Couldn't able to connect to APNS Sandbox server

Question

I am trying to connect to Apple APNS server with the following observations:

1)port 2195 is open 2)With Valid key passphrase for APNS_SSLCertificate_Key.pem 3)Entrust certificate (2048) downloaded from https://www.entrust.net/downloads/binary/entrust_ssl_ca.cer

4)With the successful telnet response as below :

$ telnet gateway.sandbox.push.apple.com 2195 Trying 17.172.232.226... Connected to gateway.sandbox.push-apple.com.akadns.net. Escape character is '^]'.

But when i run the following openssl command in my server to test the APNS connectivity :

openssl s_client -connect gateway.sandbox.push.apple.com:2195 -cert  APNS_SSLCertificate_Key.pem -debug -showcerts -CAfile server-ca-cert.pem

I am getting error as follows:

unable to load certificate 57013:error:0906D06C:PEM routines:PEM_read_bio:no start line:/SourceCache/OpenSSL098/OpenSSL098-35/src/crypto/pem/pem_lib.c:650:Expecting: TRUSTED CERTIFICATE

So please suggest how to resolve this problem

Thanks in advance ......

Answer 1

I ran into this same issue; what eventually resolved the error was to re-export the Entrust certificate from System Roots of OS/X Keychain Access application.

To be complete, I'll give a complete explanation of how I created the key/cert files (something which should have been in Apple's TechNote 2265: https://developer.apple.com/library/content/technotes/tn2265/_index.html)

Creating your APN-cert-and-key:

1. Run Keychain Access; select "login" Keychain and "My Certificates" category
2. Select the certificate with the name format of "Apple Development IOS Push Services: ..."
3. Export the certificate (in the menu, under "File" .. "Export Items")
4. Export to .p12 format.
   This now contains your certificate and private key in an encrypted interchange format. The next step is to convert it to a passphrase protected .pem file

5. Using terminal, execute the following command (using your own filenames, of course):
   
   openssl pkcs12 -in PushCertKey.p12 -out PushCertKey.pem
   
   (You will need to enter the password for the .p12 file and provide another passphrase for the .pem file.)

   If you really really really don't want a passphrase on the .pem file, try:
   
   openssl pkcs12 -in PushCertKey.p12 -out PushCertKeyNoCrypt.pem -nodes
   
   

Creating CA Certificate file:

1. List item
2. Run Keychain Access application
3. Go to System Roots
4. Export the certificate named "Entrust.net Certification Authority (2048)" to a .pem file.
   
   Note: My Roots container has four Entrust certificates; two of them with the name "Entrust.net Certification Authority (2048)" (but with different certificate extensions, via Get Info). Both of the "Entrust.net Certification Authority (2048)" certificates where effective in validating the trust chain; the other two Entrust certificates did not work. More significantly, the Entrust certificate pointed at by the Apple TechNote 2265 also does not work.
   
   Make sure you export to .pem format; the default is .cer and this step is easy to miss.

Run the verification command:

openssl s_client -connect gateway.sandbox.push.apple.com:2195 -cert PushCertKey.pem -debug -showcerts -CAfile "Entrust.net Certification Authority (2048).pem" 

This server and process assume that your are connecting to Apple's Dev sandbox APN server; if you are trying to use the production APN server, you will need to use the correct server and port.

For more information on openssl, I suggest the following pages:

• https://www.madboa.com/geek/openssl/
• https://www.sslshopper.com/article-most-common-openssl-commands.html
• http://gagravarr.org/writing/openssl-certs/general.shtml