Comments (21)
I would also dare to say that NodeJS v12.13.0+ supports the new AAACertificateServices 5/12/2020 cert: https://github.com/nodejs/node/blob/v12.13.0/src/node_root_certs.h#L247
How I verified:
- Downloaded AAACertificateServices 5/12/2020 cert from here: https://support.sectigo.com/Com_KnowledgeDetailPage?Id=kA03l00000117cL
- Opened cert with text editor
- Copy / pasted first line from cert
- Searched for first line in NodeJS root certs and found it here: https://github.com/nodejs/node/blob/v12.13.0/src/node_root_certs.h#L247
from node-apn.
@robsonalvesbh yes, if your application is running NodeJS v12.13.0+
from node-apn.
Nicely done, @junjie.
I'm running Node v10 and tls.rootCertificates was only introduced in Node v12+, so I can't run your code.
However, I've just realized it's also possible to directly check Node's bundled root CA cert file for the signature of the Comodo AAA Services root:
https://github.com/nodejs/node/blob/v10.15.1/src/node_root_certs.h
Searching the file for Comodo AAA Services root will yield the exact certificate you have attached in Base64 encoded format.
You can plug your Node.js version into the URL instead of v10.15.1, yet from what I've seen this root CA is present in every single Node.js release.
Therefore, we can all safely assume that node-apn will continue functioning when Apple deploys the AAA certificate.
from node-apn.
I have found that:
https://github.com/nodejs/node/blob/master/doc/guides/maintaining-root-certs.md
and that:
https://github.com/nodejs/node/blob/v8.x/src/node_root_certs.h
from node-apn.
Thank you so much for this helpful thread. I wrote up how we verified (I hope) our setup using what I learned here: https://stackoverflow.com/questions/66239455/how-to-verify-parse-running-on-heroku-supports-new-apple-push-notification-root/66239456
from node-apn.
If you still feel uncertain whether your nodejs version embeds a new Root CA certificate, you may check nodejs binary using grep or hexedit and search for ASCII substring from a new cert. My nodejs 10.15.3 contains it:
If it is still not enough for you, just add a config option for your node.js app to add 'ca' to apn.Provider's options and point to a desired Root CA cert. In case some unpleasant surprise arises, you can always configure your app to enforce using AAACertificateServices.pem since March 29, 2021.
from node-apn.
Here is the link to the official Apple update: https://developer.apple.com/news/?id=7gx0a2lp
I also would like to understand whether this lib will need to release a new version to support the new certificate or whether library consumers will need to change something on their side.
Documentation from Apple is really sparse regarding this. Or at least not easily found.
What I found was in this doc in the Establish a Trusted Connection to APNs section:
Communication between your provider server and APNs must take place over a secure connection. Creating that connection requires installing the GeoTrust Global CA root certificate (until March 29, 2021) and the AAA Certificate Services root certificate (starting March 29, 2021) on each of your provider servers.
If your provider server runs macOS, the GeoTrust Global CA root certificate is in the keychain by default. If your provider server runs macOS 10.14 or later, the AAA Certificate Services root certificate is in the keychain by default. On other systems, you might need to install this certificate yourself. You can download the GeoTrust Global CA root certificate from the GeoTrust Root Certificates website. You can download the “AAACertificateServices 5/12/2020” certificate from the Sectigo KnowledgeBase website.
But I don't remember ever installing any certificate to use with this library. Nor are we running a macOS server but linux.
I'm guessing it might have something to do with: https://github.com/parse-community/node-apn/blob/master/doc/provider.markdown#apnprovideroptions
ca: An array of trusted certificates. Each element should contain either a filename to load, or a Buffer/String (in PEM format) to be used directly. If this is omitted several well known "root" CAs will be used. - You may need to use this as some environments don't include the CA used by Apple (entrust_2048).
I'm guessing one of those "well known root CAs" is Apple's current one?
from node-apn.
node-apn probably uses the OS's certificate store. If you're running an out of date OS such as CentOS 6 or haven't updated ca-certificates (name varies based on OS) in 2020, you'll probably have issues. For a newer one such as Ubuntu 20.04 (any LTS?) or CentOS 7 you should be fine. EDIT: As other commenters said, certificates are bundled with Node.js, node doesn't use the OS's certificate store.
- If you update node.js you should get newer certificates? (i.e. https://nodejs.org/en/download/)
There's probably some facility in node's tls libraries to add additional certificates to allow when validating the certificate of the APNs server when connecting.
Node probably checks various paths (I haven't checked the source) - I'd guess it's similar to how golang does it? (EDIT: it isn't)
"/etc/ssl/certs/ca-certificates.crt", // Debian/Ubuntu/Gentoo etc.
"/etc/pki/tls/certs/ca-bundle.crt", // Fedora/RHEL 6
"/etc/ssl/ca-bundle.pem", // OpenSUSE
"/etc/pki/tls/cacert.pem", // OpenELEC
"/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem", // CentOS/RHEL 7
"/etc/ssl/cert.pem", // Alpine Linux
from node-apn.
Going off @TysonAndre post above, if you check the ca-certificates package (https://packages.ubuntu.com/bionic/all/ca-certificates/filelist) which you can install via apt-get install ca-certificates you get the following certs in your ca-certificates.crt file mentioned above.
/usr/share/ca-certificates/mozilla/Comodo_AAA_Services_root.crt
/usr/share/ca-certificates/mozilla/COMODO_RSA_Certification_Authority.crt
/usr/share/ca-certificates/mozilla/USERTrust_RSA_Certification_Authority.crt
I'm guessing those will fill Apple's new requirements.
from node-apn.
Is there any way to verify that the the AAA root certificate is present/used by node-apn before the rollover date of March 29?
from node-apn.
Is there any way to verify that the the AAA root certificate is present/used by node-apn before the rollover date of March 29?
You could try out this command: https://unix.stackexchange.com/a/97252
For me it shows subject= /C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=AAA Certificate Services in the output which is the AAA root certificate afaik, but doesn't show until when the cert is valid. For me it was an old cert (see more in EDIT2)
EDIT:
To clarify my reasoning why I think this is the correct cert:
I downloaded the cert that apple includes in their docs (AAACertificateServices 5/12/2020), ran the command above on this cert again and it showed the same info: subject=C = GB, ST = Greater Manchester, L = Salford, O = Comodo CA Limited, CN = AAA Certificate Services
EDIT2:
I was checking this on an AWS AMI for NodeJS, but wasn't checking the cert validity.
awk -v cmd='openssl x509 -noout -enddate -subject' '
/BEGIN/{close(cmd)};{print | cmd}' < /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem | grep -A1 'AAA'
This showed me that the cert I thought was the new AAA is invalid since Jul 2019.
So it seems I don't have the newest AAA cert
from node-apn.
Thanks @derN3rd! I tried this on both my server and my Mac running Big Sur, which I expect would include the latest certificate, but I'm getting GeoTrust Global CA one running openssl s_client -showcerts -connect api.push.apple.com:443
Thinking about it I would expect that to be the case since the rollover date is Mar 29, and it'd probably not make sense for Apple to use the updated certificate now.
But I think the bigger issue here may be that Node.js, which this project depends upon, does not use the system certificate store, as @Dudarev2 has pointed out here: #49 (comment)
I did make a small Node.js program to search through all the hardcoded certificates to find the AAA one, and I found it within my copy of Node installation. If you're interested:
const tls = require('tls'), fs = require('fs');
// Normalise line endings and strip trailing whitespace so the string
// comparison against Node's bundled PEM entries is exact.
const aaa = fs.readFileSync('AAACertificateServices.crt').toString().replace(/\r\n/g, '\n').trim();
const allRootCertificates = tls.rootCertificates;
for (let i = 0; i < allRootCertificates.length; i++) {
  if (allRootCertificates[i].trim() === aaa) {
    console.log("Found AAA certificate at loop " + i);
    console.log(allRootCertificates[i]);
  }
}
console.log("Processed " + allRootCertificates.length + " certificates");
And AAACertificateServices.crt can be found via the link in Apple's email, or https://comodoca.my.salesforce.com/sfc/dist/version/download/?oid=00D1N000002Ljih&ids=0683l00000G9fLm&d=%2Fa%2F3l000000VbG0%2Fh70Hv.GWfGuD79pR_if0MtGjJFcUj.NRZS_RLqEyC_4&asPdf=false
from node-apn.
@eladnava I'm not sure if thats so easily done.
Apple stated in their mail
On March 29, 2021, token and certificate-based HTTP/2 connections to the Apple Push Notification service must incorporate the new root certificate (AAACertificateServices 5/12/2020) which replaces the old GeoTrust Global CA root certificate
Which sounds to me that you need at least the AAA cert from December 2020, which is not in Node 10 or any build that was built before that date.
I have not enough knowledge about certs to tell if the AAACertificateServices 5/12/2020 is the same as Comodo AAA Services root just renewed, but the fact that apple especially states the date of this cert sounds to me that there is a difference.
EDIT:
The docs from apple state that macOS 10.14 (which was released in 2018) and above already include the new AAA root cert, so it seems AAACertificateServices 5/12/2020 is just the newest root cert, but the Comodo AAA Services root should work as well
from node-apn.
@BorntraegerMarc just to confirm, if my server application is running using NodeJS > v12 I don't need to take any action on my side?
from node-apn.
If I am using *.p8 file for sending push notifications, is this issue affects me?
Apn version: 6.12.0
Node version: 12.13.0
from node-apn.
It looks like p8 will continue working. You need to make sure your apn version is using http/2, and it looks like you are good with node 12.
from node-apn.
Please don't jump to conclusions based on the last comments. Not only v12.13.0+ is good.
Many latest node versions should work, as @eladnava indicated in #49 (comment).
Just to show: node v9.11.2, v10.15.1 and v11.15.0 are good as well. See
https://github.com/nodejs/node/blob/v9.11.2/src/node_root_certs.h#L269 and
https://github.com/nodejs/node/blob/v10.15.1/src/node_root_certs.h#L269 and
https://github.com/nodejs/node/blob/v11.15.0/src/node_root_certs.h#L247 and
https://github.com/nodejs/node/blob/v12.13.0/src/node_root_certs.h#L247
Compare with the root certificate.
from node-apn.
@enoskov That's a really cool tip with grepping the node binary. Cheers!
from node-apn.
My node version is: v12.18.4.
I am having an issue of InvalidProviderToken. Is it related to this root cert issue?
1-2 months ago it was working with P8 and TeamId
from node-apn.
I am having issue of InvalidProviderToken. Does it related to this root cert issue?
No, I think you wouldn't even be able to connect to APNs to get this error if you had the wrong root certificate
node-apn#477 may be of use
Can this be closed? the certificate expired in march
from node-apn.
I'm closing this as it does not seem to be a Parse node-apn issue.
- For help with Parse Platform we recommend our community forum
- For coding questions we recommend Stack Overflow using the parse-platform tag
- For network and server questions we recommend ServerFault using the parse-server tag
from node-apn.