Push Notification Error: "Unable to set local cert chain file"
I

4

12

I wrote a test php page that just sends out a generic push notification and it works intermittently. Sometimes it delivers the message and other times I get this error:

"Message: stream_socket_client() [function.stream-socket-client]: Unable to set local cert chain file `/var/www/ninerobot.com/public/mlb/certs/mlbtr-push-dev.pem'; Check that your cafile/capath settings include details of your certificate and its issuer"

Do you know how I can solve this issue?

I see that on Apple's docs it says "Note: To establish a TLS session with APNs, an Entrust Secure CA root certificate must be installed on the provider’s server. If the server is running Mac OS X, this root certificate is already in the keychain. On other systems, the certificate might not be available. You can download this certificate from the Entrust SSL Certificates website." Does this mean anything that I need to do?

Ijssel answered 4/7, 2010 at 17:31 Comment(1)
Did this get solved? I am having the same problem. - Millur
A
18

I also struggled a lot to do the same. Eventually I found a solution to send push notifications through a PHP global URL. Try the steps below. Before that, I hope you all know how to generate the 3 certificates, that is PushChat.certSigningRequest, pushkey.p12 and aps_development.cer (csr, p12, cer).

Open your Terminal and step by step run the below commands:

# Make sure the terminal refers to your correct certificate path.
$ cd ~/Desktop/

# Ask your system administrator to open it if it's not connected
$ telnet gateway.sandbox.push.apple.com 2195

Trying 17.110.227.35...
Connected to gateway.sandbox.push-apple.com.akadns.net.

Escape character is '^]'.

# Convert .cer to .pem
$ openssl x509 -in aps_development.cer -inform der -out PushCert.pem

# Convert .p12 to .pem. Enter your pass phrase, which is the same password that you gave while creating the .p12 certificate. The PEM pass phrase is also the same as for the .p12 cert.
$ openssl pkcs12 -nocerts -out PushKey1.pem -in pushkey.p12

Enter Import Password:

MAC verified OK

Enter PEM pass phrase:

Verifying - Enter PEM pass phrase:

# To remove the passphrase from the key so it can be accessed globally. This only solved my stream_socket_client() & certificate capath warnings.
$ openssl rsa -in PushKey1.pem -out PushKey1_Rmv.pem

Enter pass phrase for PushChatKey1.pem:

writing RSA key

# To join the two .pem file into one file:
$ cat PushCert.pem PushKey1_Rmv.pem > ApnsDev.pem

Then finally move SimplePush.php to the ApnsDev.pem file location, so that both files are in the same folder, and change the Device Token, Pass Phrase, Certificate Name (ApnsDev.pem), Message… in simplepush.php. Download the file using the URL below: http://d1xzuxjlafny7l.cloudfront.net/downloads/SimplePush.zip Then execute the file in the terminal or on your domain server:

$ php simplepush.php

or

www.Domainname.com/push/simplepush.php  // Now, url shows 'Connected to APNS Message successfully delivered'.

That's it, the push notification will fly and reach the specific iOS device.

If you want to send a 'Badge', then change the payload code in simplepush.php like below:

// Construct the notification payload body:
$badge = 1;
$sound = 'default';
$body = array();
$body['aps'] = array('alert' => $message);
if ($badge)
    $body['aps']['badge'] = $badge;
if ($sound)
    $body['aps']['sound'] = $sound;
// End of Configurable

// Encode the payload as JSON:
$payload = json_encode($body);

Now run the PHP file again and the app icon appears with the badge number in a red circle.

Adorl answered 29/10, 2014 at 5:57 Comment(0)
P
8

Use this checklist to work through this:

  1. Did you create a legitimate certificate via instructions like these?
  2. Is your .pem file readable by your webserver process (i.e. permissions and file location are good)? Many setups run Apache, for example, under the "www-data" user/group. Side note: make sure visitors can't view the .pem file by browsing to it.
  3. Does your server have the Entrust Secure CA Root Certificate (2048 bit) installed? If not, follow instructions for downloading/installing for your particular server OS.
  4. Is outbound TCP port 2195 open? Many hosting providers do NOT have this outbound port open by default.
Polite answered 2/3, 2011 at 13:50 Comment(2)
4. How to check if port 2195 is open? From the terminal, I did telnet gateway.sandbox.push.apple.com 2195 and it showed Trying 17.149.34.66... Connected to gateway.sandbox.push-apple.com.akadns.net. Then after some time, it closed by itself saying Connection closed by foreign host. ...... Is that normal? - Millur
2. I am not sure if the pem file is readable. When I browse to the pem file through my browser, it shows a blank page. But when I do cat path/to/file.pem in the terminal, I see the certificate contents of the pem file. - Millur
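The file-level checks from items 1 and 2 of the checklist above, together with the effect of stripping the key passphrase in the earlier answer, as an added shell example that is not part of any original answer. The function name check_pem, its finding labels and the DOCROOT argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original answers: audit a combined cert+key PEM
# before pointing PHP's local_cert option at it.
# Usage: check_pem FILE [DOCROOT]   (DOCROOT: assumed web document root)
# Prints findings one per line; prints "OK" and returns 0 if none are fatal.
check_pem() {
    f=$1; docroot=${2:-}; bad=0
    # Run as the web server user (e.g. www-data) to test that user's access.
    if [ ! -f "$f" ] || [ ! -r "$f" ]; then
        echo "UNREADABLE: missing or not readable by $(id -un)"
        return 2
    fi
    # local_cert expects the certificate and its private key in one file.
    grep -q -- '-----BEGIN CERTIFICATE-----' "$f" ||
        { echo "NO_CERT: no certificate block"; bad=1; }
    if ! grep -Eq -- '-----BEGIN (RSA |EC |ENCRYPTED )?PRIVATE KEY-----' "$f"; then
        echo "NO_KEY: no private key block"; bad=1
    # Encrypted keys carry a Proc-Type header (traditional format) or the
    # ENCRYPTED PRIVATE KEY label (PKCS#8); anything else is plaintext.
    elif grep -Eq -- 'Proc-Type: 4,ENCRYPTED|BEGIN ENCRYPTED PRIVATE KEY' "$f"; then
        echo "KEY_ENCRYPTED: PHP must be given the matching passphrase option"
    else
        echo "KEY_PLAINTEXT: file permissions are the key's only protection"
    fi
    # Character 8 of the ls mode string is the read bit for "other" users.
    case $(ls -ld -- "$f") in
        ???????r*) echo "WORLD_READABLE: restrict to the web server user/group"; bad=1 ;;
    esac
    # A PEM below the document root may be downloadable by URL.
    if [ -d "$docroot" ]; then
        case $(cd "$(dirname "$f")" && pwd -P)/ in
            "$(cd "$docroot" && pwd -P)"/*) echo "IN_DOCROOT: move the file outside the web root"; bad=1 ;;
        esac
    fi
    [ "$bad" -eq 0 ] && echo "OK"
    return "$bad"
}
```

Source the file and call `check_pem ApnsDev.pem /path/to/docroot` as the account the web server runs under; the docroot path here is a placeholder.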
R
0

In addition to the great answer of Steve N, let me add a last point.

  1. Ensure you understand the warning, especially "include details of your certificate and its issuer". You probably don't have a block in your .pem file, i.e. issuer= , subject= etc., and your file begins with -----BEGIN CERTIFICATE. It can be accidentally deleted during conversion of the certificate file.
Roselynroseman answered 2/10, 2016 at 21:4 Comment(0)
S
0

Might be irrelevant for OP's Q, but I've tried all openssl statements with all the different flags, while trying to connect with PHP \SoapClient(...) and after 3 days I finally found a solution that worked for me. Posting so the next dude(tte) may find this easier than me.

GitBash

$ cd path/to/certificate/
$ openssl pkcs12 -in personal_certificate.pfx -out public_key.pem -clcerts

First you have to enter YOUR_CERT_PASSWORD once, then DIFFERENT_PASSWORD! twice. The latter will possibly be available to everyone with access to code.

PHP

<?php

$wsdlUrl   = "https://example.com/service.svc?singlewsdl";
$publicKey = "rel/path/to/certificate/public_key.pem";
$password  = "DIFFERENT_PASSWORD!";

$params = [
    'local_cert' => $publicKey,
    'passphrase' => $password,
    'trace' => 1,
    'exceptions' => 0
];

$soapClient = new \SoapClient($wsdlUrl, $params);

var_dump($soapClient->__getFunctions());
Saintmihiel answered 26/1, 2021 at 16:0 Comment(0)
