Apple Push Notification service server certificate update

On March 29, 2021, token and certificate-based HTTP/2 connections to the Apple Push Notification service must incorporate the new root certificate (AAACertificateServices 5/12/2020) which replaces the old GeoTrust Global CA root certificate.

You can find the full announcement, including a link to the new certificate, here: https://developer.apple.com/news/?id=7gx0a2lp

Your servers will need the new root certificate in order to be able to trust the APNs servers. To ensure a seamless transition and to avoid push notification delivery failures, verify that both the old and new root certificates for the HTTP/2 interface are included in the Trust Store of each of your notification servers before March 29.

You can add the new root certificate to your Trust Store at any point before the deadline, and do not have to wait until March 29th to do so.

Note that Apple Push Notification service SSL provider certificates issued to you by Apple DO NOT need to be updated at this time.

Please respond in this thread if you have further questions.

Question: Do I need to make any code changes on my server for this update?
Answer: No code changes are needed, and the use of the new certificate should be automatic once it is installed. But do keep in mind that on March 31st, the legacy binary protocol will no longer function, and if you are not using the new HTTP/2 protocol already, you will need code changes to support that change independent of the certificate update.

You can read about this protocol change here: https://developer.apple.com/news/?id=c88acm2b

Since yesterday my push notifications don't work anymore, without changing anything.
I am using Parse Server with Push Adapter and p8 certificate.
It suddenly stopped working without change on my side.
It's using Node and https/2 to establish the connection.

Getting this error when sending:
parse-server-push-adapter APNS VError: stream ended unexpectedly

Thank you.

Question: I don't use HTTP/2. Do I still need to update the certificate on my server?
Answer: If you are not using HTTP/2 by March 29th, you will have bigger problems 2 days after on March 31st. The legacy binary protocol will stop working on March 31st, and you will no longer be able to send push notifications using the old protocol. So, you will need to start working on moving to the HTTP/2 protocol ASAP.

I also face the similar issue mentioned by Skyborg, push notifications were unable to be sent since yesterday.

I am using Node.js and received error "UNABLE_TO_GET_ISSUER_CERT_LOCALLY" every time I attempt to send notifications to both development and production environments.

Thank you.

Update: my issue was fixed by updating to the latest Node.js (v14.15.5)

Question: Is it sufficient to add the new root certificate AAACertificateServices 5/12/2020 or do I have to add the additional certificates (USERTrustRSAAAACA 5/12/2020; COMODORSAAAACA 5/12/2020) which I found at https://support.sectigo.com/Com_KnowledgeDetailPage?Id=kA03l00000117cL as well?

Question: If we are using the non-expiring Apple Push Notification service (APNs) key, do we need to create a new one to put on our server?

Question: Just want to make sure I understand this message clearly,

Note that Apple Push Notification service SSL provider certificates issued to you by Apple DO NOT need to be updated at this time.

Does this mean that app developers do NOT need to re-create and re-upload these certificates using the latest Worldwide Developer Relations Certificate Authority (Expiring 02/20/2030), in order to continue serving push notifications from third party services? And that it is up to the third party service to update the certificate in their Trust Store? Example: Mixpanel push notifications

Will you make connections to the Sandbox Server fail prior to the production server transition date for connections that do not include the new certificate? If yes, can you please publish the transition date for the Sandbox server?

Thank you!

@skyborg We had similar issues to what you described, with Parse Server notifications suddenly starting to fail last week. We updated both Parse Server, and Node, and everything seems to be working now. Still unclear if this was related to this new certificate requirement. Our versions now are:
Node v14.15.5
@parse/node-apn 4.0.0
parse-server 4.5.0

I'm using this package to send push notifications with a .p8 file. As far as I know, I am not using any certificates till now. So do I have to install the new AAA certificate in order to send push notifications?