PushCert.pem downloaded from Apple Push Certificates Portal not valid

[MaximilianoRios]

I followed all the instructions and I expected to get a .pem file containing all like I got it the first time I started working on MDM, including private key as I expect:

-----BEGIN RSA PRIVATE KEY----- .....

But this certificate downloaded after sending a signed list does not contain the private key, and I cannot use it with the APNSWrapper:

wrapper = APNSNotificationWrapper("PushCert.pem", sandbox=False)

I get the typical error or a missing private key from the ssl routines:

ssl.SSLError: [Errno 336265225] _ssl.c:355: error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib

I've tried a couple of solutions but it doesn't work.

[dbpolito]

I'm having this issue too, i also tried a few different things i've found in other issues but no luck so far.

[MaximilianoRios]

From what I knew we have to use the private key to send a message (it's signed with the private key) and the certificates chain. I built an app before that had some problems with different issues but my certificate was exactly private/public and the chain, and it works. So I'm quite sure these instructions are not correct. What other issues do you have? In my case this is the only one.

[MaximilianoRios]

Finally I made it work. To send commands it's not possible to use other than the private key, so I added the private key to my PushCert.pem and the APNSWrapper started sending messages right away. Not sure why it's exactly like this, when I started working on MDM I followed the instructions of Intrepidous Group and they make it clear, you have to use the private key to send Push Notifications from the server.

[dbpolito]

@MaximilianoRios So now you followed exactly the same as the guide shows, with the exception of the comment above?

Are you using IP address or DNS with a properly SSL Cert?

[MaximilianoRios]

Yes, so tell me what's wrong with yours and I can help you, I made it works.

[dbpolito]

I'm not at my computer right now, but i can for sure use your help, haha... I'm trying to make it work for sometime...

Tomorrow i'll try what you said and let you know the result.

Are you using IP address or DNS with a properly SSL Cert?

[MaximilianoRios]

I have your personal email address, post a new issue and I will help you to go through...

On Wed, Dec 3, 2014 at 2:43 PM, Daniel Polito notifications@github.com wrote:

I'm not at my computer right now, but i can for sure use your help, haha... I'm trying to make it work for sometime...

Tomorrow i'll try what you said and let you know the result.

Are you using IP address or DNS with a properly SSL Cert?

— Reply to this email directly or view it on GitHub https://github.com/project-imas/mdm-server/issues/19#issuecomment-65505443 .

[thrasr]

Glad to see you guys solved a bit of this! I'm currently in the process of redoing the certificate setup process due to the recent iOS 8 changes. Please let me know if you guys run into any other trouble, and especially any solutions that you find - it helps me when I can roll those into an updated process and readme file.

[dbpolito]

WOOHOOOOOO, works! So here is what i did:

At server folder:

openssl pkcs12 -in Identity.p12 -nocerts -out privateKey.pem
openssl pkcs12 -in Identity.p12 -clcerts -nokeys -out publicCert.pem
openssl rsa -in privateKey.pem -out newkey.pem

Then i put the content of newkey.pem at the beginning of my PushCert.pem

Thanks @MaximilianoRios @thrasr, you rocks!

[dbpolito]

ahh after that, you can delete these 3 .pem files you just generated, you won't use it anymore. Or keep it anywhere...

[MaximilianoRios]

Sorry I didn't post the solution but it's exactly what you did there, you need the private key to sign the messages with APNSWrapper. I think I'm going to make a couple of changes in the documentation and push another minor fix I had to change in the windows version.

[thrasr]

Nice work. Those commands will probably become part of the readme after I get to that part.

For now, have either of you had problems with the java softhinker code? Recently I've been getting errors with the crypto libraries. Have you seen this problem, and if so - how did you get around it?

[MaximilianoRios]

Not any issue with Java but I'm using a different version, my current version is 1.8.0.20

[pjfraser82]

Team,

I too am having the same issues as outlined above. All the steps work but I do get the same error:

SSLError: [Errno 336265225] _ssl.c:355: error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib

I have tried solutions in this thread and others but it still does not seem to work.

Has there been anymore done about a proper write up on how to fix this?

[pjfraser82]

Note: I am using IP Address not DNS. Does that effect it?

[MaximilianoRios]

IP doesn't affect the process at all. I had to redo the process more than once because I made small mistakes and it didn't work. I'm quite sure the problem with the private key is you don't have the private key in the PushCert.pem and that's why it doesn't work. I'm leaving on a trip now for a couple of days but send us what you found and I will look at it as soon as possible.

[pjfraser82]

Hi Max,

Managed to get it working through the other bug on the page. Followed the instructions, I have previously missed a step.

Would you like me to work on an installation document step by step using Ubuntu if I get some time over christmas?

[MaximilianoRios]

There're so many steps that's a miracle to make it work :D

It would be nice you can work on that, I think it's going to be very useful for everyone. I found some minor issues on Windows and I'm going to fix them.

[mvnpavan]

Hi guys , I was faced same problem when I setup server for the first time , so I went through some other Instructions to create vendor.p12 , pushcert.pem in the following link http://www.blueboxmoon.com/wordpress/?p=877 , hope it might help you.

[thrasr]

Hope everyone had a great winter vacation!

Now that we're back, I've finally been able to go through the entire process and get (almost) everything cleared up and working. I've based the new instructions on the blogpost link that @mvnpavan provided. We've moved away from the java-based vendor signing code, which wasn't being updated and doesn't work with the latest versions of java. We've moved to the python based code located here. We've been able to go through the entire process, so hopefully these new instructions will fix some of the problems that have been popping up. If you haven't been able to get the server to work using the old instructions, then please try the new instructions and let me know how it goes!

Thanks everyone for your help!