I'm having problem developing a "provider" in APNS. My server is trying to send messages using apns-client, it seems there are no problems occuring while sending messages, but the device isn't receiving any messages at all.
Recently I've changed the *.pem file to a new one. Messages were properly received while using the previous *.pem file, so I'm sure that there are no problems at server connections and sending script (written in Python). The reason is, probably, because the old *.pem file is valid but the new *.pem file is not.
I strongly desire to have an "error" response from the APNS server if the *.pem file is invalid, but it seems that the APNS server or apns-client library isn't returning any error signals even if *.pem file is invalid. I've proved this fact by adding one hundred 'a's to the line before before -----END RSA PRIVATE KEY----- in *.pem, and running the same python script. Yes, it still didn't receive any error messages.
Since APNS server is returning no error messages, it's nearly impossible to check if the *.pem file is valid... Aren't there any methods to check if the *.pem file is valid?
Here's some troubleshooting info suggested by Apple:
Problems Connecting to the Push Service
One possibility is that your server is unable to connect to the push
service. This can mean that you don't have the certificate chain
needed for TLS/SSL to validate the connection to the service. In
addition to the SSL identity (certificate and associated private key)
created by Member Center, you should also install the Entrust CA
(2048) root certificate on your provider. This allows TLS/SSL to
verify the full APNs server cert chain. If you need to get this root
certificate, you can download it from Entrust's site. Also verify that
these identities are installed in the correct location for your
provider and that your provider has permission to read them.
You can test the TLS/SSL handshake using the OpenSSL s_client command,
like this:
$ openssl s_client -connect gateway.sandbox.push.apple.com:2195 -cert
YourSSLCertAndPrivateKey.pem -debug -showcerts -CAfile
server-ca-cert.pem
where server-ca-cert.pem is the Entrust CA (2048) root certificate.
Be sure the SSL identity and the hostname are the correct ones for the
push environment you're testing. You can configure your App ID in
Member Center separately for the sandbox and production environment,
and you will be issued a separate identity for each environment.
Using the sandbox SSL identity to try to connect to the production
environment will return an error like this:
CRITICAL | 14:48:40.304061 | Exception creating ssl connection to
Apple: [Errno 1] _ssl.c:480: error:14094414:SSL
routines:SSL3_READ_BYTES:sslv3 alert certificate revoked
To test you PRODUCTION cert, open Terminal and do this:
openssl s_client -connect gateway.push.apple.com:2195 -cert PushProdCer.pem -key PushProdKey.pem
I am not familiar with the python-client you are using but surely there is a way to simply attempt opening a connection with Apple's PNS servers and detecting whether that connection failed or not. If the connection fails, then something is wrong with the PEM file - either the format or the certificate values themselves.
If you want to get an error message that's a little more explicative than "pass or fail," I recommend you look into 3rd party shell scripts that can return some basic information about the PEM file. This thread contains a few sample scripts.
Of course, you can also check for some basic format validations that are widely available. I provided one such example here but there are others.
Related
I'm trying to figure out, why I'm having a problem that Python code is throwing a SSLCertVerificationError for valid LetsEncrypt certificates on a virtual host with multiple domains and certificates at the same IP If I delete all certificates except one it's fine, but with more than one certificate requests ignores the domain to which Python sent the request and pulls the most recent LetsEncrypt certificate, which is incorrect, causing the domain SSLCertVerificationError.
My understanding was that under SNI (Server Name Indication) requests should only pull the certificate for the domain to which the request is being made, not simply the most recent one. I have checked, and I'm running Python, 3.8, requests 2.5 under a version of Nginx that has been compiled with SNI support. I can suppress the error by turning off SSL validation, but that seems a poor workaround.
Any idea what is going on?
Why does SNI work fine when browsers requests page from Nginx, pullign the proper certificate, but fail under when the same is done under Python's requests package?
I have read everything I can find, and the docs say it should just work under the current builds of nginx, requests,OpenSSL, etc., but it clearly isn't here.
To replicate, I can do requests.get{'https://kedrosky.org') error-free from a local machine. But on scripts run at that server -- a hosted domain -- a newer certificate for the wrong domain is returned, causing an SSLCertVerificationError.
The problem is that the server configuration is likely only properly done for IPv4 even though the domain also resolved to an IPv6 address. With IPv4 it returns the correct certificate:
$ openssl s_client -connect kedrosky.org:443 -4
...
subject=CN = kedrosky.com
But with IPv6 it returns a different certificate (this needs IPv6 connectivity to the internet on your local machine):
$ openssl s_client -connect kedrosky.org:443 -6
...
subject=CN = paulandhoward.com
Likely this is because there is only a listen 443 but not listen [::]:443, the latter needed for IPv6. In this case virtual hosts only properly work for IPv4 but with IPv6 it will just return the default, i.e. usually the first certificate configured.
And the reason that you are seeing different results from different hosts is that one has only IPv4 connectivity while the other can do IPv6 too.
I am trying to configure a basic SSL authentification with RabbitMQ using this RabbitMQ container.
After following all the steps mentioned, I fail to run the either the consumer or the producer from the Python examples. The error that appears is the following one:
Connection to 127.0.0.1:5671 failed: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:645) ConnectionClosed
The certificates cacert.pem, cert.pem and key.pem I have asumed that are the cacert from the directory testca, and the cert.pem and key.pem should be the ones that can be found in the client and server directories (depending on whether the consumer or the produces is executed).
Therefore, my question is if these asumptions are right or not and finally, how could the aforementioned example should be executed in order to not obtain the SSL error that appears either after the execution of the consumer or the producer.
I have installed Openstack CLI and when I try to use any command say
openstack server list
it is throwing the below error
Failed to discover available identity versions when contacting
https://44.128.19.51:5000/v3. Attempting to parse version from URL.
SSL exception connecting to https://44.128.19.51:5000/v3/auth/tokens:
[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed
(_ssl.c:765)
I tried setting the export OS_CACERT=/path/to/ca.crt, but it is not working.
You must provide a proper authorization url. Sometimes the port of the url can be wrong. Like in my case, the authorization url had port 1300 instead of 5000.
And have you sourced your RC file?
Other than for proper authorization url, proper CACERT path or proper authorization certificates it should show this error.
A long time has passed since the question, but if someone like myself faces the problem, enter the "OpenStack" command with the flag "--insecure".
Here's the related documentation.
My python application is using M2Crypto to generate CSR in client, sends it to server and retrieves signed certificate in PEM format and saves as file.
Signed certificate file can be verified by M2Crypto. It can be read by OpenSSL successfully both in client and server.
However Windows clients report "This file is invalid for use as the following: security certificate" error when it is tried to be used. Like wise, in Ubuntu clients, "Could not display <filename>" is reported when it is tried to be viewed.
Platform Information for both client and server:
Python 2.7.x
M2Crypto 0.21.1
OpenSSL 1.0.1e
Do you have any idea, what am I missing?
I am a client to a secured HTTPS server who has issued to me a password protected .pfx certificate to identify me to its system every-time. Using browser where I have installed the certificate (apparently only IE6 and previous versions works) i am able to log in and upload a file which i need to do on a daily basis. Right now am trying to write a Python script to do the same task and I am not sure if it is doable this way.
I am trying to use python mechanize library to connect to the server.
Using OpenSSL I have broken down the .pfx file into .key and .cer PEM files.
And I am using them as certificate for my python script.
Here is my code snippet
br = mechanize.Browser()
br.add_client_certificate(host,"I:/Key.key","I:/certificate.crt:")
whatever I tried it throws various SSL exception .. namely
SSL_CTX_use_certificate_chain_file
SSL_CTX_use_PrivateKey_file
Can anyone please tell me what possibly I could be doing wrong or if at all this is not the right approach.
I was able to get rid of errors by ways described in this link.
It didn't solve my purpose though because the server I was trying to connect is a IIS based server and it only accepts .pfx certificates.