sideshow / apns2

⚡ HTTP/2 Apple Push Notification Service (APNs) push provider for Go — Send push notifications to iOS, tvOS, Safari and OSX apps, using the APNs HTTP/2 protocol.
MIT License

Apple Push Notification service server certificate update #236

Open bmueller opened 1 week ago

bmueller commented 1 week ago

Apple just posted this story saying that the Certification Authority for APNs is changing. What do we need to do in order to make sure we have the correct certificate installed? I am running my push notification server on Heroku.

neilmorton commented 1 week ago

Hi @bmueller.

I saw this too. It seems Apple are changing the server certificates again.

As a result we need to ensure that our push notification server Trust Stores include the new server certificate to prevent push notification delivery issues when the change occurs next year.

My understanding is that this means ensuring that SHA-2 Root : USERTrust RSA Certification Authority is included in your Trust Store (/etc/ssl/certs/ on linux).

e.g. USERTrust_RSA_Certification_Authority.pem -> /usr/share/ca-certificates/mozilla/USERTrust_RSA_Certification_Authority.crt

It is possible to verify certificates using openssl s_client -connect gateway.push.apple.com:2195 -CApath /etc/ssl/certs/, although as Apple are not yet using the new cert, it should pass based on the existing Apple Worldwide Developer Relations (WWDR) Intermediate Certificate.

When I try to verify with openssl s_client -connect gateway.push.apple.com:2195 -CAfile /usr/share/ca-certificates/mozilla/USERTrust_RSA_Certification_Authority.crt I get a verification error, Verification error: unable to get local issuer certificate, which I believe is because Apple are still using the current certificate until next year.

In short, I believe that if you make sure that the SHA-2 Root : USERTrust RSA Certification Authority is in your Trust Store, you should be good.

Although I will be testing it on Sandbox on/after 20th January 2025 to make sure.

bmueller commented 1 week ago

Thanks for the detailed reply, @neilmorton! If I'm using Heroku to host my apns2 server, would they be the ones in charge of changing the certificate on their end? I don't remember adding a certificate for this when I first set up the server, but I might be remembering wrong.