APNS VError: ... alert certificate revoked SSL issue

Tudmotu commented 6 years ago

Hi :slightly_smiling_face: I have an issue that I've been trying to figure out for hours. I'm using Parse Server 2.7.4 and I don't seem to be able to send push notifications, I get the following error:

node-pre-gyp ERR! parse-server-push-adapter APNS VError: endpoint error: write EPROTO 140233536760648:error:14094414:SSL routines:ssl3_read_bytes:sslv3
 alert certificate revoked:../deps/openssl/openssl/ssl/s3_pkt.c:1500:SSL alert number 44

Here is a partial stack:

node-pre-gyp ERR! parse-server-push-adapter APNS VError: endpoint error: write EPROTO 140233536760648:error:14094414:SSL routines:ssl3_read_bytes:sslv$
 alert certificate revoked:../deps/openssl/openssl/ssl/s3_pkt.c:1500:SSL alert number 44                                                                                        
node-pre-gyp ERR! parse-server-push-adapter APNS 140233536760648:error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake failure:../deps/openssl/op$
nssl/ssl/s3_pkt.c:659:                                                                                                                                                          
node-pre-gyp ERR! parse-server-push-adapter APNS                                                                                                       
node-pre-gyp ERR! parse-server-push-adapter APNS     at Endpoint.endpoint.on.err (/node_modules/apn/lib/protocol/endpointManager.js:69:32)             
node-pre-gyp ERR! parse-server-push-adapter APNS     at Endpoint.emit (events.js:127:13)                                                               
node-pre-gyp ERR! parse-server-push-adapter APNS     at Endpoint.emit (domain.js:421:20)                                                               
node-pre-gyp ERR! parse-server-push-adapter APNS     at Endpoint.error [as _error] (/node_modules/apn/lib/protocol/endpoint.js:149:10)                 
node-pre-gyp ERR! parse-server-push-adapter APNS     at TLSSocket.emit (events.js:132:15)
node-pre-gyp ERR! parse-server-push-adapter APNS     at TLSSocket.emit (domain.js:421:20)
node-pre-gyp ERR! parse-server-push-adapter APNS     at onwriteError (_stream_writable.js:427:12)
node-pre-gyp ERR! parse-server-push-adapter APNS     at onwrite (_stream_writable.js:449:5)
node-pre-gyp ERR! parse-server-push-adapter APNS     at _destroy (internal/streams/destroy.js:39:7)
node-pre-gyp ERR! parse-server-push-adapter APNS     at TLSSocket.Socket._destroy (net.js:557:3)
node-pre-gyp ERR! parse-server-push-adapter APNS  APNS error transmitting to device %s with error %s 73d5844f896727fb9fa531630e68f508bea69e67fa904b183$
7eab621dc94b58 { VError: endpoint error: write EPROTO 140233536760648:error:14094414:SSL routines:ssl3_read_bytes:sslv3 alert certificate revoked:../deps/openssl/openssl/ssl/s$
_pkt.c:1500:SSL alert number 44
node-pre-gyp ERR! parse-server-push-adapter APNS 140233536760648:error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake failure:../deps/openssl/op$
nssl/ssl/s3_pkt.c:659:

My Parse configuration:

var api = new ParseServer({
    .....
    push: {
        ios: [{
            pfx: '<path-to-dev.p12>',
            password: APNS_PASSPHRASE,
            topic: '<topic>',
            production: false
        }, {
            pfx: '<path-to-prod.p12>',
            password: APNS_PASSPHRASE,
            topic: '<topic>',
            production: true
        }]
    }
});

flovilmart commented 6 years ago

Given the message ‘certificate revoked’ i’d Double check That your certificate is still valid.

Tudmotu commented 6 years ago

My p12 certificates? I created them a couple of days ago and they are valid for a year (or at least that's what Keychain says).

Is there a way to confirm their validity? When I use NWPusher notifications are sent correctly, and the device receives them.

Tudmotu commented 6 years ago

Hi @flovilmart, seems like I figured it out. After hours of searching, found the alert certificate revoked error mentioned in a PN troubleshooting page on Apple's website. So it seems Parse was using the wrong certificate or something. Not sure. But figuring this out lead me to this issue on prase-server repository, and thanks to @liltimtim my issue seems to have been resolved. Didn't test with a prod release yet, but I hope it will work for that as well. So to fix this issue I changed my Parse configuration to:

var api = new ParseServer({
    ...
    push: {
        ios: {
            pfx: '<path-to-prod.p12>',
            password: APNS_PASSPHRASE,
            topic: '<topic>',
            production: process.env.NODE_ENV === 'production'
        }
    }
});

Use only the "omni certificate", and change the production flag according to the environment.

Thank you for this awesome project! 😃

liltimtim commented 6 years ago

@Tudmotu glad to have helped. Push notifications are... tricky sometimes.

Tudmotu commented 6 years ago

Haha, yeah. Thank you very much for the effort investigating these issues! 😃

flovilmart commented 6 years ago

Just a quick reminder that you should probably not rely on NODE_ENV === 'production' to set production to true or false.

Tudmotu commented 6 years ago

Why not? I am running everything in containers so I set the environment variables explicitly. Does it matter?

flovilmart commented 6 years ago

NODE_ENV=production is used by many frameworks to enable performance improvements, so this may not reflect what you want.

Tudmotu commented 6 years ago

OK got it, thanks! I will maybe use some other name :+1:

parse-community / parse-server-push-adapter

APNS VError: ... alert certificate revoked SSL issue #115