
Apple Push Notification service server certificate update #236

Open
bmueller opened this issue Oct 17, 2024 · 10 comments

Comments

@bmueller

Apple just posted this story saying that the Certification Authority for APNs is changing. What do we need to do in order to make sure we have the correct certificate installed? I am running my push notification server on Heroku.

@neilmorton
Contributor

neilmorton commented Oct 18, 2024

Hi @bmueller.

I saw this too. It seems Apple are changing the server certificates again.

As a result we need to ensure that our push notification server Trust Stores include the new server certificate to prevent push notification delivery issues when the change occurs next year.

My understanding is that this means ensuring that SHA-2 Root : USERTrust RSA Certification Authority is included in your Trust Store (/etc/ssl/certs/ on linux).

e.g. USERTrust_RSA_Certification_Authority.pem -> /usr/share/ca-certificates/mozilla/USERTrust_RSA_Certification_Authority.crt

It is possible to verify certificates using openssl s_client -connect gateway.push.apple.com:2195 -CApath /etc/ssl/certs/ although as Apple are not yet using the new cert, it should pass based on existing certificates Apple Worldwide Developer Relations (WWDR) Intermediate Certificate.

When I try to verify with openssl s_client -connect gateway.push.apple.com:2195 -CAfile /usr/share/ca-certificates/mozilla/USERTrust_RSA_Certification_Authority.crt I get a verification error Verification error: unable to get local issuer certificate which I believe is because Apple are still using the current certificate until next year.

In short, I believe that if you make sure that the SHA-2 Root : USERTrust RSA Certification Authority is in your Trust Store, you should be good.

Although I will be testing it on Sandbox on/after 20th January 2025 to make sure.

@bmueller
Author

bmueller commented Oct 18, 2024

Thanks for the detailed reply, @neilmorton! If I'm using Heroku to host my apns2 server, would they be the ones in charge of changing the certificate on their end? I don't remember adding a certificate for this when I first set up the server, but I might be remembering wrong.

@neilmorton
Contributor

Hi @bmueller, I don't use Heroku, but if you open a console on there, can you run openssl version -d to get the configured certificate store (/usr/lib/ssl or /etc/ssl ?) and check the relevant directory to check the certificate is there?

I think you may be able to run something like openssl crl2pkcs7 -nocrl -certfile /etc/ssl/certs/ca-certificates.crt | openssl pkcs7 -print_certs -noout | grep "USERTrust RSA Certification Authority" which should return a couple of lines for subject/issuer if the certificate is installed?

@bmueller
Author

Thanks for getting back to me, @neilmorton - here's the response from the server after I ran that command:

subject=C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
issuer=C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority

So looks like it's safely installed, then? Appreciate all the help, I'm completely lost when it comes to server-side stuff. I'm more of a front-end person 😝

@neilmorton
Contributor

From what I understand, that looks like it should be good @bmueller.

I am going to check with the Sandbox on / after 20th January 2025 to make sure that is working with the new certificate. I will try to remember to post an update here with what I see, so you can compare.

Keep up the great work!

@hector-espillco

What happens if we read the certificate as a file and attach its value in the request, similar to this: cert, err := certificate.FromP12File("../cert.p12", "[password]"). Should we make any change?

@neilmorton
Contributor

If I understand you correctly, it sounds like you are referring to your certificate. This is referring to the Apple Certificate Authority. So you would still need to check that the new certificate is on the server.

@hector-espillco

This part is confusing for us. If we created a certificate (Apple Push Notification service SSL) from the Apple developer page and copied the certificate as a file (not installed) onto our server, why should we update the Apple Certificate Authority? Considering that we read the certificate as a file from an internal API which sends the notification.
Unless apns2 is using the certificate manager of the server internally.

@neilmorton
Contributor

As far as I know, the Apple Certificate Authority is needed to validate the chain?
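As an added Go example (mine, not code from the apns2 project or from anyone in this thread) that ties together the trust-store check behind the grep command above and the chain-validation point here: it builds a constructed stand-in root that merely carries the USERTrust Common Name (it is not the real USERTrust certificate) and a server leaf signed by it, scans a PEM bundle for that root the way the grep does, and shows that TLS chain verification succeeds only when the root is present in the bundle, regardless of any client .p12. The bundle path, host name and every certificate are assumptions or constructed data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"math/big"
	"time"
)

// HasRoot scans a PEM bundle such as /etc/ssl/certs/ca-certificates.crt for a self-signed CA whose Common Name is cn.
func HasRoot(bundle []byte, cn string) bool {
	for b, rest := pem.Decode(bundle); b != nil; b, rest = pem.Decode(rest) {
		c, err := x509.ParseCertificate(b.Bytes)
		if b.Type != "CERTIFICATE" || err != nil {
			continue
		}
		if c.IsCA && c.Subject.CommonName == cn && c.CheckSignatureFrom(c) == nil {
			return true
		}
	}
	return false
}

// VerifyServerChain validates the server's leaf against the bundle the way a TLS client does; the client .p12 plays no part.
func VerifyServerChain(leaf *x509.Certificate, bundle []byte, host string) error {
	pool := x509.NewCertPool()
	pool.AppendCertsFromPEM(bundle) // an empty or incomplete bundle simply yields an empty pool
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err
}

// ConstructedData builds a stand-in root that only carries the USERTrust CN (NOT the real USERTrust certificate) and a leaf it signed.
func ConstructedData() (rootPEM []byte, leaf *x509.Certificate) {
	rpub, rpriv, _ := ed25519.GenerateKey(rand.Reader)
	lpub, _, _ := ed25519.GenerateKey(rand.Reader)
	now := time.Now()
	rootT := &x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		Subject:  pkix.Name{CommonName: "USERTrust RSA Certification Authority"},
		KeyUsage: x509.KeyUsageCertSign, NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour)}
	rootDER, _ := x509.CreateCertificate(rand.Reader, rootT, rootT, rpub, rpriv)
	root, _ := x509.ParseCertificate(rootDER)
	leafT := &x509.Certificate{SerialNumber: big.NewInt(2), DNSNames: []string{"gateway.push.apple.com"},
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, NotBefore: now.Add(-time.Hour), NotAfter: now.Add(time.Hour)}
	leafDER, _ := x509.CreateCertificate(rand.Reader, leafT, root, lpub, rpriv)
	leaf, _ = x509.ParseCertificate(leafDER)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: root.Raw}), leaf
}
```

On a real host you would pass the contents of the bundle reported by openssl version -d to HasRoot, and the leaf obtained from a TLS handshake to VerifyServerChain.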

@hector-espillco

Ok. I understand. In any case, we should wait until January 20 to start the test in sandbox, because the current Apple certificate authority is working without problems.
