
I'm going crazy with Apple push notifications! I developed my app and tested notifications following the Ray Wenderlich tutorial, and everything worked fine until I changed the .pem file to the distribution one and changed the connection string from gateway.sandbox.push.apple.com to gateway.push.apple.com.

Now if I try to send a message the server returns:

    Warning: stream_socket_client() [function.stream-socket-client]: unable to connect to ssl://gateway.push.apple.com:2195 (Connection timed out)
    Failed to connect: 110 Connection timed out

The PHP file and the .pem file are on TMDHosting: I am asking them whether port 2195 is closed, because by googling I found that the error means the port is closed.

Still, I can't tell whether the error is linked to the certificate or to the server.

The strange thing is that if I follow the Terminal procedure to test the .pem file, everything seems to work:

    CONNECTED(00000003)
    depth=1 /C=US/O=Entrust, Inc./OU=www.entrust.net/rpa is incorporated by reference/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification Authority - L1C
    verify error:num=20:unable to get local issuer certificate
    verify return:0
    ---
    Certificate chain
     0 s:/C=US/ST=California/L=Cupertino/O=Apple Inc/OU=Internet Services/CN=gateway.push.apple.com
       i:/C=US/O=Entrust, Inc./OU=www.entrust.net/rpa is incorporated by reference/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification Authority - L1C
     1 s:/C=US/O=Entrust, Inc./OU=www.entrust.net/rpa is incorporated by reference/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification Authority - L1C
       i:/O=Entrust.net/OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Certification Authority (2048)
    ---
    Server certificate
    -----BEGIN CERTIFICATE-----
    MIIEXTCC..........
    -----END CERTIFICATE-----
    subject=/C=US/ST=California/L=Cupertino/O=Apple Inc/OU=Internet Services/CN=gateway.push.apple.com
    issuer=/C=US/O=Entrust, Inc./OU=www.entrust.net/rpa is incorporated by reference/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification Authority - L1C
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 2541 bytes and written 2039 bytes
    ---
    New, TLSv1/SSLv3, Cipher is AES256-SHA
    Server public key is 1024 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    SSL-Session:
        Protocol  : TLSv1
        Cipher    : AES256-SHA
        Session-ID: 
        Session-ID-ctx: 
        Master-Key: CBA98981BB512ED2FDF0C003F4556FDDA564BEBBEFC6528C37D8E0336BC141AEC6D7E014568B334B8330FFFE266E8CB4
        Key-Arg   : None
        Start Time: 1332945845
        Timeout   : 300 (sec)
        Verify return code: 0 (ok)
    ---

This leads me to think that it's not a .pem problem...

Am I wrong?

I've already read all the similar questions here, and tried to change the port number from 2195 to 30, but nothing changes. Hints?

EDIT: I found this, and it seems to be the same as my problem: TMDHosting told me

...you are located under a shared hosting environment and opening a port for you will not be possible. However, note that the address to which you are making a connection on port 2195 is not associated with our server. In other words, you are trying to make a connection to a remote server on port 2195. In order to make this connection to the port specified above, you should make sure that the port is open for incoming connections on the remote server and not on the server on which your account with us relies.

Do I need a VPS?

EDIT2:

In the tutorial I followed I found:

.. you will need a server that is connected to the internet. Push notifications are always sent by a server. For development you can use your Mac as the server (which we’ll do in this tutorial) but for production use, you need at least something like a VPS (Virtual Private Server). A cheap shared hosting account is not good enough. You need to be able to run a background process on the server, install an SSL certificate, and be able to make outgoing TLS connections on certain ports. Most shared hosting providers do not let you do this, although they might if you ask. However, I really recommend using a VPS host such as Linode.

In the end I think I do need a VPS. Can you confirm for sure? But why, if I send push notifications to the sandbox server, does it work properly without a VPS?

LAST UPDATE: (hoping to help someone) it seems there was a bug, because the reality is that I cannot send push notifications to either the sandbox or the production server from my hosting (TMDHosting): my shared hosting does not have port 2195 open. Changed provider: everything works.

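The two tests in the question are not measuring the same thing. The `openssl s_client` run was done from the Mac and completed a full TLS handshake, which proves that gateway.push.apple.com is reachable from that network and that the server chain is served; the PHP warning `Connection timed out` from `stream_socket_client()` on the shared host is raised while waiting for the TCP three-way handshake, before a single byte of TLS or any certificate is exchanged, so the .pem cannot be the cause of that error. The script below is an added example, not code from the question or from the tutorial it follows: it splits a connection into phases (loading the client .pem, the TCP connect, the TLS handshake) and reports which phase failed, so the same probe run on the hosting account shows whether the provider filters outbound port 2195. The function name `probe_tls_endpoint`, the loopback fixtures and the local ports are constructed for the example; the two local fixtures exercise the "port closed" and "TCP fine, TLS broken" cases, while a real egress block shows up as `tcp_timeout`. As a caveat for anyone reading this today: Apple retired the binary APNs gateway on port 2195 in March 2021 in favour of the HTTP/2 API on port 443 or 2197, but the diagnosis (TCP failure versus TLS/certificate failure) is the same.

```python
import socket
import ssl
import threading


def probe_tls_endpoint(host, port, timeout=5.0, cafile=None, certfile=None):
    """Connect to host:port and report how far the connection got.

    Returns (phase, detail). phase is one of:
      "pem_error"   - certfile could not be loaded: a local .pem problem
      "tcp_timeout" - no SYN/ACK within timeout: an outbound firewall or
                      egress filter is dropping the packets (the symptom
                      in the question)
      "tcp_refused" - RST received: host reachable, nothing listening
      "tcp_error"   - DNS or routing failure before any connect attempt
      "tls_failed"  - TCP connected, then the handshake or certificate
                      verification failed: a TLS/certificate problem
      "ok"          - handshake completed; detail is the TLS version
    Only "pem_error" and "tls_failed" can be caused by the certificate.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    if certfile:
        try:
            # APNs authenticates the sender with a client certificate; the
            # .pem must hold both the certificate and its private key.
            ctx.load_cert_chain(certfile)
        except (ssl.SSLError, OSError) as e:
            return "pem_error", str(e)

    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except socket.timeout:
        return "tcp_timeout", "no response within %.1fs" % timeout
    except ConnectionRefusedError as e:
        return "tcp_refused", str(e)
    except OSError as e:
        return "tcp_error", str(e)

    try:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return "ok", tls.version()
    except ssl.SSLError as e:
        return "tls_failed", e.reason or str(e)
    except OSError as e:
        # e.g. ConnectionResetError when the peer drops the ClientHello
        return "tls_failed", str(e)


def _unused_loopback_port():
    """Constructed fixture: a loopback port with no listener, so the
    connect is refused (the 'host reachable, port closed' case)."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def _start_plaintext_server():
    """Constructed fixture: a loopback listener that answers the ClientHello
    with plain text instead of a ServerHello, so TCP succeeds and only the
    TLS handshake fails. Returns the port it listens on."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve_once():
        conn, _ = srv.accept()
        conn.sendall(b"HTTP/1.0 400 Bad Request\r\n\r\n")
        conn.close()
        srv.close()

    threading.Thread(target=serve_once, daemon=True).start()
    return srv.getsockname()[1]


def classify_local_cases():
    """Run the probe against both constructed fixtures; returns the phases."""
    refused = probe_tls_endpoint("127.0.0.1", _unused_loopback_port(), timeout=2.0)
    not_tls = probe_tls_endpoint("127.0.0.1", _start_plaintext_server(), timeout=2.0)
    return refused[0], not_tls[0]


if __name__ == "__main__":
    import sys
    if len(sys.argv) < 3:
        sys.exit("usage: probe.py HOST PORT [client.pem]")
    pem = sys.argv[3] if len(sys.argv) > 3 else None
    print(probe_tls_endpoint(sys.argv[1], int(sys.argv[2]), certfile=pem))
```

Run it from the PHP host's own shell (or from a PHP `exec()` if no shell is available) with the gateway host and port, and once more with the .pem as the third argument. A `tcp_timeout` result with the .pem omitted means the provider is filtering the connection and no certificate change will help; `tls_failed` or `pem_error` means the network path is fine and the certificate, key or chain needs attention.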

1 Answer


Miwi,

Thanks for this detailed writeup.

We are having a similar issue and it is driving us nuts.

When we test the cert, it appears to work, other than: "verify error:num=20:unable to get local issuer certificate"

Regardless, we get a valid handshake with the command line test of openssl, just as you do.

We can get the sandbox/dev cert to work as well.

Can you let us know what provider you switched to just in case we need to make the switch?

Thanks.

  • I'm Italian: I asked http://www.devise.it/en for a domain (with a dedicated IP address). I don't know if they can help you; in any case I found, by googling, lots of providers where you can register a domain with port 2195 open. See here too: "http://stackoverflow.com/questions/1593820/what-is-the-best-host-provider-for-apple-push-notification-service". Hope that helps! – Miwi Apr 12 '12 at 08:43