
AAAA Certificate Services root certificate installation, really needed? #128

Closed
baden32 opened this issue Feb 16, 2021 · 12 comments

Comments

@baden32

baden32 commented Feb 16, 2021

Using pushok, I can send push notifications with no problem only if I change src/Client.php and add the following instruction in the curl process:

// to bypass the certificate issuer error
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);

Without this option, the notification cannot be sent, and the following error occurs:
Fatal error: Uncaught Exception: SSL certificate problem: unable to get local issuer certificate

Now my question is: is the installation of the AAAA Certificate Services root certificate really needed, or can we just add this curl option?

If the AAAA Certificate Services root certificate is needed, do I need to add a link to the certificate in Client.php, or how should I install this certificate on my Debian Linux server?

Thank you in advance for your help.
Joel

@edamov
Owner

edamov commented Feb 16, 2021

I'm not good at security-related issues, so I can't advise anything here.
But maybe this comment can be the solution for this problem: #109 (comment)?

@marcorocca
Contributor

If you want to be independent of the server configuration, you can use this (#124 (comment)) or this form:

$client = new Client($authProvider, true, [CURLOPT_CAPATH => '/pathto/certs']);

Where /pathto/certs is a directory containing the CAs from Apple (the old and the new one). Please make sure the CAs are saved in hashed form, for example:

2c543cd1.0
ee64a828.0

More info here:

-CApath directory
A directory of trusted certificates. The certificates should have names of the form: hash.0 or have symbolic links to them of this form ("hash" is the hashed certificate subject name: see the -hash option of the x509 utility). Under Unix the c_rehash script will automatically create symbolic links to a directory of certificates.

@baden32
Author

baden32 commented Feb 16, 2021

Hi marcorocca, thanks a lot for your very valuable feedback.

In my case, I tried both "solutions":

  1. add [CURLOPT...] to the $client definition:
     $client = new Client($authProvider, $production = true, [CURLOPT_CAPATH => '/usr/local/share/ca-certificates/sectigo_AAA/']);
  2. add the option in src/Client.php:
     $certificate = "/usr/local/share/ca-certificates/sectigo_AAA/";
     curl_setopt($ch, CURLOPT_CAPATH, $certificate);

Unfortunately the result is still the same:
Fatal error: Uncaught Exception: SSL certificate problem: unable to get local issuer certificate

I think there is something I don't understand about this root certificate handling. The APNs doc states that we have to install the AAAA certificate from Sectigo, and the link (https://support.sectigo.com/Com_KnowledgeDetailPage?Id=kA03l00000117cL) in fact shows 3 certificates to download:
AAACertificateServices 5/12/2020
USERTrustRSAAAACA 5/12/2020
COMODORSAAAACA 5/12/2020

Am I supposed to download all 3 certificates or only the first one?

Once I have this/these certificate(s), what should I do on my Debian server? What do you mean by "CAs must be saved in the hashed form"? Should I "hash" one or all of the certificates downloaded from Sectigo?

Thank you in advance for your help.
Regards
Joel

@marcorocca
Contributor

marcorocca commented Feb 16, 2021

Hello @baden32, you can download the certificates here from Apple:

Communication between your provider server and APNs must take place over a secure connection. Creating that connection requires installing the GeoTrust Global CA root certificate (until March 29, 2021) and the AAA Certificate Services root certificate (starting March 29, 2021) on each of your provider servers.

Please make sure you rename them exactly to 2c543cd1.0 and ee64a828.0 (more info here).

Copy them into a single directory; CURLOPT_CAPATH will search based on their hash.

@baden32
Author

baden32 commented Feb 16, 2021

Hello,
From that link, I used the links in this section:

Establish a Trusted Connection to APNs
Communication between your provider server and APNs must take place over a secure connection. Creating that connection requires installing the GeoTrust Global CA root certificate (until March 29, 2021) and the AAA Certificate Services root certificate (starting March 29, 2021) on each of your provider servers.

With the GeoTrust CA, there is no problem because it's a .pem and I can use it directly when $client is initiated:
$client = new Client($authProvider, $production = true, [CURLOPT_CAINFO => 'GeoTrust_Global_CA.pem']);
(but this CA/solution is valid -> March 29)

We should now use the AAACertificateServices certificate from Sectigo. The Sectigo link available in the APNs doc (https://support.sectigo.com/Com_KnowledgeDetailPage?Id=kA03l00000117cL) shows 3 certificates:
AAACertificateServices 5/12/2020
USERTrustRSAAAACA 5/12/2020
COMODORSAAAACA 5/12/2020

I downloaded all 3 .crt files into my /home/transn/web/testapns/cert/.
Ran the command openssl x509 -hash -noout -in xxxx.crt for all of them to get their hash "value".
Renamed each .crt to xxxx.0

But when $client is defined using this path
$client = new Client($authProvider, $production = true, [CURLOPT_CAPATH => '/home/transn/web/testapns/cert/']);

notification sending fails with the "unable to get local issuer certificate" error.

Am I doing something wrong with these certificates?

@marcorocca
Contributor

I think there is something wrong with the CAs in the link: one of them is the same as the one linked on the Apple site (AAACertificateServices.crt, hash: ee64a828), the other is not.
Download the GeoTrust Global CA; it will work (the actual one used by Apple, its hash is 2c543cd1).

Note: CURLOPT_CAPATH searches a path containing hashes; CURLOPT_CAINFO searches a single file.

@baden32
Author

baden32 commented Feb 16, 2021

You're right, thanks a lot!
Getting the hash for GeoTrust_Global_CA.pem returns 2c543cd1.
So renaming GeoTrust_Global_CA.pem -> 2c543cd1.0 makes my script work with
$client = new Client($authProvider, $production = true, [CURLOPT_CAPATH => '/home/transn/web/testapns/cert/']);

My only "problem" now is to be sure that it will still work after March 29 using this GeoTrust_Global_CA.
As mentioned here (https://developer.apple.com/documentation/usernotifications/setting_up_a_remote_notification_server/), we are supposed to switch to AAAA from Sectigo as of March 29.

What's your idea here?

@marcorocca
Contributor

After March 29, Apple's servers will request a CA with the ee64a828 hash. So, if it's in your cert directory, it will work.

You only have to leave both in your CA directory.
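The hashed-directory procedure described in this thread (run openssl x509 -hash on each CA, rename it to hash.0, keep both the old and the new CA in one directory and pass it as CURLOPT_CAPATH) has two details worth handling explicitly. First, OpenSSL's hashed-directory lookup only reads PEM files, so a .crt downloaded in DER form will be ignored even when it is correctly named. Second, the ".0" suffix is only correct while no two CAs in the directory share a subject hash; c_rehash numbers collisions .0, .1, .2 and so on. The script below is an added example, not part of pushok or of this issue: it builds the directory c_rehash-style with both details handled, builds the single-file CURLOPT_CAINFO alternative as well, and checks the result with openssl verify so you can confirm a CA is found before touching the PHP client. The function names and the directory layout are this example's own assumptions. Whatever you do, leave CURLOPT_SSL_VERIFYPEER at its default: setting it to false makes curl accept any certificate, so the token and payload would go to whoever answers on the APNs hostname.

```shell
#!/bin/sh
# Added example (not pushok's code): build a CURLOPT_CAPATH-style directory and a
# CURLOPT_CAINFO-style bundle from a directory of CA certificate files.
# Paths and function names are assumptions made for this example.
set -eu

# pem_of FILE: print FILE as PEM on stdout, converting from DER if necessary.
# Both branches re-emit through openssl, so the output is PEM either way.
pem_of() {
    openssl x509 -in "$1" -inform PEM -outform PEM 2>/dev/null \
        || openssl x509 -in "$1" -inform DER -outform PEM
}

# build_capath SRC_DIR DEST_DIR: for every certificate file in SRC_DIR create
# DEST_DIR/<subject-hash>.<n> (the layout c_rehash produces). Prints each name created.
build_capath() {
    src=$1
    dest=$2
    mkdir -p "$dest"
    for f in "$src"/*; do
        [ -f "$f" ] || continue
        tmp=$(mktemp)
        pem_of "$f" > "$tmp"
        h=$(openssl x509 -hash -noout -in "$tmp")      # subject-name hash, e.g. ee64a828
        n=0
        while [ -e "$dest/$h.$n" ]; do n=$((n + 1)); done  # collision-safe suffix
        mv "$tmp" "$dest/$h.$n"
        chmod 644 "$dest/$h.$n"                          # mktemp files are 0600; the web server must read them
        echo "$h.$n"
    done
}

# build_bundle SRC_DIR OUT_FILE: the CURLOPT_CAINFO alternative, all CAs in one PEM file.
build_bundle() {
    : > "$2"
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        pem_of "$f" >> "$2"
    done
}

# verify_with_capath CAPATH CERT: exit 0 if CERT chains to a CA found in CAPATH only
# (system trust store excluded), non-zero otherwise.
verify_with_capath() {
    openssl verify -no-CAfile -no-CApath -CApath "$1" "$2" >/dev/null 2>&1
}

# verify_with_bundle BUNDLE CERT: same check against a single-file bundle.
verify_with_bundle() {
    openssl verify -no-CAfile -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

# Typical use (paths assumed): drop the Apple-linked GeoTrust and AAA CA files into
# ./apns-ca-src, then pass ./apns-ca as CURLOPT_CAPATH or ./apns-ca.pem as CURLOPT_CAINFO.
#   build_capath ./apns-ca-src ./apns-ca
#   build_bundle ./apns-ca-src ./apns-ca.pem
#   verify_with_capath ./apns-ca ./apns-ca-src/GeoTrust_Global_CA.pem && echo "found"
```

Checking the root against the directory only proves the lookup works; the real test is a TLS handshake, which `curl --capath ./apns-ca https://api.push.apple.com` (or `--cacert ./apns-ca.pem`) exercises with the same OpenSSL lookup the PHP extension uses, so a failure there reproduces the "unable to get local issuer certificate" error outside the application.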

@baden32
Author

baden32 commented Feb 16, 2021

OK, thanks a lot for your feedback. I put both CAs, as xxx.0 hash files, in the same directory. I hope everything will still be OK and working on March 30.
Thanks again for your great help.
Regards
Joel

@marcorocca
Contributor

You're welcome, I hope it will be useful to others too.

@upngo

upngo commented Feb 17, 2021

Perhaps worth putting this in the readme, as every iOS user will need to do this before the end of March @edamov

@dinhdanh

dinhdanh commented Mar 6, 2021

> If you want to be independent of the server configuration, you can use this (#124 (comment)) or this form:
>
> $client = new Client($authProvider, true, [CURLOPT_CAPATH => '/pathto/certs']);
>
> Where /pathto/certs is a directory containing the CAs from Apple (the old and the new one). Please make sure the CAs are saved in hashed form, for example:
>
> 2c543cd1.0
> ee64a828.0
>
> More info here:
>
> -CApath directory
> A directory of trusted certificates. The certificates should have names of the form: hash.0 or have symbolic links to them of this form ("hash" is the hashed certificate subject name: see the -hash option of the x509 utility). Under Unix the c_rehash script will automatically create symbolic links to a directory of certificates.

Where can we get the CAs from Apple, @marcorocca? And how do we save them in hashed form?
