APNs push notification with macOS Sierra

Question

I'm trying to send my phone a push notification using the simple PHP tool which connects to ssl://gateway.push.apple.com:2195, but the connection fails with the following errors:

Warning: stream_socket_client(): SSL operation failed with code 1. OpenSSL Error messages:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed in <Users/.../file.php> on line 30

Warning: stream_socket_client(): Failed to enable crypto in <Users/.../file.php> on line 30

Warning: stream_socket_client(): unable to connect to ssl://gateway.sandbox.push.apple.com:2195 (Unknown error) in <Users/.../file.php> on line 30
Failed to connect: 0 

This all started since I upgraded to the GM Seed of macOS Sierra. What's new in macOS Sierra that affects SSL connections? How do I resolve this?

Answer 1

I got same error, and this is what I did:

1) updated my openssl (i think u dont need this) got to step 2, cause this will take about 10 minutes

brew install openssl

make sure u updated it correct:

openssl version

If not, try this or google:

brew link --force openssl

2) check you php default_cert_file path:

php -r "print_r(openssl_get_cert_locations());"

this is what i got:

Array
(
[default_cert_file] => /usr/local/libressl/etc/ssl/cert.pem
[default_cert_file_env] => SSL_CERT_FILE
[default_cert_dir] => /usr/local/libressl/etc/ssl/certs
[default_cert_dir_env] => SSL_CERT_DIR
[default_private_dir] => /usr/local/libressl/etc/ssl/private
[default_default_cert_area] => /usr/local/libressl/etc/ssl
[ini_cafile] => 
[ini_capath] => 
)

3) download cacert.pem from here:

wget http://curl.haxx.se/ca/cacert.pem

4) move cacert.pem file to your default_cert_file path (as root):

sudo mv cacert.pem /usr/local/libressl/etc/ssl/cert.pem

probably i'll need to create this directory first

After this, my php script worked.

Answer 2

I got the same error after upgrading to macOS Sierra while using php script to send push notifications.

Solution with installing certificate to

[default_cert_file] => /usr/local/libressl/etc/ssl/cert.pem didn't help as well.

---

Updated to PHP v. 5.6.27, macOS Sierra 10.12.4

---

And after all, I found my problem. It was in the fact, that macOS Sierra updated PHP version to 5.6.27

To check it, type in Terminal

php -v

PHP 5.6.27 (cli) (built: Oct 23 2016 11:47:58) 
Copyright (c) 1997-2016 The PHP Group
Zend Engine v2.6.0, Copyright (c) 1998-2016 Zend Technologies

And here is OpenSSL changes in PHP 5.6.x

As the brief workaround, someone suggested disabling brand-new security features in the php script (in the link above, very bottom part).

Safer (and I recommend it) would be a way to setup path to entrust_2048_ca.cer explicitly like

 $streamContext = stream_context_create([
            'ssl' => [
                'verify_peer'      => true,
                'verify_peer_name' => true,
                'cafile'           => '/path/to/bundle/entrust_2048_ca.cer',
            ]
        ]);

It works as well .

Answer 3

You can get certificate from Entrust. Download the entrust_2048_ca.cer certificate from: https://www.entrust.com/get-support/ssl-certificate-support/root-certificate-downloads/. After downloading entrust_2048_ca.cer, I copied it in the same directory where my php script was and it all worked.

More details here: https://stackoverflow.com/a/28222783/4253579