CERTIFICATE_VERIFY_FAILED since v0.7.1

[awesome-manuel]

Since v0.7.1 I get the following error using the Docker container:

sygnal_1         | sygnal.exceptions.TemporaryNotificationDispatchException: aioapns Connection Failure
sygnal_1         | 2020-07-28 07:08:31,637 [1] INFO  sygnal.access Handled request: "172.27.0.1" - - [28/Jul/2020:07:08:31 +0000] "POST /_matrix/push/v1/notify HTTP/1.1" 502 - "-" "Synapse/1.16.1"
sygnal_1         | 2020-07-28 07:08:31,958 [1] ERROR aioapns Could not connect to server: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1091)
sygnal_1         | 2020-07-28 07:08:31,958 [1] WARNING aioapns Could not send notification: ConnectionError
sygnal_1         | 2020-07-28 07:08:31,958 [1] ERROR aioapns Failed to connect after 4 attempts.
sygnal_1         | 2020-07-28 07:08:31,959 [1] WARNING sygnal.apnspushkin Temporary failure, will retry in 40 seconds
sygnal_1         | Traceback (most recent call last):
sygnal_1         |   File "/usr/local/lib/python3.7/site-packages/aioapns/connection.py", line 335, in acquire
sygnal_1         |     connection = await self.create_connection()
sygnal_1         |   File "/usr/local/lib/python3.7/site-packages/aioapns/connection.py", line 435, in create_connection
sygnal_1         |     ssl=self.ssl_context
sygnal_1         |   File "/usr/local/lib/python3.7/asyncio/base_events.py", line 989, in create_connection
sygnal_1         |     ssl_handshake_timeout=ssl_handshake_timeout)
sygnal_1         |   File "/usr/local/lib/python3.7/asyncio/base_events.py", line 1017, in _create_connection_transport
sygnal_1         |     await waiter
sygnal_1         |   File "/usr/local/lib/python3.7/asyncio/sslproto.py", line 530, in data_received
sygnal_1         |     ssldata, appdata = self._sslpipe.feed_ssldata(data)
sygnal_1         |   File "/usr/local/lib/python3.7/asyncio/sslproto.py", line 189, in feed_ssldata
sygnal_1         |     self._sslobj.do_handshake()
sygnal_1         |   File "/usr/local/lib/python3.7/ssl.py", line 774, in do_handshake
sygnal_1         |     self._sslobj.do_handshake()

[reivilibre]

I'm looking into it.

[reivilibre]

Certificate chain:

• api.push.apple.com
• Apple IST CA 2 - G1
• GeoTrust Global CA

[reivilibre]

My local system:

$ ls -lah | grep GeoTrust
lrwxrwxrwx    22 root 2017-10-26 19:26 2c543cd1.0 -> GeoTrust_Global_CA.pem
lrwxrwxrwx    49 root 2017-10-26 19:26 116bf586.0 -> GeoTrust_Primary_Certification_Authority_-_G2.pem
lrwxrwxrwx    44 root 2017-10-26 19:26 480720ec.0 -> GeoTrust_Primary_Certification_Authority.pem
lrwxrwxrwx    27 root 2017-10-26 19:26 8867006a.0 -> GeoTrust_Universal_CA_2.pem
lrwxrwxrwx    25 root 2017-10-26 19:26 ad088e1d.0 -> GeoTrust_Universal_CA.pem
lrwxrwxrwx    49 root 2017-10-26 19:26 e2799e36.0 -> GeoTrust_Primary_Certification_Authority_-_G3.pem
lrwxrwxrwx    57 root 2017-08-11 23:35 GeoTrust_Global_CA.pem -> /usr/share/ca-certificates/mozilla/GeoTrust_Global_CA.crt
lrwxrwxrwx    79 root 2017-08-11 23:35 GeoTrust_Primary_Certification_Authority.pem -> /usr/share/ca-certificates/mozilla/GeoTrust_Primary_Certification_Authority.crt
lrwxrwxrwx    84 root 2017-08-11 23:35 GeoTrust_Primary_Certification_Authority_-_G2.pem -> /usr/share/ca-certificates/mozilla/GeoTrust_Primary_Certification_Authority_-_G2.crt
lrwxrwxrwx    84 root 2017-08-11 23:35 GeoTrust_Primary_Certification_Authority_-_G3.pem -> /usr/share/ca-certificates/mozilla/GeoTrust_Primary_Certification_Authority_-_G3.crt
lrwxrwxrwx    60 root 2017-08-11 23:35 GeoTrust_Universal_CA.pem -> /usr/share/ca-certificates/mozilla/GeoTrust_Universal_CA.crt
lrwxrwxrwx    62 root 2017-08-11 23:35 GeoTrust_Universal_CA_2.pem -> /usr/share/ca-certificates/mozilla/GeoTrust_Universal_CA_2.crt

Files from extracted Docker image:

$ ls -lah | grep GeoTrust
lrwxrwxrwx    27 aaa  2020-07-22 13:29 8867006a.0 -> GeoTrust_Universal_CA_2.pem
lrwxrwxrwx    62 aaa  2020-07-22 13:29 GeoTrust_Universal_CA_2.pem -> /usr/share/ca-certificates/mozilla/GeoTrust_Universal_CA_2.crt

So the certificate for api.push.apple.com's CA is missing as a trusted cert...

(N.B. It's not just a symlink missing; it doesn't exist in /usr/share/ca-certificates/mozilla either.)

[richvdh]

For the record, this was caused by Debian removing the GeoTrust_Universal_CA_2.pem certificate as a trusted root certificate in ca-certificates 20200601~deb10u1. (Our docker image is based on python:3.7-slim, which is based on Debian Buster.) When we rebuilt the docker image to pick up the security fix in aioapns, we also got the updated ca-certificates package.

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=962596 is a debian bug discussing this removal. In the meantime, and unless and until Apple switch to a certificate issued by a more trustworthy CA, the only plausible workaround is to add that certificate back into the trust store. @reivilibre is working on updating the Docker image to do just that.

[reivilibre]

Thanks for your report and sorry for the issue!

This has been addressed by Sygnal 0.7.2 (and 0.8.1) which have been just released; Docker builds will appear shortly.

[JaspreetiOSDev]

Any update on this we are getting this issue. Please tell us if you have any clue about this. Thanks in advance

[Sr-Preet]

root@matrix:~/sygnal# tail -f logs.log Traceback (most recent call last): File "/root/sygnal/sygnal/http.py", line 265, in _handle_dispatch result = await pushkin.dispatch_notification(notif, d, context) File "/root/sygnal/sygnal/apnspushkin.py", line 254, in dispatch_notification return await self._dispatch_request( File "/root/sygnal/sygnal/apnspushkin.py", line 212, in _dispatch_request raise NotificationDispatchException( sygnal.exceptions.NotificationDispatchException: 400 DeviceTokenNotForTopic

Getting this along with certificate verify failed: unable to get local issuer certificate (_ssl.c:1125)')))

Can anyone help please