richsage / RMSPushNotificationsBundle

NOT MAINTAINED! ⛔️ Push notifications/messages for mobile devices. Supports iOS, Android (C2DM, GCM), Blackberry and Windows Mobile (toast only). A Symfony2 bundle.
MIT License

Specifying Entrust CA certificate #88

Closed berengergermain closed 9 years ago

berengergermain commented 9 years ago

Hello,

I am a newcomer on GitHub and I first want to thank you for this wonderful bundle.

I use it to manage notifications with a Cordova-based app and it works nicely for Android and iOS... when I am in sandbox :) In the production environment, I have some problems that I don't know how to solve.

I have already generated the SSL certificate, and when I test it in a terminal through an openssl command the APNS (in production mode) responds well. But with the bundle, I don't know how to specify the path to the Entrust certificate (the authority that signs the Apple certificate), which must be added to the stream context (with the PHP function "stream_context_set_option"). Is there a way to specify it directly, or a way to get the context which will be used by the notification service?

Kind regards, Bérenger Germain

pjfraser82 commented 9 years ago

Any luck getting this working? I think we might have the same problem.

If we run a Wireshark trace on the APNS gateway, Apple responds with TCP RST. They also respond with a content type: 21

This means it was unable to decrypt the information.

Any pointers would be great.

richsage commented 9 years ago

@berengergermain I've not seen this before, but doesn't mean it's not an issue :-) Are you able to temporarily hack in that stream_context_set_option call and verify it works? I'm happy to add an additional configuration option if so.

It may be because the deployments I've done before already have a certificate bundle installed - is this the case on your environments too (@pjfraser82 as well!)

berengergermain commented 9 years ago

@richsage I'm confused because I was wrong: all is working well :) It's not necessary to specify the Entrust certificate (in fact, it is obligatory only through the openssl command to receive a successful response). The problem I had came from my application and is now resolved. Sorry for the inconvenience and thank you for your response ;)

Regards. Bérenger

richsage commented 9 years ago

@berengergermain no problem, glad you got it all working! @pjfraser82 interested to know if you got your issue sorted separately? Or if you can try the hacky option and let me know how you get on?

Glideh commented 7 years ago

I was wondering about the same, and would still like to know why it's not required from within the bundle. The documentation from Apple says:

To establish a TLS session with APNs, an Entrust Secure CA root certificate must be installed on the provider’s server. If the server is running macOS, this root certificate is already in the keychain. On other systems, the certificate might not be available. You can download this certificate from the Entrust SSL Certificates website.

We can still install the certificate on the server (like in this Debian-based example). Not tried yet.

Glideh commented 7 years ago

For info the certificate seems to be already there in my debian:jessie docker container:

$ cp ./entrust_2048_ca.cer /usr/local/share/ca-certificates/entrust_2048_ca.crt

$ update-ca-certificates
Updating certificates in /etc/ssl/certs... WARNING: Skipping duplicate certificate Entrust.net_Premium_2048_Secure_Server_CA.pem
WARNING: Skipping duplicate certificate Entrust.net_Premium_2048_Secure_Server_CA.pem
1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d....done.

$ ls /etc/ssl/certs/Entrust*
Entrust.net_Premium_2048_Secure_Server_CA.pem  Entrust_Root_Cer...ion_Authority_-_EC1.pem
Entrust_Root_Certification_Authority.pem       Entrust_Root_Cer...ion_Authority_-_G2.pem

Which would explain why it's not required.
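An added example, not part of the thread and not the bundle's own code: a PHP check of whether the default OpenSSL trust store already holds an Entrust root, followed by the stream context the original question asked about, with an optional explicit `cafile`. The function names `findCaSubjects` and `buildApnsContext` and the client certificate path are hypothetical placeholders.

```php
<?php
/** Subjects of all certificates in $pemFile whose subject contains $needle. */
function findCaSubjects(string $pemFile, string $needle): array
{
    $found = [];
    $pem = @file_get_contents($pemFile);
    if ($pem === false) {
        return $found; // unreadable or missing file: nothing trusted from it
    }
    preg_match_all('/-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/s', $pem, $m);
    foreach ($m[0] as $block) {
        $info = openssl_x509_parse($block);
        if ($info !== false && stripos($info['name'] ?? '', $needle) !== false) {
            $found[] = $info['name'];
        }
    }
    return $found;
}

/** TLS client context; $caFile = null keeps PHP's default trust store. */
function buildApnsContext(string $clientPem, ?string $caFile = null)
{
    $ctx = stream_context_create();
    stream_context_set_option($ctx, 'ssl', 'local_cert', $clientPem);
    stream_context_set_option($ctx, 'ssl', 'verify_peer', true);
    stream_context_set_option($ctx, 'ssl', 'verify_peer_name', true);
    if ($caFile !== null) {
        // Explicit CA file, for hosts whose system bundle lacks the root.
        stream_context_set_option($ctx, 'ssl', 'cafile', $caFile);
    }
    return $ctx;
}

// Where PHP's OpenSSL looks when no cafile/capath is set on the context.
$loc    = openssl_get_cert_locations();
$bundle = $loc['ini_cafile'] ?: $loc['default_cert_file'];
$dir    = $loc['ini_capath'] ?: $loc['default_cert_dir'];
echo "cafile: $bundle\ncapath: $dir\n";

$hits = findCaSubjects($bundle, 'Entrust');
foreach (glob($dir . '/Entrust*') ?: [] as $pemFile) {
    $hits = array_merge($hits, findCaSubjects($pemFile, 'Entrust'));
}
echo $hits ? implode("\n", array_unique($hits)) . "\n"
           : "No Entrust root in the default trust store\n";

// Placeholder client certificate path; nothing is opened until a connect.
$ctx = buildApnsContext('/path/to/apns-production.pem');
print_r(stream_context_get_options($ctx));
```

If the check finds no Entrust subject, pass the path of the downloaded root as the second argument to `buildApnsContext` and keep `verify_peer` enabled.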