
update apple root cert? #49

Closed
bukira opened this issue Feb 11, 2021 · 21 comments

Comments


bukira commented Feb 11, 2021

> On March 29, 2021, token and certificate-based HTTP/2 connections to the Apple Push Notification service must incorporate the new root certificate (AAACertificateServices 5/12/2020) which replaces the old GeoTrust Global CA root certificate. To ensure a seamless transition and to avoid push notification delivery failures, verify that both the old and new root certificates for the HTTP/2 interface are included in the Trust Store of each of your notification servers before March 29.

Will this be updated in the package?


BorntraegerMarc commented Feb 11, 2021

Here is the link to the official Apple update: https://developer.apple.com/news/?id=7gx0a2lp

I also would like to understand whether this lib will need to release a new version to support the new certificate or whether library consumers will need to change something on their side.

Documentation from Apple is really sparse regarding this. Or at least not easily found.

What I found was in this doc in the Establish a Trusted Connection to APNs section:

> Communication between your provider server and APNs must take place over a secure connection. Creating that connection requires installing the GeoTrust Global CA root certificate (until March 29, 2021) and the AAA Certificate Services root certificate (starting March 29, 2021) on each of your provider servers.
>
> If your provider server runs macOS, the GeoTrust Global CA root certificate is in the keychain by default. If your provider server runs macOS 10.14 or later, the AAA Certificate Services root certificate is in the keychain by default. On other systems, you might need to install this certificate yourself. You can download the GeoTrust Global CA root certificate from the GeoTrust Root Certificates website. You can download the “AAACertificateServices 5/12/2020” certificate from the Sectigo KnowledgeBase website.

But I don't remember ever installing any certificate to use with this library. Nor are we running a macOS server; we run Linux.


I'm guessing it might have something to do with: https://github.com/parse-community/node-apn/blob/master/doc/provider.markdown#apnprovideroptions

> ca An array of trusted certificates. Each element should contain either a filename to load, or a Buffer/String (in PEM format) to be used directly. If this is omitted several well known "root" CAs will be used. - You may need to use this as some environments don't include the CA used by Apple (entrust_2048).

I'm guessing one of those "well known root CAs" is Apple's current one?


TysonAndre commented Feb 11, 2021

node-apn probably uses the OS's certificate store. If you're running an out-of-date OS such as CentOS 6 or haven't updated ca-certificates (name varies based on OS) in 2020, you'll probably have issues. For a newer one such as Ubuntu 20.04 (any LTS?) or CentOS 7 you should be fine. EDIT: As other commenters said, certificates are bundled with Node.js; node doesn't use the OS's certificate store.

There's probably some facility in node's tls libraries to add additional certificates to allow when validating the certificate of the APNs server when connecting.

Node probably checks various paths (I haven't checked the source) - I'd guess it's similar to how golang does it? (EDIT: it isn't)

    "/etc/ssl/certs/ca-certificates.crt",                // Debian/Ubuntu/Gentoo etc.
    "/etc/pki/tls/certs/ca-bundle.crt",                  // Fedora/RHEL 6
    "/etc/ssl/ca-bundle.pem",                            // OpenSUSE
    "/etc/pki/tls/cacert.pem",                           // OpenELEC
    "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem", // CentOS/RHEL 7
    "/etc/ssl/cert.pem",                                 // Alpine Linux

@ehubbell

Going off @TysonAndre's post above, if you check the ca-certificates package (https://packages.ubuntu.com/bionic/all/ca-certificates/filelist), which you can install via apt-get install ca-certificates, you get the following certs in the ca-certificates.crt file mentioned above.

/usr/share/ca-certificates/mozilla/Comodo_AAA_Services_root.crt
/usr/share/ca-certificates/mozilla/COMODO_RSA_Certification_Authority.crt
/usr/share/ca-certificates/mozilla/USERTrust_RSA_Certification_Authority.crt

I'm guessing those will fill Apple's new requirements.

@Dudarev2

I have found that:
https://github.com/nodejs/node/blob/master/doc/guides/maintaining-root-certs.md
and that:
https://github.com/nodejs/node/blob/v8.x/src/node_root_certs.h

@junjie

junjie commented Feb 15, 2021

Is there any way to verify that the AAA root certificate is present/used by node-apn before the rollover date of March 29?

@derN3rd

derN3rd commented Feb 15, 2021

> Is there any way to verify that the AAA root certificate is present/used by node-apn before the rollover date of March 29?

You could try out this command: https://unix.stackexchange.com/a/97252

For me it shows subject= /C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=AAA Certificate Services in the output, which is the AAA root certificate afaik, but doesn't show until when the cert is valid. For me it was an old cert (see more in EDIT2).

EDIT:
To clarify my reasoning why I think this is the correct cert:
I downloaded the cert that apple includes in their docs (AAACertificateServices 5/12/2020), ran the command above on this cert again and it showed the same info: subject=C = GB, ST = Greater Manchester, L = Salford, O = Comodo CA Limited, CN = AAA Certificate Services

EDIT2:
I was checking this on an AWS AMI for NodeJS, but wasn't checking the cert validity.

awk -v cmd='openssl x509 -noout -enddate -subject' '
    /BEGIN/{close(cmd)};{print | cmd}' < /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem  | grep -A1 'AAA'

This showed me that the cert I thought was the new AAA has been invalid since Jul 2019.
So it seems I don't have the newest AAA cert.

@junjie

junjie commented Feb 16, 2021

Thanks @derN3rd! I tried this on both my server and my Mac running Big Sur, which I expect would include the latest certificate, but I'm getting the GeoTrust Global CA one running openssl s_client -showcerts -connect api.push.apple.com:443

[screenshot: openssl s_client output showing the GeoTrust Global CA chain, 2021-02-16]

Thinking about it I would expect that to be the case since the rollover date is Mar 29, and it'd probably not make sense for Apple to use the updated certificate now.

But I think the bigger issue here may be that Node.js, which this project depends upon, does not use the system certificate store, as @Dudarev2 has pointed out here: #49 (comment)

I did make a small Node.js program to search through all the hardcoded certificates to find the AAA one, and I found it within my copy of Node installation. If you're interested:

// Compare the AAA root from Apple's download (PEM file) against the roots bundled into this Node.js build.
const tls = require('tls');
const fs = require('fs');

// Trim so a trailing newline in the downloaded file does not defeat the string comparison.
const aaa = fs.readFileSync('AAACertificateServices.crt', 'utf8').trim();

const allRootCertificates = tls.rootCertificates;
for (let i = 0; i < allRootCertificates.length; i++) {
        if (allRootCertificates[i].trim() === aaa) {
                console.log("Found AAA certificate at loop " + i);
                console.log(allRootCertificates[i]);
        }
}
console.log("Processed " + allRootCertificates.length + " certificates");

And AAACertificateServices.crt can be found via the link in Apple's email, or https://comodoca.my.salesforce.com/sfc/dist/version/download/?oid=00D1N000002Ljih&ids=0683l00000G9fLm&d=%2Fa%2F3l000000VbG0%2Fh70Hv.GWfGuD79pR_if0MtGjJFcUj.NRZS_RLqEyC_4&asPdf=false

@eladnava

eladnava commented Feb 16, 2021

Nicely done, @junjie.

I'm running Node v10 and tls.rootCertificates was only introduced in Node v12+ so I can't run your code.

However, I've just realized it's also possible to directly check Node's bundled root CA cert file for the signature of the Comodo AAA Services root:
https://github.com/nodejs/node/blob/v10.15.1/src/node_root_certs.h

Searching the file for Comodo AAA Services root will yield the exact certificate you have attached in Base64 encoded format.

You can plug your Node.js version into the URL instead of v10.15.1, yet from what I've seen this root CA is present in every single Node.js release.

Therefore, we can all safely assume that node-apn will continue functioning when Apple deploys the AAA certificate.

@derN3rd

derN3rd commented Feb 16, 2021

@eladnava I'm not sure if that's so easily done.
Apple stated in their mail:

> On March 29, 2021, token and certificate-based HTTP/2 connections to the Apple Push Notification service must incorporate the new root certificate (AAACertificateServices 5/12/2020) which replaces the old GeoTrust Global CA root certificate

Which sounds to me that you need at least the AAA cert from December 2020, which is not in Node 10 or any build that was built before that date.

I don't have enough knowledge about certs to tell if the AAACertificateServices 5/12/2020 is the same as Comodo AAA Services root just renewed, but the fact that Apple specifically states the date of this cert sounds to me like there is a difference.

EDIT:
The docs from Apple state that macOS 10.14 (which was released in 2018) and above already include the new AAA root cert, so it seems AAACertificateServices 5/12/2020 is just the newest root cert, but the Comodo AAA Services root should work as well.

@henrik

henrik commented Feb 17, 2021

Thank you so much for this helpful thread. I wrote up how we verified (I hope) our setup using what I learned here: https://stackoverflow.com/questions/66239455/how-to-verify-parse-running-on-heroku-supports-new-apple-push-notification-root/66239456

@BorntraegerMarc

I would also dare to say that NodeJS v12.13.0+ supports the new AAACertificateServices 5/12/2020 cert: https://github.com/nodejs/node/blob/v12.13.0/src/node_root_certs.h#L247


How I verified:

@robsonalvesbh

robsonalvesbh commented Mar 3, 2021

@BorntraegerMarc just to confirm, if my server application is running using NodeJS > v12 I don't need to take any action on my side?

@BorntraegerMarc

@robsonalvesbh yes, if your application is running NodeJS v12.13.0+

@ArturV93

ArturV93 commented Mar 5, 2021

If I am using a *.p8 file for sending push notifications, does this issue affect me?
Apn version: 6.12.0
Node version: 12.13.0

@davimacedo
Member

It looks like p8 will continue working. You need to make sure your apn version is using http/2, and it looks like you are good with node 12.

@hb020

hb020 commented Mar 7, 2021

Please don't jump to conclusions based on the last comments. It is not only v12.13.0+ that is good.
Many latest node versions should work, as @eladnava indicated in #49 (comment).
Just to show: node v9.11.2, v10.15.1 and v11.15.0 are good as well. See
https://github.com/nodejs/node/blob/v9.11.2/src/node_root_certs.h#L269 and
https://github.com/nodejs/node/blob/v10.15.1/src/node_root_certs.h#L269 and
https://github.com/nodejs/node/blob/v11.15.0/src/node_root_certs.h#L247 and
https://github.com/nodejs/node/blob/v12.13.0/src/node_root_certs.h#L247
Compare with the root certificate.

@enoskov

enoskov commented Mar 10, 2021

If you still feel uncertain whether your nodejs version embeds the new Root CA certificate, you may check the nodejs binary using grep or hexedit and search for an ASCII substring from the new cert. My nodejs 10.15.3 contains it:

[screenshot: hexedit view of the node binary showing the AAA Certificate Services root]

If it is still not enough for you, just add a config option for your node.js app to add 'ca' to apn.Provider's options and point to the desired Root CA cert. In case an unpleasant surprise arises, you can always configure your app to enforce using AAACertificateServices.pem from March 29, 2021.

@eladnava

@enoskov That's a really cool tip with grepping the node binary. Cheers!

@HardikDG

HardikDG commented Apr 3, 2021

My node version is v12.18.4.
I am having an issue of InvalidProviderToken. Is it related to this root cert issue?

Until 1-2 months ago it was working with P8 and TeamId.

@TysonAndre

> I am having an issue of InvalidProviderToken. Is it related to this root cert issue?

No, I think you wouldn't even be able to connect to APNs to get this error if you had the wrong root certificate

node-apn#477 may be of use

Can this be closed? The certificate expired in March.

@mtrezza
Member

mtrezza commented Mar 27, 2022

I'm closing this as it does not seem to be a Parse node-apn issue.

  • For help with Parse Platform we recommend our community forum
  • For coding questions we recommend Stack Overflow using the parse-platform tag
  • For network and server questions we recommend ServerFault using the parse-server tag
