Apple Push Notification service server certificate update

Question

Engineer OP

Apple

Created Feb ’21

Replies 29

Boosts 0

Views 19k

Participants 19

On March 29, 2021, token and certificate-based HTTP/2 connections to the Apple Push Notification service must incorporate the new root certificate (AAACertificateServices 5/12/2020) which replaces the old GeoTrust Global CA root certificate.

You can find the full announcement including a link to he new certificate here: https://developer.apple.com/news/?id=7gx0a2lp

Your servers will need the new root certificate in order to be able to trust the APNs servers. To ensure a seamless transition and to avoid push notification delivery failures, verify that both the old and new root certificates for the HTTP/2 interface are included in the Trust Store of each of your notification servers before March 29.

You can add the new root certificate to your Trust Store at any point before the deadline, and do not have to wait until March 29th to do so.

Note that Apple Push Notification service SSL provider certificates issued to you by Apple DO NOT need to be updated at this time.

Please respond in this thread if you have further questions.

Boost

Answer 1

Engineer OP

Apple

Feb ’21

Question: Do I need to make any code changes on my server for this update?
Answer: No code changes are needed, and the use of the new certificate should be automatic once it is installed. But do keep in mind that on March 31st, the legacy binary protocol will no longer function, and if you are not using the new HTTP/2 protocol already, you will need code changes to support that change independent of the certificate update.

You can read about this protocol change here: https://developer.apple.com/news/?id=c88acm2b

1

Answer 2

Skyborg OP

Feb ’21

Since yesterday my push notifications doesnt work anymore. without changing anythine.
I am using Parse Server with Push Adapter and p8 certificate.
It suddenly stopped working without change on my side.
its using node and https/2 to establish the connection.

Getting this error when sending:
parse-server-push-adapter APNS VError: stream ended unexpectedly

Thank you.

0

Answer 3

Engineer OP

Apple

Feb ’21

Question: I don't use HTTP/2. Do I still need to update the certificate on my server?
Answer: If you are not using HTTP/2 by March 29th, you will have bigger problems 2 days after on March 31st. The legacy binary protocol will stop working on March 31st, and you will no longer be able to send push notifications using the old protocol. So, you will need to start working on moving to the HTTP/2 protocol ASAP.

0

Answer 4

johnlamhc OP

Feb ’21

I also face the similar issue mentioned by Skyborg, push notifications were unable to be sent since yesterday.

I am using Node.js and received error "UNABLE_TO_GET_ISSUER_CERT_LOCALLY" every-time when I attempt to send notifications to both development and production environments.

Thank you.

0

Answer 5

johnlamhc OP

Feb ’21

Update : my issue fixed by updating to latest Node.js (v14.15.5)

1

Answer 6

ousKobil OP

Feb ’21

Question: Is it sufficient to add the new root certificate AAACertificateServices 5/12/2020 or do I have to add the additional
certificates (USERTrustRSAAAACA 5/12/2020; COMODORSAAAACA 5/12/2020) which I found at https:// support.sectigo.com/Com_KnowledgeDetailPage?Id=kA03l00000117cL
as well?

1

Answer 7

GLJeffery OP

Feb ’21

Question: If we are using the non-expiring Apple Push Notification service (APNs) key, do we need to create a new one to put on our server?

1

Answer 8

GLJeffery OP

Feb ’21

Question: Just want to make sure I understand this message clearly,

Note that Apple Push Notification service SSL provider certificates issued to you by Apple DO NOT need to be updated at this time.

Does this mean that app developers do NOT need to re-create and re-upload these certificates using the latest Worldwide Developer Relations Certificate Authority (Expiring 02/20/2030), in order to continue serving push notifications from third party services? And that it is up to the third party service to update the certificate in their Trust Store? Example: Mixpanel push notifications

0

Answer 9

sal_from_new_york OP

Feb ’21

Hello!
We use curl on a Windows box to send low volume APN payloads to Apple's server. We DON'T have the GeoTrust Global CA or the new AAACertificateServices in that Windows box's trust store. Can we just add the AAACertificateServices to the curl option --cacerts CACertsFile?

I'm not clear why the AAACertificateServices is necessary. The api.push.apple.com SSL certificate is authorized by the Apple Root CA, not GeoTrust Global CA or AAACertificateServices Root CA. So why is it necessary to add it?

The curl command line we're using consists of the following options:

curl -x http://somePROXY -U X:X -v -d "{\"aps\":{\"alert\":\"Success!\",\"sound\":\"default\"}}" -k --cert <path to cert PEM> --key <path to cert key> --pass "XXXX" --cacert <path to Apple Root CA> -H "apns-topic:
<APNS topic>" --http2 https://api.push.apple.com/XX/device/YYYYYYYYYYY

With the -v curl option we get the following output:
<HTTP/1.1 200 Connected
<

Proxy replied OK to CONNECT request
ALPN, offering h2
ALPN, offering http/1.1
Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
successfully set certificate verify locations:
CAfile: <path to CA.pem file>

CApath: none

SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
ALPN, server accepted to use h2
Server certificate:
subject: CN=api.push.apple.com; OU=management:idms.group.533599; O=Apple Inc.; ST=California; C=US
start date: Mar 14 17:50:10 2019 GMT
expire date: Apr 12 17:50:10 2021 GMT
issuer: CN=Apple IST CA 2 - G1; OU=Certification Authority; O=Apple Inc.; C=US
SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
Using HTTP2, server supports multi-use
Connection state changed (HTTP/2 confirmed)
Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
Using Stream ID: 1 (easy handle 0x1eeb1e8)

POST /x/device/YYYYYYYYYYYYYYYYYYYY HTTP/1.1
Host: api.push.apple.com
User-Agent: <Our user Agent>
Accept: */*
apns-id: <AN APNS ID>
apns-topic: <OUR APNS Topic>
Content-Length: 208
Content-Type: application/x-www-form-urlencoded
Connection state changed (MAX_CONCURRENT_STREAMS updated)!
We are completely uploaded and fine
< HTTP/2 200

< apns-id: <some APNS ID>

Thanks

0

Answer 10

KJZZZ OP

Feb ’21

Question: I am currently using FireBase CloudMessaging(FCM) for ios notification, I just want to confirm if this update is something third party provider has to update (eg. update the certificate on their side) since my backend server does not send directly to the APNs? Or if this is something I need to change, FCM hasn't updated anything on their website regarding to whether they will be impacted by this issue.

2

Answer 11

sal_from_new_york OP

Feb ’21

@KJZZZ,
I would imagine that it is Firebase's responsibility to update their back end appropriately. Your server connects only to FireBase, so it's out of your domain. Have you considered getting in touch with FireBase directly?

0

Answer 12

alexdoo OP

Feb ’21

Will you make connections to the Sandbox Server fail prior to the production server transition date for connections that do not include the new certificate? If yes, can you please publish the transition date for the Sandbox server?

Thank you!

0

Answer 13

alexequi OP

Feb ’21

I don't see anything concerning the laravel implementation. We have an API that sends the APNs and we are using the Laravel notification channels and the APNMessage class.
The config for the implementation at this moment looks like this:

'apn' => [
'environment' =>1,
'key_id' => env('APN_KEY_ID'),
'team_id' => env('APN_TEAM_ID'),
'app_bundle_id' => env('APN_APP_BUNDLE_ID'),
'private_key_path' => env('APN_PRIVATE_KEY', base_path('APN_cert.p8')),

where the private key is the old .p8 file.
Any hint to where the new AAACertificateServices.crt fits in?

Thanks!

0

Answer 14

jameswhite OP

Feb ’21

@skyborg We had similar issues to what you described, with Parse Server notifications suddenly starting to fail last week. We updated both Parse Server, and Node, and everything seems to be working now. Still unclear if this was related to this new certificate requirement. Our versions now are:
Node v14.15.5
@parse/node-apn 4.0.0
parse-server 4.5.0

0

Answer 15

ds_wrg OP

Feb ’21

I'm using this package to send push notification with a .p8 file. As far as I know, I not using any certificates till now. So do I have to install the new AAA certificate in order to send push notifications?

1