
I'm having a problem developing a "provider" for APNS. My server is trying to send messages using apns-client; it seems there are no problems occurring while sending messages, but the device isn't receiving any messages at all.

Recently I changed the *.pem file to a new one. Messages were properly received while using the previous *.pem file, so I'm sure that there are no problems with the server connection or the sending script (written in Python). The reason is probably that the old *.pem file is valid but the new *.pem file is not.

I would very much like to get an "error" response from the APNS server if the *.pem file is invalid, but it seems that neither the APNS server nor the apns-client library returns any error signal even if the *.pem file is invalid. I've proved this by adding one hundred 'a's to the line before -----END RSA PRIVATE KEY----- in the *.pem file and running the same Python script. Yes, it still didn't receive any error messages.

Since the APNS server returns no error messages, it's nearly impossible to check whether the *.pem file is valid... Isn't there any way to check whether the *.pem file is valid?

  • When I generate my certificate it asks me for a key, which was specified when I exported it from Keychain. When I start the application it asks me for the key in the console, so I become sure that my certificate loads correctly; then I simply delete this key. One more thing I noticed is that if you delete your provisioning profile, it does not print anything – Slow Harry Feb 06 '14 at 07:02

3 Answers


Here's some troubleshooting info suggested by Apple:

Problems Connecting to the Push Service

One possibility is that your server is unable to connect to the push service. This can mean that you don't have the certificate chain needed for TLS/SSL to validate the connection to the service. In addition to the SSL identity (certificate and associated private key) created by Member Center, you should also install the Entrust CA (2048) root certificate on your provider. This allows TLS/SSL to verify the full APNs server cert chain. If you need to get this root certificate, you can download it from Entrust's site. Also verify that these identities are installed in the correct location for your provider and that your provider has permission to read them.

You can test the TLS/SSL handshake using the OpenSSL s_client command, like this:

$ openssl s_client -connect gateway.sandbox.push.apple.com:2195 -cert YourSSLCertAndPrivateKey.pem -debug -showcerts -CAfile server-ca-cert.pem

where server-ca-cert.pem is the Entrust CA (2048) root certificate.

Be sure the SSL identity and the hostname are the correct ones for the push environment you're testing. You can configure your App ID in Member Center separately for the sandbox and production environment, and you will be issued a separate identity for each environment.

Using the sandbox SSL identity to try to connect to the production environment will return an error like this:

CRITICAL | 14:48:40.304061 | Exception creating ssl connection to Apple: [Errno 1] _ssl.c:480: error:14094414:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate revoked

  • Entrust CA (2048) already exists, but in the certificate chain I can see the message "The issuer of this certificate could not be found." instead of "This certificate is OK." – Rashmin Javiya Oct 14 '16 at 13:04

To test your PRODUCTION cert, open Terminal and do this:

openssl s_client -connect gateway.push.apple.com:2195 -cert PushProdCer.pem -key PushProdKey.pem

I am not familiar with the Python client you are using, but surely there is a way to simply attempt to open a connection to Apple's PNS servers and detect whether that connection failed or not. If the connection fails, then something is wrong with the PEM file, either the format or the certificate values themselves.

If you want to get an error message that's a little more informative than "pass or fail," I recommend you look into third-party shell scripts that can return some basic information about the PEM file. This thread contains a few sample scripts.

Of course, you can also check for some basic format validations that are widely available. I provided one such example here, but there are others.

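The basic format validation the question asks for and the last answer alludes to, written as an added example in Python (the language of the asker's sending script). This is not code from the page, from apns-client or from Apple. It splits the file into PEM blocks, checks that BEGIN and END labels agree, decodes the base64 body and then verifies that the result is exactly one DER SEQUENCE whose length field matches the decoded data and whose inner elements tile it; appending one hundred 'a's to a key, as the asker did, still decodes as base64 but fails the DER length check. The sample "key" is a constructed nine-byte DER SEQUENCE standing in for a real RSA key, and `to_pem`, `pad_last_line`, `check_pem` and the other names are this example's own.

```python
import base64
import binascii


def split_pem_blocks(text):
    """Return (begin_label, end_label, body_lines) for each PEM block in text.

    end_label is None when a BEGIN line has no matching END line, and
    begin_label is None when an END line appears without a BEGIN line.
    """
    blocks = []
    label = None
    body = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("-----BEGIN ") and line.endswith("-----"):
            if label is not None:  # previous block was never closed
                blocks.append((label, None, body))
            label = line[len("-----BEGIN "):-5]
            body = []
        elif line.startswith("-----END ") and line.endswith("-----"):
            blocks.append((label, line[len("-----END "):-5], body))
            label, body = None, []
        elif label is not None and line:
            body.append(line)
    if label is not None:
        blocks.append((label, None, body))
    return blocks


def der_tlv(der, offset):
    """Parse one DER tag-length-value at offset; return (tag, value_start, value_end)."""
    if offset + 2 > len(der):
        raise ValueError("truncated TLV header")
    tag = der[offset]
    first = der[offset + 1]
    pos = offset + 2
    if first < 0x80:  # short-form length
        length = first
    else:  # long-form length: low 7 bits give the number of length bytes
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + nbytes > len(der):
            raise ValueError("bad length encoding")
        length = int.from_bytes(der[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(der):
        raise ValueError("length runs past end of data")
    return tag, pos, pos + length


def check_der_sequence(der):
    """Return None if der is exactly one SEQUENCE whose children tile it, else a reason."""
    try:
        tag, start, end = der_tlv(der, 0)
    except ValueError as exc:
        return str(exc)
    if tag != 0x30:
        return "outer element is not a SEQUENCE (tag 0x%02x)" % tag
    if end != len(der):
        # Trailing junk (the question's 'a's) or a concatenated file lands here.
        return "SEQUENCE declares %d bytes but %d were decoded" % (end - start, len(der) - start)
    pos = start
    while pos < end:
        try:
            _, _, pos = der_tlv(der, pos)
        except ValueError as exc:
            return "inner element: " + str(exc)
    return None


def check_pem(text):
    """Check every PEM block in text. Returns a list of (label, ok, reason)."""
    results = []
    for begin, end, body in split_pem_blocks(text):
        if begin is None:
            results.append((end, False, "END line without a BEGIN line"))
        elif end is None:
            results.append((begin, False, "BEGIN line without an END line"))
        elif begin != end:
            results.append((begin, False, "BEGIN/END labels differ (%s vs %s)" % (begin, end)))
        elif not body:
            results.append((begin, False, "empty body"))
        else:
            try:
                # validate=True rejects characters outside the base64 alphabet;
                # junk after '=' padding is rejected by base64 on newer Pythons
                # and by the DER length check on older ones.
                der = base64.b64decode("".join(body), validate=True)
            except (binascii.Error, ValueError) as exc:
                results.append((begin, False, "base64 decode failed: %s" % exc))
                continue
            reason = check_der_sequence(der)
            results.append((begin, reason is None, reason or "well-formed DER SEQUENCE"))
    return results


def to_pem(label, der):
    """Wrap DER bytes in a PEM block with 64-column base64 lines (RFC 7468)."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, "\n".join(lines), label)


def pad_last_line(pem, junk="a" * 100):
    """Reproduce the question's experiment: append junk to the line before the END line."""
    lines = pem.rstrip("\n").split("\n")
    lines[-2] += junk
    return "\n".join(lines) + "\n"


# Constructed stand-in for a key: SEQUENCE { INTEGER 0, OCTET STRING aabb }.
# Nine bytes, so the base64 body needs no '=' padding. Not a real RSA key.
SAMPLE_DER = bytes.fromhex("3007" "020100" "0402aabb")
GOOD_PEM = to_pem("RSA PRIVATE KEY", SAMPLE_DER)
CORRUPTED_PEM = pad_last_line(GOOD_PEM)

if __name__ == "__main__":
    for name, pem in (("good", GOOD_PEM), ("corrupted", CORRUPTED_PEM)):
        for label, ok, reason in check_pem(pem):
            print("%-9s %-16s %s  %s" % (name, label, "OK " if ok else "BAD", reason))
```

This proves only that the file is well-formed, not that the key belongs to the certificate or that the identity is the one issued for the gateway you connect to. With OpenSSL installed, `openssl rsa -in key.pem -check -noout` validates the key itself, and the output of `openssl x509 -in cert.pem -noout -modulus` must equal that of `openssl rsa -in key.pem -noout -modulus`. Inside the sending script, `ssl.create_default_context().load_cert_chain(certfile, keyfile)` raises `ssl.SSLError` for a PEM that OpenSSL cannot parse or a key that does not match the certificate, so calling it before opening the connection is the cheapest end-to-end check.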