0
votes

I have been using sandbox push notification for a while, and it is working perfectly. After switching to distribution, push notification stopped working.

Things that I have checked:

  1. Two separate push notification certificates are created, one for development (Sandbox) and one for distribution(production).
  2. Device token is different for sandbox and production.
  3. We use NotNoop APNS on server side. The certificate.p12 is created by exporting the private key under push notification certificate in Apple Keychain Access. Certificate itself is not in the p12 file.
  4. Checked archived package for production with command

    codesign -d --entitlements :- "Payload/YourApp.app"

    And the code signing entitlement is distribution.

  5. Followed Apple TN 2265 (https://developer.apple.com/library/ios/technotes/tn2265/_index.html). While using openssl to connect to APNS, the connection is closed right after handshake (for production). For sandbox, there is a pause after the handshake, and then more reads & writes.

My command:

> openssl pkcs12 -in Cert_prod.p12 -out Cert_prod.pem
> openssl s_client -connect gateway.push.apple.com:2195 -cert Cert_prod.pem -debug -showcerts -CAfile "Entrust.pem"

The output (for production):

...
Server certificate
subject=/C=US/ST=California/L=Cupertino/O=Apple Inc./CN=gateway.push.apple.com
issuer=/C=US/O=Entrust, Inc./OU=www.entrust.net/rpa is incorporated by reference/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification Authority - L1C
---
Acceptable client certificate CA names
/C=US/O=Apple Inc./OU=Apple Certification Authority/CN=Apple Root CA
/C=US/O=Apple Inc./OU=Apple Worldwide Developer Relations/CN=Apple Worldwide Developer Relations Certification Authority
/C=US/O=Apple Inc./OU=Apple Certification Authority/CN=Apple Application Integration Certification Authority
---
SSL handshake has read 3144 bytes and written 2161 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: CCCE22D7487589D257E547F2693E8AEDF86B693E6EFE09DCAA7EE74C28812E45506A21B0DC0ED6CAAF4395EB2D2899ED
    Key-Arg   : None
    Start Time: 1454828210
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
read from 0x7fa6d3a00060 [0x7fa6d4806600] (5 bytes => 5 (0x5))
0000 - 15 03 01                                          ...
0005 - <SPACES/NULS>
read from 0x7fa6d3a00060 [0x7fa6d4806605] (32 bytes => 32 (0x20))
0000 - 8f c6 74 25 a6 40 2b 58-29 bc a4 e0 a7 c9 43 a8   ..t%.@+X).....C.
0010 - a0 93 62 78 6a 73 ed aa-4f 61 0a a4 9e fe a7 9e   ..bxjs..Oa......
closed
write to 0x7fa6d3a00060 [0x7fa6d480b000] (37 bytes => 37 (0x25))
0000 - 15 03 01 00 20 2c 70 db-af 76 7a 2c 01 70 da 0f   .... ,p..vz,.p..
0010 - a9 03 da e2 fb 69 f8 09-63 5d 18 85 81 8c 31 63   .....i..c]....1c
0020 - 63 fb 73 cb 48                                    c.s.H

The output (for sandbox):

...
Server certificate
subject=/C=US/ST=California/L=Cupertino/O=Apple Inc./CN=gateway.sandbox.push.apple.com
issuer=/C=US/O=Entrust, Inc./OU=www.entrust.net/rpa is incorporated by reference/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification Authority - L1C
---
Acceptable client certificate CA names
/C=US/O=Apple Inc./OU=Apple Certification Authority/CN=Apple Root CA
/C=US/O=Apple Inc./OU=Apple Worldwide Developer Relations/CN=Apple Worldwide Developer Relations Certification Authority
/C=US/O=Apple Inc./OU=Apple Certification Authority/CN=Apple Application Integration Certification Authority
---
SSL handshake has read 3160 bytes and written 2161 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 011B90857BC02D4A9DCB7300F8C9F368905F90EA4BDDC0677CD2EA9AAB3550CF750F0B57C5AF0C72F5BCD991658AC4AC
    Key-Arg   : None
    Start Time: 1454828396
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
write to 0x7f9b19c1aef0 [0x7f9b1a019000] (74 bytes => 74 (0x4A))
0000 - 17 03 01 00 20 d7 a1 a1-b2 9e be ce 49 18 26 0e   .... .......I.&.
0010 - 46 73 f9 dc 7f b2 75 71-f6 bf 51 65 44 0e f1 60   Fs....uq..QeD..`
0020 - fe 80 2e e2 a6 17 03 01-00 20 f0 be dc 70 85 b0   ......... ...p..
0030 - 82 d0 44 1e 9a b8 fe 59-39 b1 14 be 0a 9d 7c 0e   ..D....Y9.....|.
0040 - ce 09 9b c3 f2 1c dd 28-c7 24                     .......(.$
write to 0x7f9b19c1aef0 [0x7f9b1a019000] (74 bytes => 74 (0x4A))
0000 - 17 03 01 00 20 4c 12 4f-f9 ba 0b e4 80 b3 66 bb   .... L.O......f.
0010 - 93 a7 c9 47 9d 84 36 88-33 c0 80 79 a2 97 c6 95   ...G..6.3..y....
0020 - 2a 4b 42 c1 bc 17 03 01-00 20 a0 4d 06 fd 84 78   *KB...... .M...x
0030 - 3d b9 12 ad 65 75 b6 1a-01 91 28 86 40 c4 e9 c2   =...eu....(.@...
0040 - 38 91 47 42 c3 1d e3 c7-f9 41                     8.GB.....A
write to 0x7f9b19c1aef0 [0x7f9b1a019000] (74 bytes => 74 (0x4A))
0000 - 17 03 01 00 20 35 77 28-ea b0 80 5a ad 9e 99 87   .... 5w(...Z....
0010 - 7d 07 13 14 ff ea a8 48-60 7c 46 f0 59 07 c8 53   }......H`|F.Y..S
0020 - 3f 96 55 fc ec 17 03 01-00 20 60 49 00 86 bf 41   ?.U...... `I...A
0030 - 70 70 5c d5 d7 f5 83 4c-8a b3 10 22 bb ad 4c f2   pp\....L..."..L.
0040 - 3e e0 54 db 5d e7 2e bc-cc 9c                     >.T.].....
write to 0x7f9b19c1aef0 [0x7f9b1a019000] (74 bytes => 74 (0x4A))
0000 - 17 03 01 00 20 25 d3 8a-20 a4 4c 3c b6 f7 fe 95   .... %.. .L<....
0010 - 60 e2 5b 9f fc fd 3d e7-4c 27 cc d0 8e 6c ef 30   `.[...=.L'...l.0
0020 - 56 4a 88 a9 f9 17 03 01-00 20 cc 32 2d d5 e6 ff   VJ....... .2-...
0030 - 59 26 14 67 2d 3f 3d 88-d3 3b ea 53 5e 11 72 75   Y&.g-?=..;.S^.ru
0040 - a4 c6 0e d8 95 b4 21 e3-5d dd                     ......!.].
write to 0x7f9b19c1aef0 [0x7f9b1a019000] (74 bytes => 74 (0x4A))
0000 - 17 03 01 00 20 8a a0 b6-fd 72 7b f4 f6 ef de 65   .... ....r{....e
0010 - 76 40 6b 67 1d b8 83 c1-92 98 50 9e 0f ac d7 da   [email protected].....
0020 - 66 39 9c 39 9f 17 03 01-00 20 70 a4 1d 63 f1 6e   f9.9..... p..c.n
0030 - d6 5a b3 fd f9 7e de de-64 7d 42 0d da 94 59 09   .Z...~..d}B...Y.
0040 - 93 3f 33 e3 d7 d0 3e 2e-10 e7                     .?3...>...
read from 0x7f9b19c1aef0 [0x7f9b1a014600] (5 bytes => 5 (0x5))
0000 - 15 03 01                                          ...
0005 - <SPACES/NULS>
read from 0x7f9b19c1aef0 [0x7f9b1a014605] (32 bytes => 32 (0x20))
0000 - 60 b6 57 1c 8a 8e e9 f0-59 b5 27 73 f5 ba de b1   `.W.....Y.'s....
0010 - 7a ef d7 ab 79 23 0a ea-b2 13 c9 ca 98 e5 c3 36   z...y#.........6
closed
write to 0x7f9b19c1aef0 [0x7f9b1a019000] (37 bytes => 37 (0x25))
0000 - 15 03 01 00 20 f2 6f d0-1b 8d 41 5e 44 df f5 49   .... .o...A^D..I
0010 - 3a 09 6a 11 2b 3b f3 47-1e 70 8d 8d a8 9d 42 45   :.j.+;.G.p....BE
0020 - e9 47 18 26 3e                                    .G.&>

Therefore, it seems that the broken link is between my server and APNS. How can I know why the connection is closed?

I suspected that something is wrong on the certificate, but could not find anything. I took the same steps to create sandbox certificates, and they worked just fine. Did I miss anything for production?

Other related links that I checked:

  1. apple push notification not working in production
  2. http://www.raywenderlich.com/32960/apple-push-notification-services-in-ios-6-tutorial-part-1
  3. Couldn't able to connect to APNS Sandbox server
1
It is from the certificate. The right way to create .p12 file is to expand the push notification certificate in Keychain access, so you can see the private key underneath, then only select the certificate (not the key) and export to a .p12 file. After updating the .p12 file on the server side, it is all working. I probably remembered wrongly how the original sandbox p12 file was created.gfc

1 Answers

2
votes

The certificate.p12 in NotNoop APNS should be exported from the certificate only, without the private key. In Keychain Access, click the small arrow next to the push notification certificate to show the private key, select the certificate only (without the key), and export it to a .p12 file. Updating the file on server solved my problem. Openssl is a good tool for smoke test before archiving the app and running it in ad hoc mode.