Problems arose when we were trying to connect an iPhone (IOS v15.x) to a NextCloud CalDAV server. The same device worked well on a second server, but would fail with the message
"Cannot connect using SSL"
on the problematic one. Android devices using DAVx5 and Microsoft Outlook using CalDAV Synchronizer had no problem.
The solution (see https://help.nextcloud.com/t/caldav-and-carddav-ios-issues/73801) is to manually enter the https port number (443) in the URL
https://example.com:443/remote.php/dav/principals/users/yourusername
Replacing example.com with the URL of your server, and yourusername with your NextCloud username.
It appears IOS, by default, attempts port 8443 (alternate https port) first. If your server is firewalled and does a DROP (vs REJECT), IOS abandons the attempt and does not retry port 443. If, however, your firewall passes through, or does a REJECT (untested), IOS retries on port 443 and the setup is successful.
Test the server with nmap. The first sample shows the port is filtered, and can be corrected.
nmap -p 8443 example.com PORT STATE SERVICE 8443/tcp filtered https-alt
This sample shows the port is closed, in which case IOS will correctly retry port 443 and succeed. If you have the problem and the port is showing closed, this is unlikely to help.
nmap -p 8443 example.com PORT STATE SERVICE 8443/tcp closed https-alt
This solution requires no changes to your users, but requires a little work on your part. Somehow, you need to have port 8443 closed, which can be done by explicitly telling your firewall to REJECT, or by passing the port through to the server and letting it respond the port has nothing on it. NOTE: We have not tested the REJECT.
This is more difficult on the non-technical user, but does not require modifying your firewall. By explicitly adding :443 to your URL, IOS will not try port 8443 at all, and the configuration will succeed.
https://example.com:443/remote.php/dav/principals/users/yourusername