I am following this blog (link) to create an MDM server.
In the 7th step they strip the password from the private key by running this command:
openssl rsa -in key.pem -out private.key
But when I run this command in my terminal I get this error:
unable to load Private Key
routines:PEM_read_bio:no start line:pem_lib.c:703:Expecting: ANY PRIVATE KEY
I am working on a Mac. All the steps before that worked fine. In the previous step they asked me to enter a passphrase; I pressed Enter without a passphrase. Is this the reason for this error?
Hope you understand the problem.
Thanks
> I pressed Enter without a passphrase, is this the reason for this error?
Yes, you are correct — since you didn't use a passphrase there's nothing to strip out in that step.
Unfortunately the tutorial failed to mention anything about that before you arrived at your conclusion. A passphrase shouldn't (normally) be necessary anyway, as the important private key extracted earlier should be all that you would need.
MDM vendor CSR signing tips (a bit easier to understand in my opinion)
Apple Push Certificates Portal (related help documentation).
I am getting the error "ERROR: Failed to run ssh-add"
I am trying to ssh into a remote machine, so:
SSH credentials are set
The pipeline script is calling ssh-agent
On executing the job I get the error below
I have tried this reported bug https://issues.jenkins-ci.org/browse/JENKINS-50181 but it is not working, and the bug has already been resolved in the latest version 1.17, which I have now.
Can anyone suggest how to fix this issue?
This is just a wild guess since this could have different reasons.
But I just had this error, and my problem was that when I created the credential in Jenkins I forgot to add a line break at the end of the input.
...
...<all the usual content>...
...
-----END OPENSSH PRIVATE KEY-----<linebreak needed here>
I got this error when I put the SSH public key into the Jenkins credential instead of properly putting the private key.
Note that the private key is the long one that looks like this:
-----BEGIN RSA PRIVATE KEY-----
... lots of unreadable random characters for many lines ...
-----END RSA PRIVATE KEY-----
I got this error when I didn't put the private key's passphrase into Jenkins.
I thought the key didn't have a passphrase because I wasn't having to enter it when using the key manually. It turns out my local keyring was automatically taking care of this.
I ran into this problem after copying the credentials.xml file from an old installation to a new one. The key appears to be stored in a hashed format in the credentials.xml file, and maybe the hash is unique to the version of Jenkins. I just had to find the private key on my system and then paste it in the UI along with the additional line break as suggested by #peedee.
I had the same issue when I tried to use OpenSSH key format in Jenkins credentials - remote session always fails with ERROR: Failed to run ssh-add.
The solution was to provide a PEM key generated with -m PEM flag. So the private key format should be: "-----BEGIN RSA PRIVATE KEY-----" instead of "-----BEGIN OPENSSH PRIVATE KEY-----" etc.
I have created development and production pem files. I have followed these steps:
1) developer.apple.com: in the App IDs section, check that the Bundle ID supports a Development SSL Certificate;
if not, create that certificate (which supports APNs)
2) open Keychain
3) right-click on your certificate and export it.
4) you will get a .p12 file from there, e.g. hope_APNS.p12
5) open the console (Terminal) and run the following command (use the created .p12 file here as input)
openssl pkcs12 -in apns-dev-cert.p12 -out apns-dev-cert.pem -nodes -clcerts
6) you will get a .pem file for it (e.g. hope_APNS.pem)
The development pem file is working fine. But there is some problem with the production pem file. When I set the production pem file and send a push notification from the console, I don't get the push on my device.
That's an old thread, but I was looking for the same answer and hope this solution helps someone... it worked for me.
You can test your PEM key using the following command, which should hang if successful until you press enter:
openssl s_client -connect gateway.sandbox.push.apple.com:2195 -cert pnpush.pem -key pnpush.pem
The above tests the PEM Key in sandbox mode. For production mode, use the following command:
openssl s_client -connect gateway.push.apple.com:2195 -cert pnpush.pem -key pnpush.pem
Thanks to Craig at https://www.pubnub.com/knowledge-base/discussion/234/how-do-i-test-my-pem-key
There are many reasons why you may not be getting push notifications via a production .pem certificate on your device. Besides making sure you generated the distinct production certificate correctly, here are a few things to check:
- You have an Ad-Hoc or Distribution build running on your test device when testing a production certificate
- You have successfully collected the production push token of said device (which will always be different from the development push token)
- You are able to connect to the Apple Push Notification PRODUCTION servers (gateway.push.apple.com, port 2195) with the new certificate (i.e. you're able to open a socket connection and it does not close immediately)
- You have checked that your certificate is not expired
Failing all that, you really need to check what is going on at the network level when you send something via that certificate. If it's invalid, it won't connect at all to Apple. If it's valid but the push token you're sending is not recognized by Apple, an error code will be returned (if you are using the binary interface) or the connection will be severed. You may also want to look into the APNS Feedback API to gain more insight on what is going wrong.
You may want to check out this answer and this other answer for more tips.
Over the past few days, I've been working on getting CI working with an external mac mini running OS X Server. However, I have been having many problems with OS X Server 3.2.1 and XCode 6.1b3.
It looks like Apple fixed an issue in Xcode 6.1b3 which didn't put the correct provisioning profiles into Portal.keychain. However, my integrations aren't even running now.
After running a clean OS X build, Xcode Server won't integrate. I successfully connected to the server and created a bot. If I visit "SERVER.local" on my development machine, I see the bot that I created.
Everything is set up properly (including the integrate immediately checkbox), however my integrations sit in the "pending" state. I checked the system.log, and nothing seems to be happening.
This could be completely unrelated, but every time I click on a pending integration, I receive this error in system.log:
NSFileCoordinator only handles URLs that use the file: scheme. This one does not:
x-code-xcsbot://XXX
I'm not sure if this is a new problem introduced in OS X Server 3.2.1, or if it's just a setup issue. Apparently no one else has had this issue; I couldn't find anything on Google/SO.
This is still happening, but if you just want to nudge the server to wake up and run, and aren't prepared to delete your Xcode Server configuration (provisioningProfiles, credentials and bots are deleted (as I recall)), simply run this terminal command:
sudo -u _xcsbuildd /Applications/Xcode.app/Contents/Developer/usr/bin/xcsbuildd
Note that if you have multiple revs of Xcode in your Applications folder you may have named them differently, so the command may be slightly different. In my case, I've got a file named 'Xcode 6.1.1', so the command would be:
sudo -u _xcsbuildd /Applications/Xcode\ 6.1.1.app/Contents/Developer/usr/bin/xcsbuildd
This appears to happen when running XCode beta builds in OS X Server.
Note that this command will ❗️delete all your bots❗️
Run sudo xcrun xcscontrol --reset to reset.
https://devforums.apple.com/message/1051403#1051403
Here's a solution that may fix the problem without requiring to reset Xcode Server.
What's the problem?
First, check whether this answer applies by inspecting the xcsnginx.log log file:
sudo tail /Library/Developer/XcodeServer/Logs/xcsnginx.log
Search for the following line at the end of the log:
nginx: [emerg] SSL_CTX_use_PrivateKey_file("/Library/Developer/XcodeServer/Certificates/xcsnginx.key") failed (SSL: error:0906A068:PEM routines:PEM_do_header:bad password read error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib)
If you don't see that entry in the log, I'm afraid this answer won't help you. If you do see that entry, you may continue.
Why does it happen?
Xcode Server internally runs an Nginx web server (on port 20543) named xcsnginx that acts as a proxy between some services. This server uses a TLS/SSL certificate to ensure communications remain secure. The involved files are the following:
xcsnginx.crt: contains the PEM certificate.
xcsnginx.key: contains the private key for the certificate.
xcsnginx.pass: contains the passphrase for the private key.
As far as I understand, the private key is stored unencrypted, which means xcsnginx.pass should be empty (and seems to be reset every time Xcode Server starts).
However, for some reason, at some point the private key in xcsnginx.key was exported as an encrypted key. I've no idea how or why this could happen, but it did happen on my server, so I'll assume it may happen on your server too. The consequence is that xcsnginx cannot load the certificate and fails to launch.
You can verify that xcsnginx is not running by executing:
pgrep xcsnginx || echo "Not running"
How to fix it?
Rather than resetting Xcode Server from scratch, we can:
export the identity again from the xcsnginx.keychain keychain or
restore the previous certificate and key or
create a new certificate and key for xcsnginx.
So let's have a look at each option.
Option 1
Copies of the certificate and private key are stored in the xcsnginx.keychain keychain located in /Library/Developer/XcodeServer/Keychains. This keychain is protected by a passphrase stored in a file named XCSNginxKeychainSharedSecret in the /Library/Developer/XcodeServer/SharedSecrets folder.
If you're familiar with OS X keychains, you may retrieve the certificate and the key from the keychain.
However, manipulating keychains using the command line is a real nightmare, so I'll leave this as an exercise for the reader (or an editor).
Option 2
The /Library/Developer/XcodeServer/Certificates folder may contain a backup of your certificate and key. Let's find out:
sudo find /Library/Developer/XcodeServer/Certificates -name "*.original"
If you're lucky, you should get the following result:
/Library/Developer/XcodeServer/Certificates/xcsnginx.crt.original
/Library/Developer/XcodeServer/Certificates/xcsnginx.key.original
/Library/Developer/XcodeServer/Certificates/xcsnginx.pass.original
Which means you can restore the original files:
sudo cp /Library/Developer/XcodeServer/Certificates/xcsnginx.crt.original /Library/Developer/XcodeServer/Certificates/xcsnginx.crt
sudo cp /Library/Developer/XcodeServer/Certificates/xcsnginx.key.original /Library/Developer/XcodeServer/Certificates/xcsnginx.key
sudo cp /Library/Developer/XcodeServer/Certificates/xcsnginx.pass.original /Library/Developer/XcodeServer/Certificates/xcsnginx.pass
Option 3
If you cannot restore the previous certificate and keychains, you may decide to just generate new ones like this:
sudo openssl req -new -x509 -newkey rsa:2048 -nodes -out /Library/Developer/XcodeServer/Certificates/xcsnginx.crt -keyout /Library/Developer/XcodeServer/Certificates/xcsnginx.key -subj /CN=your-server.example.com -days 1000 -batch
where your-server.example.com is replaced with the DNS address of your server. Ideally the certificate should be issued by the Xcode Server Root Certificate Authority, but using a self-signed certificate doesn't seem to be a problem (as far as I know / for the moment / your mileage may vary).
Finally
Now we just have to wait until the system starts xcsnginx again. That should happen automatically after a minute or less. You can verify that xcsnginx did start with:
pgrep xcsnginx || echo "Not running"
You can use restart instead of reset from the command line to restart the server. This will terminate the bot you are running that has frozen up.
sudo xcrun xcscontrol --restart
I've run into this several times. I've done the xcrun xcscontrol --reset and it does work, but I'm getting tired of that. As my bots get more complicated with pre/post integration triggers I don't want to set them up again.
What worked for me this time was just going through all mostly recent integrations and deleting any canceled ones. Cancelling a bot run can leave it in an odd state.
After I deleted a bunch of integrations I restarted the machine the server is running on, and my integrations started working again!
Hope that helps someone.
I tried and tried to generate a .pem file, every time generating certificates from the client's account and then generating the .pem file using the terminal, but it's of no use. Can anyone give a step-by-step procedure?
To enable Push Notification for your iOS app, you will need to create and upload the Apple Push Notification Certificate (.pem file) to us so we will be able to connect to Apple Push Server on your behalf.
(Updated version with updated screen shots Here)
Step 1: Login to iOS Provisioning Portal, click "Certificates" on the left navigation bar. Then, click "+" button.
Step 2: Select Apple Push Notification service SSL (Production) option under Distribution section, then click "Continue" button.
Step 3: Select the App ID you want to use for your BYO app (How to Create An App ID), then click "Continue" to go to next step.
Step 4: Follow the steps "About Creating a Certificate Signing Request (CSR)" to create a Certificate Signing Request.
To supplement the instruction provided by Apple. Here are some of the additional screenshots to assist you to complete the required steps:
Step 4 Supplementary Screenshot 1: Navigate to Certificate Assistant of Keychain Access on your Mac.
Step 4 Supplementary Screenshot 2: Fill in the Certificate Information. Click Continue.
Step 5: Upload the ".certSigningRequest" file which is generated in Step 4, then click "Generate" button.
Step 6: Click "Done" to finish the registration, the iOS Provisioning Portal Page will be refreshed that looks like the following screen:
Then Click "Download" button to download the certificate (.cer file) you've created just now. - Double click the downloaded file to install the certificate into Keychain Access on your Mac.
Step 7: On your Mac, go to "Keychain", look for the certificate you have just installed. If unsure which certificate is the correct one, it should start with "Apple Production IOS Push Services:" followed by your app's bundle ID.
Step 8: Expand the certificate; you should see the private key with either your name or your company name. Select both items by using the "Select" key on your keyboard, right-click (or cmd-click if you use a single-button mouse), and choose "Export 2 items", like below:
Then save the p12 file with name "pushcert.p12" to your Desktop - now you will be prompted to enter a password to protect it, you can either click Enter to skip the password or enter a password you desire.
Step 9: Now the most difficult part - open "Terminal" on your Mac, and run the following commands:
cd
cd Desktop
openssl pkcs12 -in pushcert.p12 -out pushcert.pem -nodes -clcerts
Step 10: Remove pushcert.p12 from Desktop to avoid mis-uploading it to Build Your Own area. Open "Terminal" on your Mac, and run the following commands:
cd
cd Desktop
rm pushcert.p12
Step 11 - NEW AWS UPDATE: Create a new pushcert.p12 to submit to AWS SNS. Double-click on the new pushcert.pem, then export only the one highlighted in green.
Credit: AWS new update
Now you have successfully created an Apple Push Notification Certificate (.p12 file)! You will need to upload this file to our Build Your Own area later on. :)
There's much simpler solution today — pem. This tool makes life much easier.
For example, to generate or renew your push notification certificate just enter:
fastlane pem
and it's done in under a minute. In case you need a sandbox certificate, enter:
fastlane pem --development
And that's pretty much it.
$ cd Desktop
$ openssl x509 -in aps_development.cer -inform der -out PushChatCert.pem
Thanks to all the above answers.
I hope you have a .p12 file. Now, open Terminal and write the following command. Set the terminal path to where you have put the .p12 file.
$ openssl pkcs12 -in yourCertifcate.p12 -out pemAPNSCert.pem -nodes
Enter Import Password: <Just enter your certificate password>
MAC verified OK
Now your .pem file is generated.
Verify .pem file
First, open the .pem in a text editor to view its content. The certificate content should be in the format shown below. Make sure the pem file contains both the certificate content (from BEGIN CERTIFICATE to END CERTIFICATE) as well as the certificate private key (from BEGIN PRIVATE KEY to END PRIVATE KEY):
> Bag Attributes
>     friendlyName: Apple Push Services:<Bundle ID>
>     localKeyID: <>
> subject=<>
> -----BEGIN CERTIFICATE-----
> <Certificate Content>
> -----END CERTIFICATE-----
> Bag Attributes
>     friendlyName: <>
>     localKeyID: <>
> Key Attributes: <No Attributes>
> -----BEGIN PRIVATE KEY-----
> <Certificate Private Key>
> -----END PRIVATE KEY-----
Also, you can check the validity of the certificate by going to the SSLShopper Certificate Decoder and pasting the certificate content (from BEGIN CERTIFICATE to END CERTIFICATE) to get all the info about the certificate, as shown below:
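Added example, not from any of the answers above: a small POSIX shell checker that classifies a PEM file the way the answers here do by eye, covering the "no start line" error from the first question, the Jenkins ssh-add cases (missing final line break, OpenSSH rather than PEM format), the encrypted xcsnginx.key case, and the cert-plus-key check in this answer. It uses only grep and tail, so it complements rather than replaces openssl; the sample files it writes are constructed placeholders, not real keys.

```shell
#!/bin/sh
# pem_check FILE prints one line of flags describing a PEM file:
#   cert=yes|no    a "-----BEGIN CERTIFICATE-----" block is present
#   key=yes|no     some private-key block is present
#   keyfmt=...     pkcs1 (BEGIN RSA PRIVATE KEY), pkcs8 (BEGIN [ENCRYPTED] PRIVATE KEY),
#                  openssh (BEGIN OPENSSH PRIVATE KEY) or none
#   enc=yes|no     the key is passphrase-protected (what "openssl rsa -in ... -out ..." strips)
#   eol=yes|no     the file ends with a newline (the Jenkins ssh-add answers need one)
pem_check() {
    f=$1
    cert=no key=no keyfmt=none enc=no eol=no
    grep -q -- '-----BEGIN CERTIFICATE-----' "$f" && cert=yes
    if grep -q -- '-----BEGIN RSA PRIVATE KEY-----' "$f"; then
        key=yes; keyfmt=pkcs1
        # A PKCS#1 key signals encryption with a Proc-Type header, not in the BEGIN line
        grep -q '^Proc-Type: 4,ENCRYPTED' "$f" && enc=yes
    elif grep -q -- '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$f"; then
        key=yes; keyfmt=pkcs8; enc=yes
    elif grep -q -- '-----BEGIN PRIVATE KEY-----' "$f"; then
        key=yes; keyfmt=pkcs8
    elif grep -q -- '-----BEGIN OPENSSH PRIVATE KEY-----' "$f"; then
        key=yes; keyfmt=openssh   # encryption lives inside the base64 body; not detected here
    fi
    # $(...) strips trailing newlines, so an empty result means the last byte is a newline
    [ -z "$(tail -c 1 "$f")" ] && eol=yes
    printf 'cert=%s key=%s keyfmt=%s enc=%s eol=%s\n' "$cert" "$key" "$keyfmt" "$enc" "$eol"
}

# pem_advise FILE maps the flags to the failure modes discussed in these threads.
pem_advise() {
    flags=$(pem_check "$1")
    out=
    case $flags in *key=no*)         out="$out${out:+; }no private key block (openssl reports 'no start line')" ;; esac
    case $flags in *keyfmt=openssh*) out="$out${out:+; }OpenSSH format, re-export with ssh-keygen -m PEM" ;; esac
    case $flags in *enc=yes*)        out="$out${out:+; }passphrase-protected, strip it with openssl rsa" ;; esac
    case $flags in *eol=no*)         out="$out${out:+; }no trailing newline, add one before pasting into Jenkins" ;; esac
    printf '%s\n' "${out:-ok}"
}

# make_samples writes four constructed (fake, placeholder) files and prints the directory.
make_samples() {
    d=$(mktemp -d "${TMPDIR:-/tmp}/pemdemo.XXXXXX")
    # 1. the shape "openssl pkcs12 -nodes -clcerts" produces: certificate + unencrypted PKCS#8 key
    printf '%s\n' 'Bag Attributes' '    friendlyName: Apple Push Services:com.example.app' \
        '-----BEGIN CERTIFICATE-----' 'MIIC...constructed placeholder...' '-----END CERTIFICATE-----' \
        'Bag Attributes' '    friendlyName: example key' 'Key Attributes: <No Attributes>' \
        '-----BEGIN PRIVATE KEY-----' 'MIIE...constructed placeholder...' '-----END PRIVATE KEY-----' \
        > "$d/apns.pem"
    # 2. a key exported with a passphrase (the xcsnginx.key case, or step 15 before "openssl rsa")
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: AES-256-CBC,00000000000000000000000000000000' '' \
        '...constructed placeholder...' '-----END RSA PRIVATE KEY-----' > "$d/enc.key"
    # 3. an OpenSSH-format key pasted without its final newline (the Jenkins case)
    printf '%s\n%s\n%s' '-----BEGIN OPENSSH PRIVATE KEY-----' 'b3Bl...constructed placeholder...' \
        '-----END OPENSSH PRIVATE KEY-----' > "$d/id_ed25519"
    # 4. a public key pasted where a private key was expected
    printf '%s\n' 'ssh-rsa AAAAB3...constructed placeholder... user@host' > "$d/id_rsa.pub"
    echo "$d"
}

# demo runs both checks over the samples and cleans up.
demo() {
    dir=$(make_samples)
    for p in "$dir"/*; do
        printf '%s: %s -> %s\n' "${p##*/}" "$(pem_check "$p")" "$(pem_advise "$p")"
    done
    rm -rf "$dir"
}
demo
```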
Apple has changed the name of the certificate that is issued. You can now use the same certificate for both development and production. While you can still request a development-only certificate, you can no longer request a production-only certificate.
It is very simple after exporting Cert.p12 and key.p12.
Please find below the command for generating the 'apns' .pem file.
https://www.sslshopper.com/ssl-converter.html
Command to create apns-dev.pem from Cert.pem and Key.pem:
openssl rsa -in Key.pem -out apns-dev-key-noenc.pem
cat Cert.pem apns-dev-key-noenc.pem > apns-dev.pem
The above commands are useful for both Sandbox and Production.
According to Troubleshooting Push Certificate Problems
The SSL certificate available in your Apple Developer Program account contains a public key but not a private key. The private key exists only on the Mac that created the Certificate Signing Request uploaded to Apple. Both the public and private keys are necessary to export the Privacy Enhanced Mail (PEM) file.
Chances are the reason you can't export a working PEM from the certificate provided by the client is that you do not have the private key. The certificate contains the public key, while the private key probably only exists on the Mac that created the original CSR.
You can either:
Try to get the private key from the Mac that originally created the CSR. Exporting the PEM can be done from that Mac or you can copy the private key to another Mac.
or
Create a new CSR, new SSL certificate, and this time back up the private key.
I am using this link to generate a pem file for push notifications, but I can't understand the following steps...
Installing the SSL Certificate and Key on the Server
You should install the SSL distribution certificate and private cryptographic key you obtained earlier on the server computer on which the provider code runs and from which it connects with the sandbox or production versions of APNs. To do so, complete the following steps:
Open Keychain Access utility and click the My Certificates category in the left pane.
Find the certificate you want to install and disclose its contents. You'll see both a certificate and a private key.
Select both the certificate and key, choose File > Export Items, and export them as a Personal Information Exchange (.p12) file.
Servers implemented in languages such as Ruby and Perl often are better able to deal with certificates in the Personal Information Exchange format. To convert the certificate to this format, complete the following steps:
In Keychain Access, select the certificate and choose File > Export Items. Select the Personal Information Exchange (.p12) option, select a save location, and click Save.
Launch the Terminal application and enter the following command after the prompt: openssl pkcs12 -in CertificateName.p12 -out CertificateName.pem -nodes.
Copy the .pem certificate to the new computer and install it in the appropriate place.
Finally I solved generating push notification certificates.
Complete steps for generating push notification certificates:
1) open Keychain and request a certificate as shown in the image below.
2) change the common name to your project_name.
3) in Keychain, open the key; you can see two keys, public and private
4) right-click on the private key and export it.
5) name it project_name_key.p12
6) add a password, e.g. 1234
7) enter your system login password and save it. Now you have the following certificates.
8) now go to your developer account (https://developer.apple.com/devcenter/ios/index.action) and go to Identifiers; create a new one if it does not exist, and edit its settings.
if push notification is disabled, enable it from Edit.
9) for development you can create the first one, and for distribution you can select the last one.
10) after selecting and generating, download the APNs certificate, put it on the desktop and double-click it.
11) then open Keychain and go to Certificates; you can see your push service; open it and you see the private key.
export it with the password 1234.
12) now you have the following files.
13) open Terminal and go to the desktop.
14) generate the .pem file using the following line for the push_cert.p12 file
openssl pkcs12 -clcerts -nokeys -out apns-dev-cert.pem -in push_cert.p12
then enter the password: 1234
15) generate the .pem file using the following line for the project_name_key.p12 file
openssl pkcs12 -nocerts -out apns-dev-key.pem -in project_name_key.p12
then enter the password: 1234
Enter PEM pass phrase:1234
Verifying - Enter PEM pass phrase:1234
16) enter the following 3 lines in Terminal
openssl rsa -in apns-dev-key.pem -out apns-dev-key-noenc.pem
Enter pass phrase for apns-dev-key.pem:1234
cat apns-dev-cert.pem apns-dev-key-noenc.pem > apns-dev.pem
17) you have the following certificate.
18) send the apns-dev.pem file to the server, and its password is 1234
19) for development you must use the gateway.sandbox.push.apple.com server,
and for distribution you can use the gateway.push.apple.com server.
For Production Push Notification
I took reference from this link:
To enable Push Notification for your iOS app, you will need to create and upload the Apple Push Notification Certificate (.pem file) to us so we will be able to connect to Apple Push Server on your behalf.
(Updated version with updated screen shots Here http://www.apptuitions.com/generate-pem-file-for-push-notification/)
Step 1: Login to iOS Provisioning Portal, click "Certificates" on the left navigation bar. Then, click "+" button.
Step 2: Select Apple Push Notification service SSL (Production) option under Distribution section, then click "Continue" button.
Step 3: Select the App ID you want to use for your BYO app (How to Create An App ID), then click "Continue" to go to next step.
Step 4: Follow the steps "About Creating a Certificate Signing Request (CSR)" to create a Certificate Signing Request.
To supplement the instruction provided by Apple. Here are some of the additional screenshots to assist you to complete the required steps:
Step 4 Supplementary Screenshot 1: Navigate to Certificate Assistant of Keychain Access on your Mac.
Step 4 Supplementary Screenshot 2: Fill in the Certificate Information. Click Continue.
Step 5: Upload the ".certSigningRequest" file which is generated in Step 4, then click "Generate" button.
Step 6: Click "Done" to finish the registration, the iOS Provisioning Portal Page will be refreshed that looks like the following screen:
Then Click "Download" button to download the certificate (.cer file) you've created just now. - Double click the downloaded file to install the certificate into Keychain Access on your Mac.
Step 7: On your Mac, go to "Keychain", look for the certificate you have just installed. If unsure which certificate is the correct one, it should start with "Apple Production IOS Push Services:" followed by your app's bundle ID.
Step 8: Expand the certificate; you should see the private key with either your name or your company name. Select both items by using the "Select" key on your keyboard, right-click (or cmd-click if you use a single-button mouse), and choose "Export 2 items", like below:
Then save the p12 file with the name "pushcert.p12" to your Desktop. Now you will be prompted to enter a password to protect it; you can either press Enter to skip the password or enter a password you desire.
Step 9: Now the most difficult part - open "Terminal" on your Mac, and run the following commands:
cd
cd Desktop
openssl pkcs12 -in pushcert.p12 -out pushcert.pem -nodes -clcerts
Step 10: By using this link (click here)
you can check whether the .PEM file is valid or not. If it's valid, you will get a success message with a notification like:
For Development Push Notification
Just watch the following YouTube link (click here) and enjoy.
Here's a screenshot of what you have to select in step 3. It's not two certificates. It's a certificate + key.
I would suggest a much more simple solution. Just use Certifire.
Certifire is a macOS application that generates Apple Push Notification Certificates with just one click in a couple of seconds.
Here are the steps:
1. Download the app.
2. Log in using your Apple Developer Account credentials.
3. Choose the App-ID
4. Click "Generate" button
5. You're done!
You will get APN certificates in .pem format as well as in .p12 format.
Even more, you will also get combined .pem and .p12 files (key + cert)!
What's more, you will also get no-passphrase versions of all these certificates!
Just to add to Nitin's very well described answer. After creating the pem, you can validate it with:
openssl s_client -connect gateway.sandbox.push.apple.com:2195 -cert MyKey.pem -key MyKey.pem
where MyKey is the name of your pem file.
Replace the gateway.sandbox.push.apple.com with gateway.push.apple.com, to connect to the live APNS.
Right-click on your APNs certificate and click Export. This will generate the .p12 certificate on the desktop.
Open Terminal, cd to the desktop, and convert the .p12 into .pem using the following command:
openssl pkcs12 -in Certificates.p12 -out Certificates.pem -nodes -clcerts