaBPATCqliZYHloZVcqPH5zdhPf0",
          "DNSNames": null
        }
      ],
      "Cipher": {
        "Version": "TLS 1.3",
        "CipherSuite": "TLS_AES_256_GCM_SHA384"
      },
      "Checks": {
        "AllChecksOK": true,
        "MatchingServerName": true,
        "FutureValidUntilTS": true,
        "HasEd25519Key": true,
        "AllEd25519ChecksOK": true,
        "Ed25519Checks": {
          "ed25519:a_sYTT": {
            "ValidEd25519": true,
            "MatchingSignature": true
          }
        },
        "ValidCertificates": true
      },
      "Errors": [],
      "Ed25519VerifyKeys": {
        "ed25519:a_sYTT": "AdaAhO1l9vBWLlgi8xianAU0XEsr/kYZzgegVaab5b0"
      },
      "Info": {},
      "Keys": {
        "old_verify_keys": {},
        "server_name": "guardiansgate.games",
        "signatures": {
          "guardiansgate.games": {
            "ed25519:a_sYTT": "5FaeCPwbnfT9bZzbhRdqNLNRjxM1fU6IijUNuogbWMLbV7uZ6F/hmPUDjEWtVsDUOZF1Ppxy9s85zNlLQ5ssBQ"
          }
        },
        "valid_until_ts": 1714510708251,
        "verify_keys": {
          "ed25519:a_sYTT": {
            "key": "AdaAhO1l9vBWLlgi8xianAU0XEsr/kYZzgegVaab5b0"
          }
        }
      }
    }
  },
  "ConnectionErrors": {},
  "Version": {
    "name": "Synapse",
    "version": "1.105.0"
  },
  "FederationOK": true
}


net47 commented Jun 21, 2024

I have the exact same error, federation-test is also ok, web and desktop clients work fine.

My .well-known/matrix/client (censored):

{"m.homeserver":{"base_url":"https://chat.example.com/"},"io.element.e2ee":{"default":false,"secure_backup_required":false}}

My .well-known/matrix/server (censored):

{"m.server":"chat.example.com:443"}

IMG_1304

IMG_1305

The red error message is: No server found under this URL.
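
An added example (not code from Element or from either commenter): an offline Python check that classifies a `/.well-known/matrix/client` response using the action names from the Matrix client-server spec's discovery steps, run against the client document quoted in the comment above. The function name and the `OK` label are this example's own, and the final spec step (a live request to `/_matrix/client/versions`) is left out so the check runs without network access.

```python
import json
from urllib.parse import urlsplit

# IGNORE / FAIL_PROMPT / FAIL_ERROR are the action names used by the Matrix
# spec's discovery steps; OK is this example's own label for "passed so far".
OK, IGNORE, FAIL_PROMPT, FAIL_ERROR = "OK", "IGNORE", "FAIL_PROMPT", "FAIL_ERROR"


def check_client_well_known(status, body):
    """Classify one /.well-known/matrix/client response.

    Returns (action, detail): detail is the normalised base URL on OK,
    otherwise the reason. The final spec step, a live request to
    {base_url}/_matrix/client/versions, is left to the caller.
    """
    if status == 404:
        return IGNORE, "no well-known document published"
    if status != 200 or not body.strip():
        return FAIL_PROMPT, f"status {status} or empty body"
    try:
        doc = json.loads(body)
    except ValueError:
        return FAIL_PROMPT, "body is not JSON (HTML error page or proxy response?)"
    homeserver = doc.get("m.homeserver") if isinstance(doc, dict) else None
    base_url = homeserver.get("base_url") if isinstance(homeserver, dict) else None
    if base_url is None or base_url == "":
        return FAIL_PROMPT, "m.homeserver.base_url not provided"
    if not isinstance(base_url, str):
        return FAIL_ERROR, "base_url is not a string"
    try:
        parts = urlsplit(base_url)
        parts.port  # raises ValueError for a non-numeric or out-of-range port
    except ValueError:
        return FAIL_ERROR, "base_url is not a valid URL"
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return FAIL_ERROR, "base_url needs an http(s) scheme and a host"
    # A trailing slash is allowed; strip it before appending API paths.
    return OK, base_url.rstrip("/")


# The client document quoted in the comment above (already censored there).
SAMPLE = ('{"m.homeserver":{"base_url":"https://chat.example.com/"},'
          '"io.element.e2ee":{"default":false,"secure_backup_required":false}}')

if __name__ == "__main__":
    print(check_client_well_known(200, SAMPLE))
```

An `OK` result here only says the document itself is well formed; a client can still fail to reach the homeserver for reasons outside the document.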


net47 commented Jun 23, 2024

At least in my case, I found the error: iCloud Private Relay (or any other traffic intercepting functionality on the device itself). Disabling it did the trick, after that it was possible to connect to the home matrix server without any issues.
