update apple root cert? #49
Here is the link to the official Apple update: https://developer.apple.com/news/?id=7gx0a2lp I also would like to understand whether this lib will need to release a new version to support the new certificate or whether library consumers will need to change something on their side. Documentation from Apple is really sparse regarding this. Or at least not easily found. What I found was in this doc in the
But I don't remember ever installing any certificate to use with this library. Nor are we running a macOS server but linux. I'm guessing it might have something to do with: https://github.com/parse-community/node-apn/blob/master/doc/provider.markdown#apnprovideroptions
I'm guessing one of those "well known root CAs" is Apple's current one?
There's probably some facility in node's tls libraries to add additional certificates to allow when validating the certificate of the APNs server when connecting.
"/etc/ssl/certs/ca-certificates.crt", // Debian/Ubuntu/Gentoo etc.
"/etc/pki/tls/certs/ca-bundle.crt", // Fedora/RHEL 6
"/etc/ssl/ca-bundle.pem", // OpenSUSE
"/etc/pki/tls/cacert.pem", // OpenELEC
"/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem", // CentOS/RHEL 7
"/etc/ssl/cert.pem", // Alpine Linux
Going off @TysonAndre post above, if you check the
I'm guessing those will fill Apple's new requirements.
Is there any way to verify that the AAA root certificate is present/used by node-apn before the rollover date of March 29?
You could try out this command: https://unix.stackexchange.com/a/97252 For me it shows EDIT: EDIT2:
This showed me that the cert I thought was the new AAA is invalid since Jul 2019.
Thanks @derN3rd! I tried this on both my server and my Mac running Big Sur, which I expect would include the latest certificate, but I'm getting GeoTrust Global CA one running Thinking about it I would expect that to be the case since the rollover date is Mar 29, and it'd probably not make sense for Apple to use the updated certificate now. But I think the bigger issue here may be that Node.js, which this project depends upon, does not use the system certificate store, as @Dudarev2 has pointed out here: #49 (comment) I did make a small Node.js program to search through all the hardcoded certificates to find the AAA one, and I found it within my copy of Node installation. If you're interested:
And AAACertificateServices.crt can be found via the link in Apple's email, or https://comodoca.my.salesforce.com/sfc/dist/version/download/?oid=00D1N000002Ljih&ids=0683l00000G9fLm&d=%2Fa%2F3l000000VbG0%2Fh70Hv.GWfGuD79pR_if0MtGjJFcUj.NRZS_RLqEyC_4&asPdf=false
Nicely done, @junjie. I'm running However, I've just realized it's also possible to directly check Node's bundled root CA cert file for the signature of the Comodo AAA Services root: Searching the file for You can plug in your Node.js version into the URL instead of Therefore, we can all safely assume that
@eladnava I'm not sure if that's so easily done.
Which sounds to me like you need at least the AAA cert from December 2020, which is not in Node 10 or any build that was built before that date. I don't have enough knowledge about certs to tell if the AAACertificateServices 5/12/2020 is the same as Comodo AAA Services root just renewed, but the fact that Apple specifically states the date of this cert sounds to me like there is a difference. EDIT:
Thank you so much for this helpful thread. I wrote up how we verified (I hope) our setup using what I learned here: https://stackoverflow.com/questions/66239455/how-to-verify-parse-running-on-heroku-supports-new-apple-push-notification-root/66239456
I would also dare to say that NodeJS v12.13.0+ supports the new How I verified:
@BorntraegerMarc just to confirm, if my server application is running using NodeJS > v12 I don't need to take any action on my side?
@robsonalvesbh yes, if your application is running NodeJS v12.13.0+
If I am using a *.p8 file for sending push notifications, does this issue affect me?
It looks like p8 will continue working. You need to make sure your apn version is using HTTP/2, and it looks like you are good with node 12.
Please don't jump to conclusions based on the last comments. Not only v12.13.0+ is good. |
@enoskov That's a really cool tip with grepping the |
My node version is v12.18.4. 1-2 months ago it was working with P8 and TeamId
No, I think you wouldn't even be able to connect to APNs to get this error if you had the wrong root certificate.
node-apn#477 may be of use.
Can this be closed? The certificate expired in March.
I'm closing this as it does not seem to be a Parse node-apn issue.
On March 29, 2021, token and certificate-based HTTP/2 connections to the Apple Push Notification service must incorporate the new root certificate (AAACertificateServices 5/12/2020) which replaces the old GeoTrust Global CA root certificate. To ensure a seamless transition and to avoid push notification delivery failures, verify that both the old and new root certificates for the HTTP/2 interface are included in the Trust Store of each of your notification servers before March 29.
Will this be updated in the package?