My app uses APNs to send notifications. After one year, the cert file has expired,
but my CSR (.certSigningRequest) cannot be found. Here is the question:
if I create a new CSR file and a new iOS aps_distribution, do I need to submit a new
app to the App Store?
No you don't.
Your certificate is only used to access Apple's APNS from your server (or your PUSH service provider's). Your app will not expire.
Edit:
I use javapns-2.2 to send notifications to my app. When I use the
aps_development cert, I can receive the message, but when I use the
newly created aps_distribution, it shows send success, but my app cannot
receive the message. Do you know why? Or do you know how to test production
push?
As Aanabidden stated, don't forget that you can't use a production certificate for development and a development certificate for production. Apple's servers are separated for those schemes and an invalid certificate won't work.
Related
We already have existing valid APNS certificate for push notifications in production which will be expiring in a month. If I generate new certificate now, will it make existing certificate invalid?
Note:- I want to do this to get rid of window between the time certificate expires and generating a new certificate, so that push notifications do not get missed.
Edit:- With current architecture, it is not easy to immediately start using new certificate
No, generating a new APNS certificate will not invalidate your existing active certificate, and it will not affect your current push notification functionality. Push notification certificates are not part of your build, so you only need to change certificates on your server.
You can also check this answer and discussion to better understand how this works:
Renew Push certificate and keep current App Store App working
I'm developing an iOS MDM Server as my project and I have almost completed.
I created all the necessary files manually including the mobileconfig file and installed the profile.
The device polls the URL mentioned in Server URL often with an Idle message. I read that the Idle message indicates that the device is checking the server for commands and we can send a plist response as a command.
My question is, if all the devices poll the MDM Server frequently, what is the need for the .pem file and APNs certificate? Should we send a push notification to the device like below, as we send push notifications to our iOS apps?
{
"aps": {
"id": 10,
"message": "Hello world!",
"from": "Ram"
}
}
If this is what we should do, what should we send in the payload?
EDIT :
I found out the solution for sending push notifications.
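// Build the APNs client with the push certificate, pointed at the production gateway
com.notnoop.apns.ApnsService apnsservice = com.notnoop.apns.APNS.newService().withCert(<pushCertStream>,<pushCertPass>).withProductionDestination().build();
// Send the MDM wake-up payload carrying pushMagic
apnsservice.push(token, com.notnoop.apns.APNS.newPayload().mdm(pushMagic).build());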
When push notification is sent like this, the device responds with an Idle Message and we can send commands to the device.
Few more doubts :
1) When does Apple check the SSL Certificate of the profile? I'm sure it checks during profile installation because my profile installation has failed many times due to a wrong SSL Certificate. Does Apple also check the SSL Certificate when sending a push notification, as I have noticed a class com.notnoop.exceptions.InvalidSSLConfig? Does it check whether the server sending the push notification has the SSL Certificate specified in the profile?
EDIT
When server send push notification to the device, the device responds with an Idle Message to the URL specified in Server URL. What happens if the SSL Certificate is invalid at this point. Does it produce an error?
2) Can multiple servers have the same push notification certificate to reduce the load on a single server to send push notification and send commands to devices? Will there be any conflict?
3) Is there any limit to the no. of push notifications sent using a single push notification certificate? If not, can it handle any number of push notifications?
4) Can the Check-in URL and Server URL in the profile be different?
EDIT
Can the Check-in URL and Server URL be of different servers i.e .,
CheckIN URL : https://www.domainone.com/MDM/
Server URL : https://www.domaintwo.com/MDM/
5) First question in this link (least important). Though the solution talks about expiration of the SSL Certificate, it does not say anything about changing the SSL Certificate.
EDIT 2
When a push notification certificate is renewed, how does a device with profile already installed update the certificate details in the device's profile?
1) When the MDM Server sends a push notification to the device, the device responds to the Server by contacting the Server URL. The SSL Certificate of the server has to match the SSL Certificate Payload in the profile. If there are any conflicts, there will be an error. So, the SSL Certificate is checked every time the device contacts the Server URL. The below error will be produced if there are any conflicts.
Desc : The Server Certificate for "Server URL" is invalid.
Domain : MCHTTPTransactionErrorDomain
2) Yes, multiple servers can have the same push notification certificate. Each server just needs to know the password of the certificate.
3) I don't think there is any limit to the no. of push notifications sent. Check below links.
Reference 1
Reference 2
4) Your Server URL and Check-in URL can be different but should be of same host.
5) If the SSL Certificate is changed, the profile has to be deleted and a new profile has to be installed.
1) Hmm, AFAIK if your server has an SSL certificate then signing the profile with that certificate only verifies it. In terms of functionality I don't think it does anything. However, you do also need a certificate that is related to your server; this is the one that goes inside the plist as part of the payload. It'll need to be the same one that the server has. (Usually in a .p12 format.)
2) Yes you can have multiple servers because essentially sending a push notification is just a request to apple with proper credentials.
3) I don't believe there is a limit to how many push notifications a certificate can send... but more so how frequently you're sending them (e.g. flooding Apple with push notification requests).
4) Yes I strongly believe so but you should double check this
5) Again SSL certificate only just makes the profile verified AFAIK (if we're strictly talking about mdm). (edit: I forgot that there was another .p12 certificate that you could embed inside the profile. This provides authentication between the device and the server and will need to be the same SSL cert).
Recently our Azure Notification Hub became a very mysterious entity. When Apple devices register we can see them in Service Bus Explorer and as soon as we try sending any notifications (from SBE or Azure Portal) we get a "Notification Successful" message, but nothing appears on the device. Refreshing registration list uncovers the fact that the registrations were deleted.
We are not removing them anywhere in code, and the TTL has not expired.
Any suggestions?
Notification hub cleans up registrations with invalid tokens during the send flow. It looks like, for some reason, APNS rejects your tokens and NH just removes the registrations. Make sure:
you are getting the token from a physical device (not an emulator);
the APNS certificate uploaded to NH is not expired;
the APNS certificate uploaded to NH corresponds to the APNS endpoint you are using in the application (sandbox or production).
Turns out the front end guys were unsubscribing too eagerly. Removing the unsubscribe code sorted out the issue. Also there was a problem with the APNS certificate, in order to run the front end app in debug it requires a sandbox certificate, not a production one, for the messages to be delivered properly.
We had this exact error, but it turned out we were accidentally using a "distribution" provisioning profile with a "development"/sandbox push notification certificate. After switching to a development provisioning profile, push notifications worked!
I have implemented APNS in my iOS application project (by following Ray Wenderlich's tutorial).
After installing the app on my device I am getting an alert that "AppName" would like to send you Push Notifications, with "OK" or "Don't allow". I pressed OK.
Now after running code I successfully get device token and then send that device token to my server.
The server guy is saving my device token and sends me a push message, and then he is getting a "message sent successfully" message, but my device is not receiving any message.
It's really becoming difficult for me to figure out where I am going wrong. Some say your certificate might be corrupt. If my certificate is corrupt then how is my app getting a device token?
I am using iPhone3GS(iOS6) device (I know it's really old model).
I have been trying to figure this out for more than a week, but no success.
So guys I need your help to figure where I am going wrong.
Thanks
The app doesn't use the certificate in order to register to APNS and get a device token. Only the server uses the certificate. Therefore it is possible the certificate is corrupt or expired.
It's also possible the server is trying to push to one push environment (sandbox or production) while the app was built with a provisioning profile that contains push entitlements for the other environment.
In addition, make sure the certificate being used by the server belongs to the same push environment that the server is connecting to.
My app is already on the app store and with push notifications active and working (using production certificate). Now I need to add badges (before there were only alerts) in the application (already implemented on the server side). So for testing I would need a development SSL certificate. So following are my queries:
Do I have to install the development SSL certificate on my server so that I can test on iPhone using development cert?
Will it not conflict with the already installed production SSL cert on the server.
Do I have to add badges in both didReceiveRemoteNotification: and didFinishLaunchingWithOptions: delegates using below code:
code section:
// Read the badge count from the "aps" dictionary of the notification payload
NSString* alertValue = [[userInfo valueForKey:@"aps"] valueForKey:@"badge"];
NSLog(@"my message-- %@",alertValue);
int badgeValue= [alertValue intValue];
[[UIApplication sharedApplication] setApplicationIconBadgeNumber:badgeValue];
Any suggestions?
Just to add some additional color to the Certificate/Server/SSL questions and answers that have been proposed:
Prod/Sandbox APNS Picked Based on Codesign Settings
For the sake of being thorough, let's start with a quick review of the APNS environment:
Applications that are Code Signed with an iOS Development certificate connect to and wait for Push Notifications to be delivered from the Sandbox APNS Environment
Applications that are Code Signed with an iOS Distribution certificate (AppStore or Distribution > Ad-Hoc) connect to and wait for Push Notification to be delivered from the Production APNS Environment.
This setting is automatically determined by Xcode during the build process and is only configurable by selecting the type of certificate used in the CodeSign step.
Question 1: Do I have to install the Development SSL Certificate on my Server to Test Development Certificate Signed Apps Push Notifications?
Yes, once an app is Code Signed, its APNS setting is sealed into the binary using the rules in the previous section. It is then up to the Developer's server code to know that the APNS token that device will generate goes with the Sandbox APNS environment and that the server should route that request for a push notification to gateway.sandbox.push.apple.com instead.
Some developers choose to set up a single server that is capable of making these distinctions while others choose to set up side-by-side instances of their servers, one set to send to Production and another set to send to the Sandbox.
Either way, the decision resides with the individual developer and what their server-side code is capable of doing and the relative complexity of setting up a second server. Either way, users might get upset if you accidentally disabled Production push notifications while testing out upcoming features then forgot to reenable them later, so definitely be careful when poking around production code!
Question #2: Will the Development and Production SSL Certificate Conflict?
From the raw SSL standpoint no they won't conflict -- you should be able to download and open/examine both of those certificates on a machine other than the server and see that the contents of the certificates are in fact different. Importing them into the same server environment (again from an SSL perspective) is perfectly allowable. To ensure they are different, when requesting the certificates make absolutely sure you create two different certificateSigningRequests and you'll inherently wind up with different data.
From the Developer's Server-side Push Code standpoint -- It depends. See the conversation in Question 1 regarding server-side code capabilities. If the server-code was designed with this in mind then in theory the answer is also 'No they will not conflict', but that is a determination the individual developer needs to make about their own server-side code capabilities.
Yes, you should install the development SSL certificate on server. You also have to use sandbox push-notification service (gateway.sandbox.push.apple.com) with this certificate.
I guess they won't conflict. You should just use production SSL for AppStore app, and development SSL for test app.
It's better not to increment or decrement or set the badge value in code. Your server should return the badge value in the notification's body. For example, you can't handle a push when your app is not running, thus you can't change the badge value in code. But if your push contains a badge value, it will be set and displayed correctly anyway.
Here is the notification body example. Pass badge value for key "badge":
{"aps":{"alert":"This is message.","badge":7}}
By the way, the didReceiveRemoteNotification: method is always called when your app receives a push. Even if the app is down, it will be called when you launch the app from the push.
I just wanted to add something to the existing answers. While the development cert won't conflict with the production cert installed on the same server, you might get conflicts with the device tokens stored in your DB. When you use a development cert, you get development device tokens from Apple, which are not the same as the production device tokens you'll get for your production cert. If you keep both development and production device tokens in the same database (which you probably will if you use the same server for both development and production), you will have trouble if you send notifications with a development device token using the production cert or vice versa.
That's why it is recommended by Apple to use separate servers for development and production.
This quote is taken from Troubleshooting Push Notifications, which is a very useful document:
The most common problem is an invalid device token. If the token came
from the sandbox environment, such as when you are testing a
development build in house, you can't send it to the production push
service. Each push environment will issue a different token for the
same device or computer. If you do send a device token to the wrong
environment, the push service will see that as an invalid token and
discard the notification.
Note: It is recommended that you run a separate instance of your
provider for each push environment to avoid the problem of sending
device tokens to the wrong environment.
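An added example, not taken from any post above or from Apple's document: a provider that keeps sandbox and production tokens in one database can record the push environment with each token and refuse to send a token through the other environment's gateway or with an expired certificate. The names `PushCert`, `pick_cert` and `plan_sends` are hypothetical, the certificate metadata is constructed rather than read from a real .p12, `gateway.push.apple.com` is assumed as the production counterpart of the sandbox host named above, and preferring the latest-expiring certificate during a renewal overlap is this example's own choice.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Legacy binary-gateway hosts: the sandbox name is quoted on this page,
# the production name is assumed as its counterpart.
GATEWAYS = {"sandbox": "gateway.sandbox.push.apple.com",
            "production": "gateway.push.apple.com"}

@dataclass(frozen=True)
class PushCert:            # hypothetical record for one push cert on the server
    label: str
    environment: str       # "sandbox" or "production"
    not_after: datetime    # expiry date of the certificate

def pick_cert(certs, environment, now):
    """Return the unexpired cert for this environment that expires last."""
    live = [c for c in certs
            if c.environment == environment and c.not_after > now]
    return max(live, key=lambda c: c.not_after, default=None)

def plan_sends(registrations, certs, now):
    """Group (token, environment) rows into one batch per push environment.

    Returns (batches, skipped). batches maps environment to
    (gateway host, cert label, tokens). skipped holds tokens with an unknown
    environment or no usable cert, so they never reach the wrong gateway.
    """
    batches, skipped = {}, []
    for token, environment in registrations:
        known = environment in GATEWAYS
        cert = pick_cert(certs, environment, now) if known else None
        if cert is None:
            skipped.append(token)
            continue
        batch = batches.setdefault(
            environment, (GATEWAYS[environment], cert.label, []))
        batch[2].append(token)
    return batches, skipped

# Constructed sample data: a production cert close to expiry, its renewal
# (both valid at once), and an expired sandbox cert.
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
CERTS = [PushCert("prod-old", "production", NOW + timedelta(days=30)),
         PushCert("prod-new", "production", NOW + timedelta(days=395)),
         PushCert("dev-old", "sandbox", NOW - timedelta(days=1))]
REGISTRATIONS = [("a1" * 32, "production"), ("b2" * 32, "sandbox"),
                 ("c3" * 32, "production"), ("d4" * 32, None)]
```

Tokens that land in `skipped` are the ones a provider would otherwise report as "sent successfully" without any delivery, which is the symptom described in several of the questions above.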