
Apple Push Notification service server certificate update

Open bmueller opened this issue 1 year ago • 15 comments

Apple just posted this story saying that the Certification Authority for APNs is changing. What do we need to do in order to make sure we have the correct certificate installed? I am running my push notification server on Heroku.

bmueller avatar Oct 17 '24 18:10 bmueller

Hi @bmueller.

I saw this too. It seems Apple are changing the server certificates again.

As a result we need to ensure that our push notification server Trust Stores include the new server certificate to prevent push notification delivery issues when the change occurs next year.

My understanding is that this means ensuring that SHA-2 Root : USERTrust RSA Certification Authority is included in your Trust Store (/etc/ssl/certs/ on linux).

e.g. USERTrust_RSA_Certification_Authority.pem -> /usr/share/ca-certificates/mozilla/USERTrust_RSA_Certification_Authority.crt

It is possible to verify certificates using openssl s_client -connect gateway.push.apple.com:2195 -CApath /etc/ssl/certs/, although as Apple are not yet using the new cert, it should pass based on the existing Apple Worldwide Developer Relations (WWDR) Intermediate Certificate.

When I try to verify with openssl s_client -connect gateway.push.apple.com:2195 -CAfile /usr/share/ca-certificates/mozilla/USERTrust_RSA_Certification_Authority.crt I get a verification error Verification error: unable to get local issuer certificate which I believe is because Apple are still using the current certificate until next year.

In short, I believe that if you make sure that the SHA-2 Root : USERTrust RSA Certification Authority is in your Trust Store, you should be good.

Although I will be testing it on Sandbox on/after 20th January 2025 to make sure.

neilmorton avatar Oct 18 '24 17:10 neilmorton

Thanks for the detailed reply, @neilmorton ! If I'm using Heroku to host my apns2 server, would they be the ones in charge of changing the certificate on their end? I don't remember adding a certificate for this when I first set up the server, but I might be remembering wrong.

bmueller avatar Oct 18 '24 20:10 bmueller

Hi @bmueller, I don't use Heroku, but if you open a console on there, can you run openssl version -d to get the configured certificate store (/usr/lib/ssl or /etc/ssl ?) and look in the relevant directory to check the certificate is there?

I think you may be able to run something like openssl crl2pkcs7 -nocrl -certfile /etc/ssl/certs/ca-certificates.crt | openssl pkcs7 -print_certs -noout | grep "USERTrust RSA Certification Authority" which should return a couple of lines for subject/issuer if the certificate is installed?

neilmorton avatar Oct 28 '24 16:10 neilmorton

Thanks for getting back to me, @neilmorton - here's the response from the server after I ran that command:

subject=C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
issuer=C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority

So looks like it's safely installed, then? Appreciate all the help, I'm completely lost when it comes to server-side stuff. I'm more of a front-end person 😝

bmueller avatar Oct 29 '24 19:10 bmueller

From what I understand, that looks like it should be good @bmueller.

I am going to check with the Sandbox on / after 20th January 2025 to make sure that is working with the new certificate. I will try remember to post an update here with what I see, so you can compare.

Keep up the great work!

neilmorton avatar Oct 29 '24 19:10 neilmorton

What happens if we read the certificate as a file and attach its value in the request, like this: cert, err := certificate.FromP12File("../cert.p12", "[password]"). Should we make any change?

hector-espillco avatar Dec 10 '24 15:12 hector-espillco

If I understand you correctly, it sounds like you are referring to your certificate. This is referring to the Apple Certificate Authority. So you would still need to check that the new certificate is on the server.

neilmorton avatar Dec 10 '24 19:12 neilmorton

This part is confusing for us. If we created a certificate (Apple Push Notification service SSL) from the Apple developer page and copied the certificate as a file (not installed) to our server, why should we update the Apple Certificate Authority? Considering that we read the certificate as a file from an internal API which sends the notification. Unless apns2 is using the server's certificate manager internally.

hector-espillco avatar Dec 10 '24 20:12 hector-espillco

As far as I know, the Apple Certificate Authority is needed to validate the chain?

neilmorton avatar Dec 10 '24 20:12 neilmorton
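The two checks discussed above, the grep over the CA bundle for the USERTrust subject and the point that the root is needed to validate the server's chain, as an added Go example. This is not code from apns2 or from anyone in this thread. It generates a constructed self-signed root whose Common Name merely mimics the USERTrust root, plus a constructed leaf for a made-up hostname, so it runs offline; no Apple certificate or APNs endpoint is involved. apns2 is a Go library, and a Go TLS client with no explicit RootCAs uses the operating system's root store, which is why the bundle on the server (not the .p12 client certificate) is what matters here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// BundleHasRootCN walks every CERTIFICATE block in a PEM trust bundle
// (for example /etc/ssl/certs/ca-certificates.crt) and reports whether a
// self-signed CA with the given Common Name is present. It is the Go
// equivalent of the openssl crl2pkcs7 | pkcs7 -print_certs | grep pipeline.
func BundleHasRootCN(bundle []byte, cn string) bool {
	for {
		var block *pem.Block
		block, bundle = pem.Decode(bundle)
		if block == nil {
			return false
		}
		if block.Type != "CERTIFICATE" {
			continue
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			continue // skip junk entries rather than abort the scan
		}
		if cert.IsCA && cert.Subject.CommonName == cn && cert.Issuer.CommonName == cn {
			return true
		}
	}
}

// VerifyLeafAgainstBundle builds a root pool from the bundle and verifies
// that the leaf chains to it for dnsName. A non-nil error is what a client
// sees when the issuing root is absent from the trust store.
func VerifyLeafAgainstBundle(leafPEM, bundle []byte, dnsName string) error {
	block, _ := pem.Decode(leafPEM)
	if block == nil {
		return fmt.Errorf("no PEM certificate in leaf input")
	}
	leaf, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM(bundle) {
		return fmt.Errorf("no certificates parsed from bundle")
	}
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: dnsName})
	return err
}

// MakeTestRootAndLeaf is a constructed fixture, not Apple's or Sectigo's
// certificates: a self-signed root with the requested CN and a leaf for host
// signed by it, both returned as PEM.
func MakeTestRootAndLeaf(rootCN, host string) (rootPEM, leafPEM []byte, err error) {
	rootKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	rootTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: rootCN},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	rootDER, err := x509.CreateCertificate(rand.Reader, rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	if err != nil {
		return nil, nil, err
	}
	rootCert, err := x509.ParseCertificate(rootDER)
	if err != nil {
		return nil, nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, rootCert, &leafKey.PublicKey, rootKey)
	if err != nil {
		return nil, nil, err
	}
	rootPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: rootDER})
	leafPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: leafDER})
	return rootPEM, leafPEM, nil
}

func main() {
	const cn = "USERTrust RSA Certification Authority" // label only; constructed root
	root, leaf, err := MakeTestRootAndLeaf(cn, "apns.example.test")
	if err != nil {
		panic(err)
	}
	fmt.Println("root present:", BundleHasRootCN(root, cn))
	fmt.Println("chain verifies with root:", VerifyLeafAgainstBundle(leaf, root, "apns.example.test"))
	fmt.Println("chain verifies without root:", VerifyLeafAgainstBundle(leaf, []byte("-----BEGIN CERTIFICATE-----\nMA==\n-----END CERTIFICATE-----\n"), "apns.example.test"))
}
```

To run it against a real server bundle, read the bundle file into BundleHasRootCN; for the chain check, fetch the server's leaf with openssl s_client -showcerts and pass it as leafPEM. The second and third prints show the difference between a bundle that contains the issuing root and one that does not: only the latter produces an "unknown authority" style error, which is the delivery failure the thread is trying to avoid.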

Ok. I understand. In any case, we should wait until January 20 to start the test in sandbox, because the current Apple certificate authority is working without problems.

hector-espillco avatar Dec 10 '24 21:12 hector-espillco

Hi, will the apns2 include the new SHA-2 Root (USERTrust RSA Certification Authority) automatically, or do we need to manually add it to the trust store? If manual addition is required, should the Readme file be updated accordingly?

keremoge avatar Feb 11 '25 11:02 keremoge

I am going to check with the Sandbox on / after 20th January 2025 to make sure that is working with the new certificate. I will try remember to post an update here with what I see, so you can compare.

@neilmorton did you get a chance to check that everything's working with the new certificate?

bmueller avatar Feb 11 '25 15:02 bmueller

@bmueller I did test it, and can see on my server that the Sandbox is working with the new certificate, albeit it appears that connections to the sandbox seem to be on a round robin of some nature, where I see approximately every other connection using the new certificate, and the others using the old certificate.

My assumption is that Apple have either not updated all servers, or, they are doing it specifically as part of the migration. That said, I have found no useful documentation on this from Apple, but given I am seeing some sandbox connections occur using the new certificate, and when the connections use the new certificate, those connections succeed, I am content that the certificate is on my server, and is used when the connection to Apple requires it.

Given this works in Sandbox, I must assume that it will work for production too. (Production is still the old certificate right now).

My intention is to keep a keen eye on the server on 24th February (although who knows what time), and test again with the production connections, to make 100% sure.

neilmorton avatar Feb 11 '25 15:02 neilmorton

Hi @neilmorton , any luck re-testing this?

gondo avatar Mar 12 '25 11:03 gondo

Hi @gondo , I have just looked again, and both sandbox and production are showing as working with the new certificate on my server, and they do so on every call (i.e. there is no flip flopping as I saw on the sandbox before).

So yes, all is working ok on my server, using APNS2, and I can see Apple is using the new certificate on both calls on every connection.

neilmorton avatar Mar 12 '25 13:03 neilmorton