edamov/pushok

Not able to send pushes since April 1st

jusefjames opened this issue · 4 comments

Hi,
I am trying to get my push notifications to work again since Apple's changes on 1st April.
I read all the existing issues and tried everything that's suggested there, but I always get this error:

PHP Fatal error: Uncaught Exception: NSS: client certificate not found (nickname not specified) in .../edamov/pushok/src/Client.php:161 Stack trace: #0 .../push.php(106): Pushok\Client->push() #1 {main} thrown in ...edamov/pushok/src/Client.php on line 161

I tried putting
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
in Client.php
and also adding this:
$client = new Client($authProvider, $production = true, [CURLOPT_CAPATH => '/pathToCerts/']);
like mentioned in #128 (comment)
still no luck

When I try curl --http2 https://google.com I get a valid response.

For curl --http2 https://api.push.apple.com I get the same error curl: (1) NSS: client certificate not found (nickname not specified)
but
openssl s_client -showcerts -connect api.push.apple.com:443 looks ok for me and the output ends with Verify return code: 0 (ok)

I am using
curl 7.76.0
OpenSSL 1.0.2k-fips
PHP 7.3.27

If anyone has a tip for me what I could try that would be great. Thanks.

Seems something is wrong with the path name where the certificate is located.
You should change /pathToCerts to the real path from your environment:
$client = new Client($authProvider, $production = true, [CURLOPT_CAPATH => '/pathToCerts/']);

Hi, thanks for your quick reply. I used the real path name, just changed it to something shorter for this post. The certificates are located at the same location as my *.p8 file:
/var/www/virtual/myusername/AuthKey_xxxxxxx.p8
It's a shared hosting server. Do the files need special permissions?
The *.p8 file has 644, the certificates *.0 have 644

Hi, I got a little further on that. Seems like the problem here is that curl was built with NSS and not OpenSSL.
If I build a new curl '--without-nss' (before that I also had to build nghttp2) and use this one, I am able to connect to api.push.apple.com without any problems.
But PHP is using the default one with NSS and therefore it always fails.
I worked around it by not using this library and calling my custom-built curl from PHP with exec(), but that's far away from ideal.

Hi, just a quick update: The issue was related to the curl 7.76.0 release, which was done on 31st March (close to Apple's changes on 1st April). That's why I thought this was because of Apple's changes.
But the release of curl 7.76.0 broke http2 support for many ssl backends like NSS (not OpenSSL).
See this for details:
https://daniel.haxx.se/blog/2021/04/14/curl-7-76-1-h2-works-again/
Now with a patch release curl 7.76.1 from yesterday everything is working.
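
The thread turns on which libcurl build PHP itself is linked against, which can differ from the `curl` binary on the command line. The following is an added example, not code from the thread or from pushok: it reads PHP's `curl_version()` and flags the combination reported above (7.76.0 with a non-OpenSSL backend). The function name `describeCurlBuild` and the sample array are constructed for illustration.

```php
<?php
// Added example: report the TLS backend and HTTP/2 support of the libcurl
// that PHP is linked against (not the curl CLI binary).

/**
 * Summarise an array in the shape returned by curl_version().
 * describeCurlBuild is a hypothetical helper name, not part of pushok.
 */
function describeCurlBuild(array $info): array
{
    // ssl_version looks like "NSS/3.53.1" or "OpenSSL/1.0.2k-fips".
    $ssl     = $info['ssl_version'] ?? '';
    $backend = $ssl === '' ? 'none' : explode('/', $ssl, 2)[0];

    // Fallback value mirrors libcurl's CURL_VERSION_HTTP2 bit (1 << 16).
    $h2bit = defined('CURL_VERSION_HTTP2') ? CURL_VERSION_HTTP2 : (1 << 16);
    $http2 = (($info['features'] ?? 0) & $h2bit) !== 0;

    $version = $info['version'] ?? 'unknown';

    // Per the thread: 7.76.0 broke HTTP/2 on backends such as NSS (not
    // OpenSSL) and 7.76.1 fixed it. Treat that pairing as suspect.
    $suspect = $version === '7.76.0' && stripos($backend, 'OpenSSL') === false;

    return [
        'curl_version' => $version,
        'tls_backend'  => $backend,
        'http2'        => $http2,
        'suspect'      => $suspect,
    ];
}

// Constructed sample resembling the reporter's environment (NSS version made up).
$sample = ['version' => '7.76.0', 'ssl_version' => 'NSS/3.53.1', 'features' => 1 << 16];
echo "sample: ", json_encode(describeCurlBuild($sample)), PHP_EOL;

// The real build, when the curl extension is loaded.
if (function_exists('curl_version')) {
    $real = describeCurlBuild(curl_version());
    echo "this PHP: ", json_encode($real), PHP_EOL;
    if (!$real['http2']) {
        echo "libcurl has no HTTP/2 support; the APNs HTTP/2 API needs it.", PHP_EOL;
    }
    if ($real['suspect']) {
        echo "curl 7.76.0 with a non-OpenSSL backend: upgrade to 7.76.1 or later.", PHP_EOL;
    }
}
```

Run it through the same SAPI that sends the pushes (for example the web server's PHP rather than the CLI), since each may load a different libcurl.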