update apple root cert?

[bukira]

On March 29, 2021, token and certificate-based HTTP/2 connections to the Apple Push Notification service must incorporate the new root certificate (AAACertificateServices 5/12/2020) which replaces the old GeoTrust Global CA root certificate. To ensure a seamless transition and to avoid push notification delivery failures, verify that both the old and new root certificates for the HTTP/2 interface are included in the Trust Store of each of your notification servers before March 29.

Will this be updated in the package?

[BorntraegerMarc]

Here is the link to the official Apple update: https://developer.apple.com/news/?id=7gx0a2lp

I also would like to understand, whether this lib will need to release a new version to support the new certificate or wether library consumers will need to change something on their side.

Documentation from Apple is really sparse regarding this. Or at least not easily found.

What I found was in this doc in the Establish a Trusted Connection to APNs section:

Communication between your provider server and APNs must take place over a secure connection. Creating that connection requires installing the GeoTrust Global CA root certificate (until March 29, 2021) and the AAA Certificate Services root certificate (starting March 29, 2021) on each of your provider servers.

If your provider server runs macOS, the GeoTrust Global CA root certificate is in the keychain by default. If your provider server runs macOS 10.14 or later, the AAA Certificate Services root certificate is in the keychain by default. On other systems, you might need to install this certificate yourself. You can download the GeoTrust Global CA root certificate from the GeoTrust Root Certificates website. You can download the “AAACertificateServices 5/12/2020” certificate from the Sectigo KnowledgeBase website.

But I don't remember ever installing any certificate to use with this library. Nor are we running a macOS server but linux.

---

I'm guessing it might have something to do with: https://github.com/parse-community/node-apn/blob/master/doc/provider.markdown#apnprovideroptions

ca An array of trusted certificates. Each element should contain either a filename to load, or a Buffer/String (in PEM format) to be used directly. If this is omitted several well known "root" CAs will be used. - You may need to use this as some environments don't include the CA used by Apple (entrust_2048).

I'm guessing one of those "well known root CAs" is Apple's current one?

[TysonAndre]

node-apn probably uses the OS's certificate store. If you're running an out of date OS such as CentOS 6 or haven't updated ca-certificates (name varies based on OS) in 2020, you'll probably have issues. For a newer one such as Ubuntu 20.04 (any LTS?) or CentOS 7 you should be fine. EDIT: As other commentors said, certificates are bundled with Node.js, node doesn't use the OS's certificate store.

• If you update node.js you should get newer certificates? (i.e. https://nodejs.org/en/download/)

There's probably some facility in node's tls libraries to add additional certificates to allow when validating the certificate of the APNs server when connecting.

Node probably checks various paths (I haven't checked the source) - I'd guess it's similar to how golang does it? (EDIT: it isn't)

    "/etc/ssl/certs/ca-certificates.crt",                // Debian/Ubuntu/Gentoo etc.
    "/etc/pki/tls/certs/ca-bundle.crt",                  // Fedora/RHEL 6
    "/etc/ssl/ca-bundle.pem",                            // OpenSUSE
    "/etc/pki/tls/cacert.pem",                           // OpenELEC
    "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem", // CentOS/RHEL 7
    "/etc/ssl/cert.pem",                                 // Alpine Linux

[ehubbell]

Going off @TysonAndre post above, if you check the ca-certificates package (https://packages.ubuntu.com/bionic/all/ca-certificates/filelist) which you can install via apt-get install ca-certificates you get the following certs in your ca-certificates.crt file mentioned above.

/usr/share/ca-certificates/mozilla/Comodo_AAA_Services_root.crt
/usr/share/ca-certificates/mozilla/COMODO_RSA_Certification_Authority.crt
/usr/share/ca-certificates/mozilla/USERTrust_RSA_Certification_Authority.crt

I'm guessing those will fill Apple's new requirements.

[Dudarev2]

I have found that:
https://github.com/nodejs/node/blob/master/doc/guides/maintaining-root-certs.md
and that:
https://github.com/nodejs/node/blob/v8.x/src/node_root_certs.h

[junjie]

Is there any way to verify that the the AAA root certificate is present/used by node-apn before the rollover date of March 29?

[derN3rd]

Is there any way to verify that the the AAA root certificate is present/used by node-apn before the rollover date of March 29?

You could try out this command: https://unix.stackexchange.com/a/97252

For me it shows subject= /C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=AAA Certificate Services inthe output which is the AAA root certificate afaik, but doesn't show until when the cert is valid. For me it was an old cert (see more in EDIT2)

EDIT:
To clarify my reasoning why I think this is the correct cert:
I downloaded the cert that apple includes in their docs (AAACertificateServices 5/12/2020), ran the command above on this cert again and it showed the same info: subject=C = GB, ST = Greater Manchester, L = Salford, O = Comodo CA Limited, CN = AAA Certificate Services

EDIT2:
I was checking this on an AWS AMI for NodeJS, but wasn't checking the cert validity.

awk -v cmd='openssl x509 -noout -enddate -subject' '
    /BEGIN/{close(cmd)};{print | cmd}' < /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem  | grep -A1 'AAA'

This showed me, that the cert I thought was the new AAA is invalid since Jul 2019.
So it seems I don't have the newest AAA cert

[junjie]

Thanks @derN3rd! I tried this on both my server and my Mac running Big Sur, which I expect would include the latest certificate, but I'm getting GeoTrust Global CA one running openssl s_client -showcerts -connect api.push.apple.com:443

Thinking about it I would expect that to be the case since the rollover date is Mar 29, and it'd probably not make sense for Apple to use the updated certificate now.

But I think the bigger issue here may be that Node.js, which this project depends upon, does not use the system certificate store, as @Dudarev2 has pointed out here: #49 (comment)

I did make a small Node.js program to search through all the hardcoded certificates to find the AAA one, and I found it within my copy of Node installation. If you're interested:

var tls = require('tls'), fs = require('fs');

aaa = fs.readFileSync('AAACertificateServices.crt').toString();

allRootCertificates = tls.rootCertificates;
var i;
for (i = 0; i < allRootCertificates.length; i++) {
        if (allRootCertificates[i] === aaa) {
                console.log("Found AAA certificate at loop " + i);
                console.log(allRootCertificates[i]);
        }
}
console.log("Processed " + allRootCertificates.length + " certificates");

And AAACertificateServices.crt can be found via the link in Apple's email, or https://comodoca.my.salesforce.com/sfc/dist/version/download/?oid=00D1N000002Ljih&ids=0683l00000G9fLm&d=%2Fa%2F3l000000VbG0%2Fh70Hv.GWfGuD79pR_if0MtGjJFcUj.NRZS_RLqEyC_4&asPdf=false

[eladnava]

Nicely done, @junjie.

I'm running Node v10 and tls.rootCertificates was only introduced in Node v12+ so I can't run your code.

However, I've just realized it's also possible to directly check Node's bundled root CA cert file for the signature of the Comodo AAA Services root:
https://github.com/nodejs/node/blob/v10.15.1/src/node_root_certs.h

Searching the file for Comodo AAA Services root will yield the exact certificate you have attached in Base64 encoded format.

You can plug in your Node.js version into the URL instead of v10.15.1, yet from what I've seen every single Node.js release has this root CA is present in all Node releases.

Therefore, we can all safely assume that node-apn will continue functioning when Apple deploys the AAA certificate.

[derN3rd]

@eladnava I'm not sure if thats so easily done.
Apple stated in their mail

On March 29, 2021, token and certificate-based HTTP/2 connections to the Apple Push Notification service must incorporate the new root certificate (AAACertificateServices 5/12/2020) which replaces the old GeoTrust Global CA root certificate

Which sounds to me that you need at least the AAA cert from December 2020, which is not in Node 10 or any build that was built before that date.

I have not enough knowledge about certs to tell if the AAACertificateServices 5/12/2020 is the same as Comodo AAA Services root just renewed, but the fact that apple especially states the date of this cert sounds to me that there is a difference.

EDIT:
The docs from apple state that macOS 10.14 (which was released in 2018) and above already include the new AAA root cert, so it seems AAACertificateServices 5/12/2020 is just the newest root cert, but the Comodo AAA Services root should work as well

[henrik]

Thank you so much for this helpful thread. I wrote up how we verified (I hope) our setup using what I learned here: https://stackoverflow.com/questions/66239455/how-to-verify-parse-running-on-heroku-supports-new-apple-push-notification-root/66239456

[BorntraegerMarc]

I would also dare to say that NodeJS v12.13.0+ supports the new AAACertificateServices 5/12/2020 cert: https://github.com/nodejs/node/blob/v12.13.0/src/node_root_certs.h#L247

---

How I verified:

• Downloaded AAACertificateServices 5/12/2020 cert from here: https://support.sectigo.com/Com_KnowledgeDetailPage?Id=kA03l00000117cL
• Opened cert with text editor
• Copy / pasted first line from cert
• Searched for first line in NodeJS root certs and found it here: https://github.com/nodejs/node/blob/v12.13.0/src/node_root_certs.h#L247

[robsonalvesbh]

@BorntraegerMarc just to confirm, if my server application is running using NodeJS > v12 I don't need to take any action on my side?

[BorntraegerMarc]

@robsonalvesbh yes, if your application is running NodeJS v12.13.0+

[ArturV93]

If I am using *.p8 file for sending push notifications, is this issue affects me?
Apn version: 6.12.0
Node version: 12.13.0

[davimacedo]

It looks p8 will continue working. You need to make sure your apn version is using http/2 and it looks you are good with node 12.

[hb020]

Please don't jump to conclusions based on the last comments. Not only v12.13.0+ is good.
Many latest node versions should work, as @eladnava indicated in #49 (comment).
Just to show: node v9.11.2, v10.15.1 and v11.15.0 are good as well. See
https://github.com/nodejs/node/blob/v9.11.2/src/node_root_certs.h#L269 and
https://github.com/nodejs/node/blob/v10.15.1/src/node_root_certs.h#L269 and
https://github.com/nodejs/node/blob/v11.15.0/src/node_root_certs.h#L247 and
https://github.com/nodejs/node/blob/v12.13.0/src/node_root_certs.h#L247
Compare with the root certificate.

[enoskov]

If you still feel uncertain whether your nodejs version embeds a new Root CA certificate, you may check nodejs binary using grep or hexedit and search for ASCII substring from a new cert. My nodejs 10.15.3 contains it:

If it is still not enough for you, just add a config option for your node.js app to add 'ca' to apn.Provider's options and point to a desired Root CA cert. In case some unpleasant surprise will arise, you can always configure your app to enforse using AAACertificateServices.pem since March 29, 2021.

[eladnava]

@enoskov That's a really cool tip with grepping the node binary. Cheers!

[HardikDG]

My node version is : v12.18.4.
I am having issue of InvalidProviderToken. Does it related to this root cert issue?

Before 1-2 months it's working with P8 and TeamId

[TysonAndre]

I am having issue of InvalidProviderToken. Does it related to this root cert issue?

No, I think you wouldn't even be able to connect to APNs to get this error if you had the wrong root certificate

node-apn#477 may be of use

Can this be closed? the certificate expired in march

[mtrezza]

I'm closing this as it does not seem to be a Parse node-apn issue.

• For help with Parse Platform we recommend our community forum
• For coding questions we recommend Stack Overflow using the parse-platform tag
• For network and server questions we recommend ServerFault using the parse-server tag