12

I've gone through the process here http://www.raywenderlich.com/32960/apple-push-notification-services-in-ios-6-tutorial-part-1#comments about 7 times. The other forum posts on this topic didn't seem to provide an answer other than the certificates arent valid. However I followed the steps exactly, and if Im missing something about how to ensure my certificates are valid I am all ears!

Ive tried using my email as well the email registered with account which hosts the game, and followed every step to the T!

I request a certificate, export my p12 key, download the public certificate, and make them into .pem files.

Why am I still getting these errors:

verify error:num=20:unable to get local issuer certificate verify return:0

No client certificate CA names sent

Here is the full output when I connect to the APNS:

openssl s_client -connect gateway.sandbox.push.apple.com:2195 -cert cert.pem -key key.pem

Enter pass phrase for key.pem:
CONNECTED(00000003)
depth=1 /C=US/O=Entrust, Inc./OU=www.entrust.net/rpa is incorporated by reference/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification Authority - L1C
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/C=US/ST=California/L=Cupertino/O=Apple Inc./OU=iTMS Engineering/CN=gateway.sandbox.push.apple.com
   i:/C=US/O=Entrust, Inc./OU=www.entrust.net/rpa is incorporated by reference/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification Authority - L1C
 1 s:/C=US/O=Entrust, Inc./OU=www.entrust.net/rpa is incorporated by reference/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification Authority - L1C
   i:/O=Entrust.net/OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Certification Authority (2048)
---
Server certificate
-----BEGIN CERTIFICATE-----
IIIFGzCCBAOgAwIBAgIETBz90jANBgkqhkiG9w0BAQUFADCBsTELMAkGA1UEBhMC
VVMxFjAUBgNVBAoTDUVudHJ1c3QsIEluYy4xOTA3BgNVBAsTMHd3dy5lbnRydXN0
Lm5ldC9ycGEgaXMgaW5jb3Jwb3JhdGVkIGJ5IHJlZmVyZW5jZTEfMB0GA1UECxMW
KGMpIDIwMDkgRW50cnVzdCwgSW5jLjEuMCwGA1UEAxMlRW50cnVzdCBDZXJ0aWZp
Y2F0aW9uIEF1dGhvcml0eSAtIEwxQzAeFw0xMjA1MjUyMzM3NDZaFw0xNDA1MzEw
NTA4NDhaMIGPMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTESMBAG
A1UEBxMJQ3VwZXJ0aW5vMRMwEQYDVQQKEwpBcHBsZSBJbmMuMRkwFwYDVQQLExBp
VE1TIEVuZ2luZWVyaW5nMScwJQYDVQQDEx5nYXRld2F5LnNhbmRib3gucHVzaC5h
cHBsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC/r1z4BRFu
DIU9/vOboVmd7OwaPPLRtcZiZLWxSyG/6KeRPpaeaC6DScvSDRoJuIeTDBup0bg4
08K0Gzh+lfKRlJOC2sma5Wgvk7oP4sty83My3YCZQv4QvgDhx+seONNs6XiA8Cl4
ingDymWGlzb0sTdfBIE/nWiEOtXQZcg6GKePOWXKSYgWyi/08538UihKK4JZIOL2
eIeBwjEwlaXFFpMlStc36uS/8oy+KMjwvuu3HazNMidvbGK2Z68rBnqnOAaDBtuT
K7rwAa5+i8GYY+sJA0DywMViZxgG/xWWyr4DvhtpHfUjyQgg1ixM8q651LNgdRVf
4sB0PfANitq7AgMBAAGjggFZMIIBVTALBgNVHQ8EBAMCBaAwHQYDVR0lBBYwFAYI
KwYBBQUHAwEGCCsGAQUFBwMCMDMGA1UdHwQsMCowKKAmoCSGImh0dHA6Ly9jcmwu
ZW50cnVzdC5uZXQvbGV2ZWwxYy5jcmwwZQYIKwYBBQUHAQEEWTBXMCMGCCsGAQUF
BzABhhdodHRwOi8vb2NzcC5lbnRydXN0Lm5ldDAwBggrBgEFBQcwAoYkaHR0cDov
L2FpYS5lbnRydXN0Lm5ldC9sMWMtY2hhaW4uY2VyMEAGA1UdIAQ5MDcwNQYJKoZI
hvZ9B0sCMCgwJgYIKwYBBQUHAgEWGmh0dHA6Ly93d3cuZW50cnVzdC5uZXQvcnBh
MB8GA1UdIwQYMBaAFB7xq4kG+EkPATN37hR67hl8kyhNMB0GA1UdDgQWBBSgNiNR
qtTShi8PuJ7UNUEbeE71STAJBgNVHRMEAjAAMA0GCSqGSIb3DQEBBQUAA4IBAQAS
EDkUyBHVdRJnCLHY8w9ec92NWqBYqKiSGP0uVCvgpsJIWDBkCGIw1Olks6mQuS9+
R7VRJJFg7EhtufmoRIvjgntKpTe49sB/lrmiZVQGnhjd6YdyYm9+OBUWRvwketLM
v0S+nxZD0qLLJ9foVUB8zP8LtutqFJ5IZw1xb9eSNzhpKkQ9ylj8MCd4tpXZxICL
Gt327poTXwmjQ+31fz7HCQCowMHccP8kiKM5SeYC9q+nkmdaozHVvw4e1RsP+EWO
vPtcH1x1BCkTJajmrO7JuRPLuBEnZGSPUVFRKWP9jy0a28VnJek+oA7rRMRD8irU
fMGbLqkGn8YogdPqe5T1
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=Cupertino/O=Apple Inc./OU=iTMS Engineering/CN=gateway.sandbox.push.apple.com
issuer=/C=US/O=Entrust, Inc./OU=www.entrust.net/rpa is incorporated by reference/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification Authority - L1C

No client certificate CA names sent

SSL handshake has read 2731 bytes and written 2191 bytes

New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 0BB064CE572CC45FF7FE32B45E53BA282E36ACE58516F0110C2F1C1BCCA647E0B13ADF8273F3122219C0B7C069CB02D7
    Key-Arg   : None
    Start Time: 1396636635
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)

First part SOLVED my certificates are valid

Adding -CAfile and the 2048 EA cert did the trick.

Now to get this working on my server...

Server code:

$deviceToken = '05ae9852d21e51d7d516777bad0453456346456456456211a09085abe197c';

        // Put your private key's passphrase here:
        $passphrase = 'password';

        // Put your alert message here:
        $message = 'TEST NOTIFICATION';

        $ctx = stream_context_create();
        stream_context_set_option($ctx, 'ssl', 'local_cert', 'ck.pem');
        stream_context_set_option($ctx, 'ssl', 'passphrase', $passphrase);
        stream_context_set_option($ctx, 'ssl', 'cafile', 'entrust_2048_ca.cer');
        //stream_context_set_option($ctx, 'ssl', 'allow_self_signed', 1);
        //stream_context_set_option($ctx, 'ssl', 'verify_peer', 1);

        // Open a connection to the APNS server
        $fp = stream_socket_client('ssl://gateway.sandbox.push.apple.com:2195', $err, $errstr, 60, STREAM_CLIENT_CONNECT|STREAM_CLIENT_PERSISTENT, $ctx);

Solved

As stated below it was missing the full path.

Aggressor
  • 13,323
  • 24
  • 103
  • 182

1 Answers1

12

See the error:

CONNECTED(00000003) depth=1 /C=US/O=Entrust, Inc./OU=www.entrust.net/rpa is incorporated by reference/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification Authority - L1C verify error:num=20:unable to get local issuer certificate verify return:0

In the tutorial , on the troobleshooting section read the bullet #3

Unable to get local issuer certificate. This error means that the certificate from the server could not be verified. To fix this you need to download the Entrust CA root certificate. This can be done from the Terminal using the command: curl -O https://www.entrust.com/root-certificates/entrust_2048_ca.cer You then also need to add stream_context_set_option($ctx, 'ssl', 'cafile', 'entrust_2048_ca.cer');

Download entrust_2048_ca.cer

make sure all your cerificate are in the same directory as the PHP script.

Change your code to the following:

//applying context to stream option
stream_context_set_option($ctx, 'ssl', 'local_cert', 'ck.pem');
stream_context_set_option($ctx, 'ssl', 'passphrase', $passphrase);
stream_context_set_option($ctx, 'ssl', 'cafile', 'entrust_2048_ca.cer');

You should be good now.

After a long Chat with @Agressor, solution was to put the full path to entrust_2048_ca.cer

/var/www/site/pages/entrust_2048_ca.cer
meda
  • 45,103
  • 14
  • 92
  • 122
  • 1
    I have it validating though the terminal to apple. however on my server I keep getting the same error: Warning: stream_socket_client(): SSL operation failed with code 1. OpenSSL Error messages: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure – Aggressor Apr 04 '14 at 19:44
  • Ill update my answer with my server code but looks like yours : – Aggressor Apr 04 '14 at 19:44
  • Also the ck.pem and ca.cer is in the same folder with 777 permissions! – Aggressor Apr 04 '14 at 19:47
  • did you set a Password on your certificate? – meda Apr 04 '14 at 19:52
  • Yes I tried those, I did set a password and the password is correct. I even tried converting the entrust certificate to a .pem file, still no avail. I tested my ck.pem against apples server in the terminal and it worked, so I know the issue is strictly server side...but what :/ – Aggressor Apr 04 '14 at 19:56
  • openssl s_client -connect gateway.sandbox.push.apple.com:2195 -cert ck.pem -showcerts -CAfile ca.pem gets me a return of 1 across the board, so I feel like theres some setting or issue on my actual server... – Aggressor Apr 04 '14 at 19:59
  • @Aggressor are you available for [chat](http://chat.stackoverflow.com/rooms/50313/pushnotifications) – meda Apr 04 '14 at 20:05
  • Darn says I need 20 reputation to use it:/ Only at 7 – Aggressor Apr 04 '14 at 20:09
  • Click join, leave the top field as Aggressor and just put a nick for the 2nd – Aggressor Apr 04 '14 at 20:12
  • yes I can, but why did you downvote me @maheshchowdary – meda Jul 25 '14 at 12:05
  • @maheshchowdary ok but you never told me your issue? – meda Jul 25 '14 at 13:28
  • @meda : i followed all the steps but when i run- openssl s_client -connect gateway.sandbox.push.apple.com:2195 -cert PushChatCert.pem -key PushChatKey.pem am getting the same error - Verify return code: 20 (unable to get local issuer certificate) after a bunch of lines. But when i run php script from my terminal it works and i do get a push notification as well, but my aps_development_cert.cert file is not validated at server side(Amazon-SNS) saying it 'There was a transient failure registering the app with Amazon SNS. Please try again (Request ID: unknown)'. – Mak13 Jan 07 '15 at 09:31
  • 1
    Just want to point out, the entrust certificate linked in the above answer seems to be bugged, I couldn't install it. I went to Apple's site: https://developer.apple.com/library/content/technotes/tn2265/_index.html#//apple_ref/doc/uid/DTS40010376-CH1-TNTAG31 and then downloaded the Entrust certificate linked by Apple: https://www.entrust.com/root-certificates/entrust_2048_ca.cer and then double click installed it, ran my `php push.php` test script and it worked. – Zhang Apr 04 '17 at 01:32
  • 1
    Yeah you right , the link was dead, I updated with the link you provided thannks! – meda Apr 04 '17 at 01:47