I wrote a python app that sends push notification to Apple devices.
Suddenly notifications are no longer received, on all the iOS apps.
It looks like Apple returns an error after sending the notification.
I would like to know if the following response looks normal?, or if there is an issue with the certificates?
$ openssl s_client -connect gateway.push.apple.com:2195 -cert /home/ubuntu/webapps/notification/certificates/relax_app/production/apns-dev-cert.pem -key /home/ubuntu/webapps/notification/certificates/relax_app/production/apns-dev-key-noenc.pem
CONNECTED(00000003)
depth=1 C = US, O = "Entrust, Inc.", OU = www.entrust.net/rpa is incorporated by reference, OU = "(c) 2009 Entrust, Inc.", CN = Entrust Certification Authority - L1C
verify error:num=20:unable to get local issuer certificate
verify return:0
140149704410784:error:14094415:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate expired:s3_pkt.c:1195:SSL alert number 45
140149704410784:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:591:
---
Certificate chain
0 s:/C=US/ST=California/L=Cupertino/O=Apple Inc./OU=iTMS Engineering/CN=gateway.push.apple.com
i:/C=US/O=Entrust, Inc./OU=www.entrust.net/rpa is incorporated by reference/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification Authority - L1C
1 s:/C=US/O=Entrust, Inc./OU=www.entrust.net/rpa is incorporated by reference/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification Authority - L1C
i:/O=Entrust.net/OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Certification Authority (2048)
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFEzCCA/ugAwIBAgIETBzSBzANBgkqhkiG9w0BAQUFADCBsTELMAkGA1UEBhMC
VVMxFjAUBgNVBAoTDUVudHJ1c3QsIEluYy4xOTA3BgNVBAsTMHd3dy5lbnRydXN0
Lm5ldC9ycGEgaXMgaW5jb3Jwb3JhdGVkIGJ5IHJlZmVyZW5jZTEfMB0GA1UECxMW
KGMpIDIwMDkgRW50cnVzdCwgSW5jLjEuMCwGA1UEAxMlRW50cnVzdCBDZXJ0aWZp
Y2F0aW9uIEF1dGhvcml0eSAtIEwxQzAeFw0xMjA1MDMxODIyMjhaFw0xNDA1MzEw
OTI5MDZaMIGHMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTESMBAG
A1UEBxMJQ3VwZXJ0aW5vMRMwEQYDVQQKEwpBcHBsZSBJbmMuMRkwFwYDVQQLExBp
VE1TIEVuZ2luZWVyaW5nMR8wHQYDVQQDExZnYXRld2F5LnB1c2guYXBwbGUuY29t
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAt4u3gyk9GeQGIH7pmYSA
604LxMLvaUZkgeXOLRzH/48LZgPD5megHhsvjj6du2xzOQKb7iCVYF4HnHf3k00R
3iXtvEmqRU87uw8K2LPu9ZfoNcJpu2e45eF27dXjvjCmvlMDsPxFBer9nAex3P4o
mGCld73SfcZuIB3bQ6BFTIM6je+0nNwP9yuSF4XjOrOx+1+ifgGwyl9T/qa1TYWW
K/LmObAmpbBYwklu33NVOR4BBrZ+GAdj1irdZqh3s3R+b/ANaAAbx2YYrScnIP15
OG7oYNKO3zzIQ0KaBjJjv30j5dXFQaIiphUWhuhQ3rRMmG7xV5UWVqHMriMLD4bS
PQIDAQABo4IBWTCCAVUwCwYDVR0PBAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMB
BggrBgEFBQcDAjAzBgNVHR8ELDAqMCigJqAkhiJodHRwOi8vY3JsLmVudHJ1c3Qu
bmV0L2xldmVsMWMuY3JsMGUGCCsGAQUFBwEBBFkwVzAjBggrBgEFBQcwAYYXaHR0
cDovL29jc3AuZW50cnVzdC5uZXQwMAYIKwYBBQUHMAKGJGh0dHA6Ly9haWEuZW50
cnVzdC5uZXQvbDFjLWNoYWluLmNlcjBABgNVHSAEOTA3MDUGCSqGSIb2fQdLAjAo
MCYGCCsGAQUFBwIBFhpodHRwOi8vd3d3LmVudHJ1c3QubmV0L3JwYTAfBgNVHSME
GDAWgBQe8auJBvhJDwEzd+4Ueu4ZfJMoTTAdBgNVHQ4EFgQULkkf+RyRucrBgaw2
Iu+V+aUctU4wCQYDVR0TBAIwADANBgkqhkiG9w0BAQUFAAOCAQEAPSQnfPByAF+Y
ML2kwujhbKMZw81oF3HGkdSG756Jt5cqiBJB+KS+4ZThpTgAr9EytfHtl4NPoBwZ
I0a2gLvmO2HNe5OqVSdOqyPCCFN0aBZTYwLVHM3HmoUbPn+Zh19g7Me4AC69IR9i
RoJmzSkagR+Z7z7veiSzfeUHaGa0YUsyc7iMerF1rFfYJvXFVp4D1gA672nTzctZ
0e0yItFXJrN6FL/K+NKCk/O3HCn95oVEPtnEWF2Qm91AZKoCYV1u3VzWtlZsyjQL
wqfQNpr+VUe1SQ1DInr2enCQrCBnH7R3JVscj91cfEiH1SydpRrNFICT40nphEWK
higEADTWUQ==
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=Cupertino/O=Apple Inc./OU=iTMS Engineering/CN=gateway.push.apple.com
issuer=/C=US/O=Entrust, Inc./OU=www.entrust.net/rpa is incorporated by reference/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification Authority - L1C
---
No client certificate CA names sent
---
SSL handshake has read 2670 bytes and written 2047 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : SSLv3
Cipher : AES256-SHA
Session-ID:
Session-ID-ctx:
Master-Key: F2FEDB49795DA0B3084B850521A514EB60EE9959C40753AB79B799CA4F6225DAA4FE7084B8CF6D7BF9A4AEB92B9B3A06
Key-Arg : None
PSK identity: None
PSK identity hint: None
Start Time: 1385498375
Timeout : 7200 (sec)
Verify return code: 20 (unable to get local issuer certificate)
---
Note
The response returns the following:
verify error:num=20:unable to get local issuer certificate
Does this error prevent sending push notifications? or can it be ignored?
Thanks in advance.
SOLUTION
The issue was related with expired and revoked certificates.
New certificates were generated according to this great tutorial:
http://www.raywenderlich.com/32960/
Related
I issued my own CA certificate to enable https for my development environment.
On my Windows PC i was able to add my root CA. On iOS i can install it and it shows that it is verified but when i go to General -> About -> Certificate Trust Settings the certificate does not show up.
Some information about the root CA.
Input:
openssl x509 -in ca.pem -text -noout
Output:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
[...]
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = Some-Country, ST = Some-State, O = Some-Company
Validity
Not Before: Jul 7 18:45:56 2022 GMT
Not After : Jul 4 18:45:56 2032 GMT
Subject: C = Some-Country, ST = Some-State, O = Some-Company
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (4096 bit)
Modulus:
[...]
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
[...]
X509v3 Authority Key Identifier:
keyid:[...]
X509v3 Basic Constraints: critical
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
[...] ```
My mistake was that the root CA I created was valid for 10 years. Since 1st September 2020 Apple limits the validity period to a maximum of 397 days.
Source: https://support.apple.com/en-us/HT211025
I followed this document:
https://developer.zendesk.com/embeddables/docs/ios-chat-sdk/push_notifications
And combined Cert PEM and Key PEM.
I used openssl s_client -connect gateway.sandbox.push.apple.com:2195 -cert Certificates.pem -key PrivateKey.pem
openssl s_client -connect gateway.sandbox.push.apple.com:2195 -cert
Certificates.pem -key PrivateKey.pem
CONNECTED(00000007) depth=1 C = US, O = "Entrust, Inc.", OU = See
www.entrust.net/legal-terms, OU = "(c) 2012 Entrust, Inc. - for
authorized use only", CN = Entrust Certification Authority - L1K
verify error:num=20:unable to get local issuer certificate verify
return:0
--- Certificate chain 0 s:/C=US/ST=California/L=Cupertino/O=Apple Inc./CN=gateway.sandbox.push.apple.com i:/C=US/O=Entrust,
Inc./OU=See www.entrust.net/legal-terms/OU=(c) 2012 Entrust, Inc. -
for authorized use only/CN=Entrust Certification Authority - L1K 1
s:/C=US/O=Entrust, Inc./OU=See www.entrust.net/legal-terms/OU=(c) 2012
Entrust, Inc. - for authorized use only/CN=Entrust Certification
Authority - L1K i:/O=Entrust.net/OU=www.entrust.net/CPS_2048
incorp. by ref. (limits liab.)/OU=(c) 1999 Entrust.net
Limited/CN=Entrust.net Certification Authority (2048)
--- Server certificate
-----BEGIN CERTIFICATE----- MIIHSDCCBjCgAwIBAgIQWxjih7/N45IAAAAAUOIMDDANBgkqhkiG9w0BAQsFADCB
ujELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUVudHJ1c3QsIEluYy4xKDAmBgNVBAsT
H1NlZSB3d3cuZW50cnVzdC5uZXQvbGVnYWwtdGVybXMxOTA3BgNVBAsTMChjKSAy
MDEyIEVudHJ1c3QsIEluYy4gLSBmb3IgYXV0aG9yaXplZCB1c2Ugb25seTEuMCwG
A1UEAxMlRW50cnVzdCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSAtIEwxSzAeFw0x
ODA0MjQwMjUyNTNaFw0yMDA0MjAwMzIyNTJaMHQxCzAJBgNVBAYTAlVTMRMwEQYD
VQQIEwpDYWxpZm9ybmlhMRIwEAYDVQQHEwlDdXBlcnRpbm8xEzARBgNVBAoTCkFw
cGxlIEluYy4xJzAlBgNVBAMTHmdhdGV3YXkuc2FuZGJveC5wdXNoLmFwcGxlLmNv
bTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALGgtoDaNuLjk9KpFkLp
xK1RhWdXMkGJlZeut40b4DabOUNsgmL9w0pGvFRa4u79Lzn8mDLQ06u71Ko5oVwV
da1VyI6+QX2naiTbAKVYB9qCdDim/TmXvnQUzhA5E4qXwmJlJd1QDCsV5kiy0SXJ
YNNXe/TAtO66t+zzT6WO9cVgqkeiEHq71khG5y4ST7E3uuPrlfHc/fcepneGNFnk
Y00ENxsTqPffvuTadKRXTdH3XKEUznrSCmi7wLQVAy3jvOJQ8q/tkuKl3ESbPZuW
qHHHN4VQFY+p9zdhGrmucIC7BvaEkZeDAvyYUCnJ8dtxLaCumR47esrEA3/p6YTN
Tn0CAwEAAaOCA40wggOJMCkGA1UdEQQiMCCCHmdhdGV3YXkuc2FuZGJveC5wdXNo
LmFwcGxlLmNvbTCCAfQGCisGAQQB1nkCBAIEggHkBIIB4AHeAHUAVYHUwhaQNgFK
6gubVzxT8MDkOHhwJQgXL6OqHQcT0wwAAAFi9aztYAAABAMARjBEAiBJbsuBQS+U
zNNArriSL0K9eKpZgmsQzvNlNxDqAZFLdwIgS61d6HuV9+UOkZ30HajpgL0raI+m
EvRyLAK6dzfIy+sAdwDd6x0reg1PpiCLga2BaHB+Lo6dAdVciI09EcTNtuy+zAAA
AWL1rO1iAAAEAwBIMEYCIQDc6OHQPat4UNQ6z0pbM6s7YEXWCuO0LUfDTlHGmCbw
dwIhAN/qlMFUciYP2o1gTKD9LtBc8hFQ1c35n4c7L2Cw47cuAHUAu9nfvB+KcbWT
lCOXqpJ7RzhXlQqrUugakJZkNo4e0YUAAAFi9aztgwAABAMARjBEAiBgEzNNxFKL
FS/9Ix29xIjpGZd2lXNz31iwdQl5eTwfggIgBKe3Hqk0KTn0aaTWu8y7+3ZzSv0I
svstJ/uaLlTbeUkAdQCkuQmQtBhYFIe7E6LMZ3AKPDWYBPkb37jjd80OyA3cEAAA
AWL1rO2HAAAEAwBGMEQCIGUEnyBQyHZ/JaJ9LRQqqQ0h2Ez9fzqhIaHk6nO4lYnf
AiBeuRikWxw8yuYkXd+n0i97cagfVDoi1AHRitCvk8zUmTAOBgNVHQ8BAf8EBAMC
BaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMDMGA1UdHwQsMCowKKAm
oCSGImh0dHA6Ly9jcmwuZW50cnVzdC5uZXQvbGV2ZWwxay5jcmwwSwYDVR0gBEQw
QjA2BgpghkgBhvpsCgEFMCgwJgYIKwYBBQUHAgEWGmh0dHA6Ly93d3cuZW50cnVz
dC5uZXQvcnBhMAgGBmeBDAECAjBoBggrBgEFBQcBAQRcMFowIwYIKwYBBQUHMAGG
F2h0dHA6Ly9vY3NwLmVudHJ1c3QubmV0MDMGCCsGAQUFBzAChidodHRwOi8vYWlh
LmVudHJ1c3QubmV0L2wxay1jaGFpbjI1Ni5jZXIwHwYDVR0jBBgwFoAUgqJwdN28
Uz/Pe9T3zX+nYMYKTL8wHQYDVR0OBBYEFER7zAX8nlMJjpQL8PV9MYeeWpMOMAkG
A1UdEwQCMAAwDQYJKoZIhvcNAQELBQADggEBAJGeRI1Wht6YTfvdz2wKmZS8TFpX
gBRUUUNFFG0ihXuK48XKkKJviKikWl+qvExZqQN44aaIB5CHDgwUL6udQDZg7E27
rdC72tL79zHWbt/ukm6ffGa9SIIwtcJh+apfSA2YI5cmS9Da5v12VTkKizumgGVQ
pxP3EPnriAaj93BLVou5IUmuXOAbFqB2ZfhaX3kyiB+Hj87DGIU6qW8LnmKL22xi
77ksB4zbOm3FK71xwEOpakcC7rLbivRuB1iBV2TggXWvPf5snTV3jRTi8Cmqam4A
S+74TbYXfUQHBWIRQMktF+I/N9camXrf9ZfFTPzCO9GD6hbl6ae//zWDhh0=
-----END CERTIFICATE----- subject=/C=US/ST=California/L=Cupertino/O=Apple
Inc./CN=gateway.sandbox.push.apple.com issuer=/C=US/O=Entrust,
Inc./OU=See www.entrust.net/legal-terms/OU=(c) 2012 Entrust, Inc. -
for authorized use only/CN=Entrust Certification Authority - L1K
--- Acceptable client certificate CA names /C=US/O=Apple Inc./OU=Apple Certification Authority/CN=Apple Root CA /C=US/O=Apple Inc./OU=Apple
Worldwide Developer Relations/CN=Apple Worldwide Developer Relations
Certification Authority /CN=Apple Application Integration 2
Certification Authority/OU=Apple Certification Authority/O=Apple
Inc./C=US /C=US/ST=CA/L=Cupertino/O=Apple Inc./OU=Internet Software
and Services/CN=iCloud Test/emailAddress=APNS-Dev#group.apple.com
/C=US/ST=California/L=Cupertino/O=Apple
Inc./CN=gateway.sandbox.push.apple.com /C=US/O=Apple Inc./OU=Apple
Certification Authority/CN=Apple Application Integration Certification
Authority
--- SSL handshake has read 4165 bytes and written 2411 bytes
--- New, TLSv1/SSLv3, Cipher is DES-CBC3-SHA Server public key is 2048 bit Secure Renegotiation IS supported Compression: NONE Expansion:
NONE No ALPN negotiated SSL-Session:
Protocol : TLSv1.2
Cipher : DES-CBC3-SHA
Session-ID:
Session-ID-ctx:
Master-Key: 947F3D735AEEFB1633D0E18CD8CAFF5F6AB789DC518AEED4913382554437C2EE686F50A9267B285E798AB40FAEC389FD
Start Time: 1552990882
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Then I upload to Zendesk Dashboard successfully. But after that I can not receive push notification.
This question already has an answer here:
How to set TLS context options in Ruby (like OpenSSL::SSL::SSL_OP_NO_SSLv2)
(1 answer)
Closed 6 years ago.
So, basically im trying to run this script https://github.com/JeffreyATW/mbfc_crawler and it gives me this error:
C:/Ruby23-x64/lib/ruby/2.3.0/net/http.rb:933:in `connect_nonblock': SSL_connect SYSCALL returned=5 errno=0 state=SSLv2/v3 read server hello A (OpenSSL::SSL::SSLError)
from C:/Ruby23-x64/lib/ruby/2.3.0/net/http.rb:933:in `connect'
from C:/Ruby23-x64/lib/ruby/2.3.0/net/http.rb:863:in `do_start'
from C:/Ruby23-x64/lib/ruby/2.3.0/net/http.rb:858:in `start'
from C:/Ruby23-x64/lib/ruby/gems/2.3.0/gems/net-http-persistent-2.9.4/lib/net/http/persistent.rb:700:in `start'
from C:/Ruby23-x64/lib/ruby/gems/2.3.0/gems/net-http-persistent-2.9.4/lib/net/http/persistent.rb:631:in `connection_for'
from C:/Ruby23-x64/lib/ruby/gems/2.3.0/gems/net-http-persistent-2.9.4/lib/net/http/persistent.rb:994:in `request'
from C:/Ruby23-x64/lib/ruby/gems/2.3.0/gems/mechanize-2.7.5/lib/mechanize/http/agent.rb:274:in `fetch'
from C:/Ruby23-x64/lib/ruby/gems/2.3.0/gems/mechanize-2.7.5/lib/mechanize.rb:464:in `get'
from C:/Ruby23-x64/lib/ruby/gems/2.3.0/gems/wombat-2.5.1/lib/wombat/processing/parser.rb:61:in `public_send'
from C:/Ruby23-x64/lib/ruby/gems/2.3.0/gems/wombat-2.5.1/lib/wombat/processing/parser.rb:61:in `parser_for'
from C:/Ruby23-x64/lib/ruby/gems/2.3.0/gems/wombat-2.5.1/lib/wombat/processing/parser.rb:44:in `parse'
from C:/Ruby23-x64/lib/ruby/gems/2.3.0/gems/wombat-2.5.1/lib/wombat/crawler.rb:30:in `crawl'
from C:/Ruby23-x64/lib/ruby/gems/2.3.0/gems/wombat-2.5.1/lib/wombat.rb:13:in `crawl'
from crawler.rb:21:in `block in <main>'
from crawler.rb:20:in `each'
I have installed Ruby 2.3.3 from Ruby Installer for Windows.
I have also installed the DevKit-mingw64-64-4.7.2-20130224-1432-sfx.exe for my machine(from the same site).
What am i doing wrong? Thanks for your time.
Perhaps it needs a CA certificate.
Save it in your m/c from here: https://curl.haxx.se/ca/cacert.pem
And set path of it by using below command:
setx SSL_CERT_FILE path_where_you_have_placed_above_file
Stop using SSLv3, and start using TLS 1.0 (or above) and Server Name Indication (SNI).
Here's what you are doing with Ruby:
$ openssl s_client -connect github.com:443 -ssl3
CONNECTED(00000003)
3069617360:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1275:SSL alert number 40
3069617360:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:598:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 0 bytes
---
...
Here's what you should be doing with Ruby. Notice TLS 1.0 and SNI:
$ openssl s_client -connect github.com:443 -tls1 -servername github.com
CONNECTED(00000003)
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 Extended Validation Server CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
0 s:/businessCategory=Private Organization/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/serialNumber=5157550/street=88 Colin P Kelly, Jr Street/postalCode=94107/C=US/ST=California/L=San Francisco/O=GitHub, Inc./CN=github.com
i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validation Server CA
1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validation Server CA
i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIHeTCCBmGgAwIBAgIQC/20CQrXteZAwwsWyVKaJzANBgkqhkiG9w0BAQsFADB1
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
d3cuZGlnaWNlcnQuY29tMTQwMgYDVQQDEytEaWdpQ2VydCBTSEEyIEV4dGVuZGVk
IFZhbGlkYXRpb24gU2VydmVyIENBMB4XDTE2MDMxMDAwMDAwMFoXDTE4MDUxNzEy
MDAwMFowgf0xHTAbBgNVBA8MFFByaXZhdGUgT3JnYW5pemF0aW9uMRMwEQYLKwYB
BAGCNzwCAQMTAlVTMRkwFwYLKwYBBAGCNzwCAQITCERlbGF3YXJlMRAwDgYDVQQF
Ewc1MTU3NTUwMSQwIgYDVQQJExs4OCBDb2xpbiBQIEtlbGx5LCBKciBTdHJlZXQx
DjAMBgNVBBETBTk0MTA3MQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5p
YTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEVMBMGA1UEChMMR2l0SHViLCBJbmMu
MRMwEQYDVQQDEwpnaXRodWIuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
CgKCAQEA54hc8pZclxgcupjiA/F/OZGRwm/ZlucoQGTNTKmBEgNsrn/mxhngWmPw
bAvUaLP//T79Jc+1WXMpxMiz9PK6yZRRFuIo0d2bx423NA6hOL2RTtbnfs+y0PFS
/YTpQSelTuq+Fuwts5v6aAweNyMcYD0HBybkkdosFoDccBNzJ92Ac8I5EVDUc3Or
/4jSyZwzxu9kdmBlBzeHMvsqdH8SX9mNahXtXxRpwZnBiUjw36PgN+s9GLWGrafd
02T0ux9Yzd5ezkMxukqEAQ7AKIIijvaWPAJbK/52XLhIy2vpGNylyni/DQD18bBP
T+ZG1uv0QQP9LuY/joO+FKDOTler4wIDAQABo4IDejCCA3YwHwYDVR0jBBgwFoAU
PdNQpdagre7zSmAKZdMh1Pj41g8wHQYDVR0OBBYEFIhcSGcZzKB2WS0RecO+oqyH
IidbMCUGA1UdEQQeMByCCmdpdGh1Yi5jb22CDnd3dy5naXRodWIuY29tMA4GA1Ud
DwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwdQYDVR0f
BG4wbDA0oDKgMIYuaHR0cDovL2NybDMuZGlnaWNlcnQuY29tL3NoYTItZXYtc2Vy
dmVyLWcxLmNybDA0oDKgMIYuaHR0cDovL2NybDQuZGlnaWNlcnQuY29tL3NoYTIt
ZXYtc2VydmVyLWcxLmNybDBLBgNVHSAERDBCMDcGCWCGSAGG/WwCATAqMCgGCCsG
AQUFBwIBFhxodHRwczovL3d3dy5kaWdpY2VydC5jb20vQ1BTMAcGBWeBDAEBMIGI
BggrBgEFBQcBAQR8MHowJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmRpZ2ljZXJ0
LmNvbTBSBggrBgEFBQcwAoZGaHR0cDovL2NhY2VydHMuZGlnaWNlcnQuY29tL0Rp
Z2lDZXJ0U0hBMkV4dGVuZGVkVmFsaWRhdGlvblNlcnZlckNBLmNydDAMBgNVHRMB
Af8EAjAAMIIBfwYKKwYBBAHWeQIEAgSCAW8EggFrAWkAdgCkuQmQtBhYFIe7E6LM
Z3AKPDWYBPkb37jjd80OyA3cEAAAAVNhieoeAAAEAwBHMEUCIQCHHSEY/ROK2/sO
ljbKaNEcKWz6BxHJNPOtjSyuVnSn4QIgJ6RqvYbSX1vKLeX7vpnOfCAfS2Y8lB5R
NMwk6us2QiAAdgBo9pj4H2SCvjqM7rkoHUz8cVFdZ5PURNEKZ6y7T0/7xAAAAVNh
iennAAAEAwBHMEUCIQDZpd5S+3to8k7lcDeWBhiJASiYTk2rNAT26lVaM3xhWwIg
NUqrkIODZpRg+khhp8ag65B8mu0p4JUAmkRDbiYnRvYAdwBWFAaaL9fC7NP14b1E
sj7HRna5vJkRXMDvlJhV1onQ3QAAAVNhieqZAAAEAwBIMEYCIQDnm3WStlvE99GC
izSx+UGtGmQk2WTokoPgo1hfiv8zIAIhAPrYeXrBgseA9jUWWoB4IvmcZtshjXso
nT8MIG1u1zF8MA0GCSqGSIb3DQEBCwUAA4IBAQCLbNtkxuspqycq8h1EpbmAX0wM
5DoW7hM/FVdz4LJ3Kmftyk1yd8j/PSxRrAQN2Mr/frKeK8NE1cMji32mJbBqpWtK
/+wC+avPplBUbNpzP53cuTMF/QssxItPGNP5/OT9Aj1BxA/NofWZKh4ufV7cz3pY
RDS4BF+EEFQ4l5GY+yp4WJA/xSvYsTHWeWxRD1/nl62/Rd9FN2NkacRVozCxRVle
FrBHTFxqIP6kDnxiLElBrZngtY07ietaYZVLQN/ETyqLQftsf8TecwTklbjvm8NT
JqbaIVifYwqwNN+4lRxS3F5lNlA/il12IOgbRioLI62o8G0DaEUQgHNf8vSG
-----END CERTIFICATE-----
subject=/businessCategory=Private Organization/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/serialNumber=5157550/street=88 Colin P Kelly, Jr Street/postalCode=94107/C=US/ST=California/L=San Francisco/O=GitHub, Inc./CN=github.com
issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validation Server CA
---
No client certificate CA names sent
---
SSL handshake has read 3652 bytes and written 384 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : ECDHE-RSA-AES128-SHA
Session-ID: DD4041221B8CA5DAE8275F48D228A9CF6CE1EB8CCE58208877391CB061E8FE34
Session-ID-ctx:
Master-Key: 52979B9BF613EEC54C1F51364C1DA6FF88B9A7D419A66A8216E9A1B0FA0790DEB1B469ADD9AD881B6852913CE607E365
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1485151489
Timeout : 7200 (sec)
I am trying to send push notifications through Appcelerator's Arrow service to my Alloy app. Currently I try to get it to work on iOS, but it fails. I have followed the Appcelerator Tutorials for generating the iOS certificate and for registering my device. I am using the latest Appcelerator Titanium release as of writing which is 5.1.2.GA.
In the notification logs inside the platform, the message looks like this:
56cb19af13d239090f0914aa --- --- Failure Feb 22, 2016 2:22 PM
It has an ID, but no values for iOS and Android, neither for the Devices column. The (real) iOS device I am deploying to is registered for the push channel o***l though.
Checking the reasons for the failure through the API yields this:
{
"meta": {
"code": 200,
"status": "ok",
"more": false,
"method_name": "queryPushLogDetails"
},
"response": {
"push_log_details": [
{
"_id": "56cb0756e4b0d71f12be298f",
"msg_id": "328eadef-f048-4b7f-bfff-7f360de11823",
"push_id": "56cb07504e8d4309050800ab",
"type": "ios",
"token": "f2815de63052d8b5965f88124c8***",
"channel": "o***l",
"app_id": "5***3",
"send_status": 2,
"sent_at": "2016-02-22T13:04:21+0000",
"updated_at": "2016-02-22T13:04:22+0000",
"error_message": "Exception Type: APNS; Error Code: 1001; Error Message: General Problem; Catched Exception: Remote host closed connection during handshake",
"created_at": "2016-02-22T13:04:22+0000",
"locked_at": "2016-02-22T13:04:23+0000",
"pem_sent_at": "2016-02-22T13:04:23+0000"
}
]
}
}
Googling for "error_message": "Exception Type: APNS; Error Code: 1001; Error Message: General Problem; Catched Exception: Remote host closed connection during handshake" returned this post, but my case seems to be different as I can connect to the Apple Sandbox successfully:
openssl s_client -connect gateway.sandbox.push.apple.com:2195 -cert keyStore.pem
CONNECTED(00000003)
depth=1 /C=US/O=Entrust, Inc./OU=www.entrust.net/rpa is incorporated by reference/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification Authority - L1C
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
0 s:/C=US/ST=California/L=Cupertino/O=Apple Inc./CN=gateway.sandbox.push.apple.com
i:/C=US/O=Entrust, Inc./OU=www.entrust.net/rpa is incorporated by reference/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification Authority - L1C
1 s:/C=US/O=Entrust, Inc./OU=www.entrust.net/rpa is incorporated by reference/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification Authority - L1C
i:/O=Entrust.net/OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Certification Authority (2048)
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFMzC***U2MxV
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=Cupertino/O=Apple Inc./CN=gateway.sandbox.push.apple.com
issuer=/C=US/O=Entrust, Inc./OU=www.entrust.net/rpa is incorporated by reference/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification Authority - L1C
---
Acceptable client certificate CA names
/C=US/O=Apple Inc./OU=Apple Certification Authority/CN=Apple Root CA
/C=US/O=Apple Inc./OU=Apple Worldwide Developer Relations/CN=Apple Worldwide Developer Relations Certification Authority
/C=US/O=Apple Inc./OU=Apple Certification Authority/CN=Apple Application Integration Certification Authority
---
SSL handshake has read 3160 bytes and written 2153 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : AES256-SHA
Session-ID:
Session-ID-ctx:
Master-Key: F29F1914F74141A29F182AA3B4C4F480B2C2D388E872023774614281E34773E0F856F4A724F7C3AE8F206AF1945C351B
Key-Arg : None
Start Time: 1456152076
Timeout : 300 (sec)
Verify return code: 0 (ok)
I have already regenerated the SSL key for the push notifications. Sending the push message through the API is all the same than sending it from within the web interface of the platform.
What else could I try? Is there known issues?
After building my own eventmachine/thin with SSL support on windows (Install OpenSSL with Ruby for eventmachine on Windows 7 x86) I got another problem with SSL certificate: when I use build-in self-signed one thin works fine but it does not respond to any request while using corporate certificate
Here is my path for obtaining the certificate:
I generated private key with puttygen (ssl-private.key)
I generated CSR using following command:
openssl req -out ssl.csr -key ssl-private.key -new
I sent CSR to CA and received P7B file
I converted P7B using following command:
openssl pkcs7 -inform DER -outform PEM -in cert.p7b -print_certs > cert.crt
What could go wrong here?
What have I checked:
openssl rsa -in ssl-private.key -check
says "RSA key ok"
openssl x509 -in cert.crt -text -noout
says
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
***
Signature Algorithm: sha1WithRSAEncryption
Issuer: ***
Validity
Not Before: Feb 16 08:47:25 2004 GMT
Not After : Feb 16 08:55:36 2024 GMT
Subject: ***
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
***
Exponent: 3 (0x3)
X509v3 extensions:
X509v3 Key Usage:
Digital Signature, Certificate Sign, CRL Sign
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Subject Key Identifier:
***
1.3.6.1.4.1.311.21.1:
...
Signature Algorithm: sha1WithRSAEncryption
***
while the same check made on self-signed cert, created using
openssl genrsa -des3 -out server.orig.key 2048
openssl rsa -in server.orig.key -out server.key
openssl req -new -key server.key -out server.csr
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
says
Certificate:
Data:
Version: 1 (0x0)
Serial Number:
***
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=PL, ST=-, O=Internet Widgits Pty Ltd, CN=test.org
Validity
Not Before: Jun 24 14:42:07 2015 GMT
Not After : Jun 23 14:42:07 2016 GMT
Subject: C=PL, ST=-, O=Internet Widgits Pty Ltd, CN=test.org
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
***
Exponent: 65537 (0x10001)
Signature Algorithm: sha256WithRSAEncryption
***
ok some change: I have changed certs order in crt file so that final cert is not last but first and the result is different: chrome drops an error of NET::ERR_CERT_INVALID, IE similar and both does not navigate further
openssl s_client output (looks ok, *** Root CA 1 is trusted in windows):
Loading 'screen' into random state - done
CONNECTED(000001E8)
depth=1 DC = com, DC = ***, CN = *** Enterprise CA 1
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
0 s:/C=***/ST=***/O=***/CN=***.com
i:/DC=com/DC=***/CN=*** Enterprise CA 1
1 s:/DC=com/DC=***/CN=*** Enterprise CA 1
i:/DC=com/DC=***/CN=*** Root CA 1
---
Server certificate
-----BEGIN CERTIFICATE-----
***
-----END CERTIFICATE-----
subject=/C=***/ST=***/O=***/CN=***.com
issuer=/DC=com/DC=***/CN=*** Enterprise CA 1
---
No client certificate CA names sent
---
SSL handshake has read 3404 bytes and written 665 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : AES256-GCM-SHA384
Session-ID: ***
Session-ID-ctx:
Master-Key: ***
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket: ***
Start Time: 1435319943
Timeout : 300 (sec)
Verify return code: 20 (unable to get local issuer certificate)
---
read:errno=0
I have made a simple https server (lib/emtestssl):
require 'rubygems'
require 'bundler/setup'
Bundler.require
class ServerHandler < EM::Connection
def post_init
puts "post_init"
start_tls :private_key_file => 'private.key', :cert_chain_file => 'comb.crt', :verify_peer => false
end
def receive_data(data)
puts "Received data in server: #{data}"
send_data("HTTP/1.1 200 OK\n\nHello world!")
close_connection_after_writing
end
end
EventMachine.run do
puts 'Starting server...'
EventMachine.start_server('145.245.202.233', 443, ServerHandler)
end
it works fine without tls, with tls browser won't allow to connect :(
as per http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#verify private key and certificate do match
it looks like (patched) eventmachine is completely fine: i have taken key/cert pair from existing server and (after a url mismatch warning from the browser) it works fine
after comparing the certificates it looks like my CA has failed and brought me a cert with wrong properties: working one is described as Server Authentication (1.3.6.1.5.5.7.3.1) while failing one is Client Authentication (1.3.6.1.5.5.7.3.2)
i will issue another csr and charge them for lost day... :/
maybe one important discovery is an order of certificates within cert file: one must go from the final cert to the root being at the end of the chain