I'm trying to set up a Rails application using the Rapns library to send push notifications. The project already has this gem configured, I am working toward upgrading it to Rpush. However, I'm having a lot of trouble setting up my certificates.
I've generated all the key pairs and certificates I need with much help from the following articles:
Apple Push Notifications, how do I properly export my cert?
http://quickblox.com/developers/How_to_create_APNS_certificates
http://www.raywenderlich.com/32960/apple-push-notification-services-in-ios-6-tutorial-part-1
Running the following command
openssl s_client -connect gateway.sandbox.push.apple.com:2195 -cert /path/to/my/sandbox.pem -debug -showcerts
returns the following
Verify return code: 20 (unable to get local issuer certificate)
So with help from Apple's docs I downloaded a CA certificate and ran the following
openssl s_client -connect gateway.sandbox.push.apple.com:2195 -cert /path/to/my/sandbox.pem -debug -showcerts -CAfile /path/to/my/entrust_2048_ca.cer
and got
Verify return code: 0 (ok)
Success! However, my call to run the notifying application
bundle exec rapns development
Outputs 2 lines initially
[2014-08-04 14:29:42] [my app ID] Started, 1 handler.
[2014-08-04 14:29:43] [my app ID] Connected to feedback.sandbox.push.apple.com:2196
but then does nothing as I attempt to trigger notifications. Additionally it will re-prompt me for my PEM pass phrase periodically, making me think it's not really authenticating (which may be a symptom of the return code 20 from before).
I didn't actually fix the certificate itself (I don't think) by downloading the CA certificate. How do I incorporate that into the PEM so this works, or otherwise configure Rapns such that I don't need the CA cert?
Related
The following code worked fine on Heroku-18 stack
p12_file = File.read(uploaded_p12_file_path)
pkcs12 = OpenSSL::PKCS12.new p12_file, password
but after upgrading to Heroku-22 Stack the same code throws the following error:
PKCS12_parse: unsupported
The user can upload its p12 file with its password via an input form on the web.
We're using Ruby 3.1.2. Strangely, it works on the local development machines but not on Heroku. Does anyone have a clue? Any help is appreciated.
I just got bit with the same error. There were a number of updates to the PKCS12 API in OpenSSL 3, among them a deprecation of legacy algorithms and that's what got us. Depending on your setup, if you are able to convert your certificate to X509 you should be able to get back on track. First thing is this: a p12 certificate contains both the certificate and its key in the same file. With X509 certificates, they need to be separate files. You can export them both with these commands:
# Export certificate
openssl pkcs12 -legacy -in my_certificate.p12 -clcerts -nokeys -out my_certificate.pem
# Export key
openssl pkcs12 -legacy -in my_certificate.p12 -clcerts -nocerts -out my_certificate.key
I'm using them in an SSLContext which is the place where I add the private key:
OpenSSL::SSL::SSLContext.new.tap do |ctx|
ctx.add_certificate(
OpenSSL::X509::Certificate.new(File.read("my_certificate.pem")),
OpenSSL::PKey::RSA.new(File.read("my_certificate.key"), #cert_password),
[#root_cert]
)
end
I hope you can use the same concepts in your app.
I did a protection for my Web Service calls with Man-in-the-Middle Attacks in iOS with SSL Pinning tuto
I would like to renew my certificate on the iOS each two month because this the time my server has to renew his certificate.
For now I do it manually by taping on my mac command line:
openssl s_client -connect <server>:443 </dev/nullsl x509 -outform DER -out <name.der> with OpenSSL under Swift ?
The problem is that I have to send to my customer a new app for install, with a new certificate in the bundle each month.
For this, I would like to use the OpenSSL GitHub for iOS to generate it locally on the ipad/iphone.
I cannot find the way to use it, do you know what is the code I must write to execute that command in Swift by using this github?
Thanks in advance.
I'm attempting to follow these instructions to set up my S3 API to send push notifications to my iOS app.
I'm making a mess of the certificate issues, so I was hoping someone could help sort me through them.
So far, I've created a CSR, uploaded it to Apple Dev portal, and downloaded a .cer file. I then converted the cer into a pem
openssl x509 -in apns-dev.cer -inform DER -out apns-dev.pem
Then I ran into the instruction to "Open Keychain Access, select Keys, and then highlight your app private key." Not knowing what my "app private key" was, I've tried a couple things:
Grabbing the preexisting private-key file in the app's cert folder (an RSA private key which was not, to my knowledge, used to generate the above CSR).
Exporting my default system private key as a p12 and then converting it, per AWS instructions, into a pem key.
Trying to generate a new CSR directly from my system private key in Keychain Access
However, whenever I follow the instructions to "test" the private/public key pair (openssl s_client -connect gateway.sandbox.push.apple.com:2195 -cert apns-dev.pem -key apns-private.pem), I get this:
error setting private key
41047:error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch:/BuildRoot/Library/Caches/com.apple.xbs/Sources/OpenSSL098/OpenSSL098-59.60.1/src/crypto/x509/x509_cmp.c:406:
I've looked at the following questions, but haven't been able to use their answers to figure this out:
Does the apple push notification distribution certificate signing request need to be the same as that used for the distribution cert to sign the app? - When I try to "expand" the cert in Keychain Access, all I see is info. There is no private key info, and I can't "Export 2 items"
Apple Push Notification error setting private key (the self-given answer here conflicts with the above, and at any rate, I no longer have the original CSR)
Unable to load client certificate private key file - My private key file isn't empty, and I did enter the passphrase correctly
Any idea what could be going on? I'm just shooting in the dark here.
Don't use Apple's instructions to generate the CSR.
Generate key:
openssl genrsa -out $app.key 2048
Generate CSR:
openssl req -new -key $app.key -out $app.csr
And enter the relevant data.
Upload CSR to Apple. Download certificate.
Convert certificate to PEM:
openssl x509 -inform DER -in $app.cer -out $app.pem
Now you have the key in $app.key, and a PEM-encoded certificate in $app.pem. You can then install both on the box that will be connecting to APNS (depending on the software you use, they might be separate files, or you may just append the key to the certificate file).
I have created development and production pem files. I have followed this steps:
1) developer.apple.com : AppIDs section check Bundle id supports Development SSL Certificate
if no then create that certificate (which supports APNS)
2) open key chain
3) right click on our certificate and export certificate.
4) you will get .p12 file from here : like : hope_APNS.p12
5) open console(terminal) and run following command (use created .p12 file here as input)
openssl pkcs12 -in apns-dev-cert.p12 -out apns-dev-cert.pem -nodes -clcerts
6) you will get .pem file for the same. (like hope_APNS.pem)
Developement pem file is working fine. But there is some in production pem file. When i set production pem file and send push notification from console. I won't get push on my device.
That's an old thread but I was looking for the same answer and hope this solution help someone... worked for me.
You can test your PEM key using the following command, which should hang if successful until you press enter:
openssl s_client -connect gateway.sandbox.push.apple.com:2195 -cert pnpush.pem -key pnpush.pem
The above tests the PEM Key in sandbox mode. For production mode, use the following command:
openssl s_client -connect gateway.push.apple.com:2195 -cert pnpush.pem -key pnpush.pem
Thanks to Craig at https://www.pubnub.com/knowledge-base/discussion/234/how-do-i-test-my-pem-key
There are many reasons why you may not be getting push notifications via a production .pem certificate on your device. Besides making sure you generated the distinct production certificate correctly, here are few things to check:
You have an Ad-Hoc or Distribution build running on your test device
when testing a production certificate
You have successfully
collected the production push token of said device (which will
always be different from the development push token)
You are able to connect to Apple Push Notification PRODUCTION servers
(gateway.push.apple.com, port 2195) with the new certificate (ie/
you're able to open a socket connection and it does not close
immediately)
You have checked that your certificate is not expired
Failing all that, you really need to check what is going on at the network level when you send something via that certificate. If it's invalid, it won't connect at all to Apple. If it's valid but the push token you're sending is not recognized by Apple, an error code will be returned (if you are using the binary interface) or the connection will be severed. You may also want to look into the APNS Feedback API to gain more insight on what is going wrong.
You may want to check out this answer and this other answer for more tips.
using this link i try to make push notification apps .
but, this used old apple panel for generate ssl and provision certificate.
any one generate ssl and provision using new apple panel?
below step for generate ck.pem
1) $ openssl x509 -in aps_developer_identity.cer -inform der -out
PushChatCert.pem
2) $ openssl pkcs12 -nocerts -out PushChatKey.pem -in PushChatKey.p12
Enter Import Password:
MAC verified OK
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
3) $ cat PushChatCert.pem PushChatKey.pem > ck.pem
4) $ telnet gateway.sandbox.push.apple.com 2195
Trying 17.172.232.226...
Connected to gateway.sandbox.push-apple.com.akadns.net.
Escape character is '^]'.
is this correct step?
please help me......
thanks
You can still use the Provisioning and Development guide. They haven't modified it for the new Certificates, Identifiers & Profiles page (which replaced the iOS Provisioning Portal) yet, but it doesn't make much difference.
In the following screen click on Identifiers :
Then click on the relevant App ID (or create a new one if it doesn't exist).
Then click Edit.
Then make sure the check box next to Push Notifications is enabled (check it if it's not).
Then click Create Certificate... for either Development or Production.
The rest of the process should be identical to the way it was before the portal change, so you can either use the instructions in the link I provided, or instructions from other tutorials (such as the one in the link you provided).