pusher/libPusher

Unable to read your certificate: failed to parse PKCS1 private key

mohamedadly opened this issue · 12 comments

I created a production certificate and exported it to p12 then pem on MacOS High Sierra.

Whenever I try to subscribe by calling - (void) registerWithDeviceToken: (NSData*) deviceToken;, I get the following error:

Expected 2xx response to registration request; got 401 with response: {"error":"Invalid application credentials for apns","desc":"Unable to read your certificate: failed to parse PKCS1 private key"}

This usually means that you've uploaded an incorrect certificate, i.e. your .pem is invalid. Please raise a support ticket at https://dashboard.pusher.com/technical-help if you're unable to solve the problem. Thanks!

The command in the Pusher documentation is not producing an RSA key.
openssl pkcs12 -in ~/certificate.p12 -out ~/certificate.pem -nodes -clcerts

That's why it was not working. I had to generate the RSA key separately and attach it to the .pem file for it to work.

huogh commented

I have got the same error. Is the command correct in the Pusher documentation?

openssl pkcs12 -in ~/certificate.p12 -out ~/certificate.pem -nodes -clcerts

huogh commented

I have followed the process at https://pusher.com/docs/push_notifications/ios/apns. But I got an error when the iOS app ran:

Expected 2xx response to registration request; got 401 with response: {"error":"Invalid application credentials for apns","desc":"Unable to read your certificate: failed to parse PKCS1 private key"}

What's wrong? I need help!

I mentioned here before that the documentation is incorrect.
You need a .pem certificate with RSA key.

To solve this, do the following:

Use this command to create aps_dev.pem as usual:
openssl pkcs12 -in aps_dev.p12 -out aps_dev.pem -nodes -clcerts

Then create the RSA key using this command:
openssl rsa -in aps_dev.pem -out rsa.pem

Finally, open aps_dev.pem using a text editor and replace the PRIVATE_KEY section with the generated RSA key.

Upload aps_dev.pem to Pusher and it should work!

huogh commented

thx. It's working!
The Pusher documentation needs an update, it wasted a lot of my time!

@huogh @mohamedadly sorry about the issues you ran into!

We believe our documentation is correct but the library that our Push Notifications service depends on may have been causing an error when it shouldn't have been.

Would either (or both) of you be able to send me your unmodified *.pem file (i.e. the one you generated using the commands in our documentation)?

We believe we have found the issue but we don't currently have access to a suitable *.pem file to reproduce the issue ourselves and so we can't be sure we've fixed it!

If you're happy to do so (it would be massively appreciated!) then please email hamilton@pusher.com.

Thanks!

I have the same issue, same error if I follow the documentation. Adding the RSA key instead of the private key gives a weird issue in the failedToRegisterForPushNotifications:

{\"token_validation_response\":{\"description\":\"Post https://api.development.push.apple.com/3/device/7ed7a4d309d7f47968e4e62df24ce6dad813b861ce410e02eb767681898f78a2: remote error: tls: error decrypting message\",\"sent_device_token\":\"7ed7a4d309d7f47968e4e62df24ce6dad813b861ce410e02eb767681898f78a2\",\"success\":false,\"platform\":\"apns\"}}\n"

@dannygrob Same question to you as above - are you able to send me your unmodified *.pem file (i.e. the one you generated using the commands in our documentation)?

I took an old laptop with MacOS Sierra (10.12.4) and exported the certificates like I normally do and it works fine. (guide here: https://stackoverflow.com/questions/21250510/generate-pem-file-used-to-setup-apple-push-notification)

So it seems to be a High Sierra issue maybe?

Thanks everyone - I can reproduce this issue by following our docs on a MacOS machine with latest software, so I suspect this is due to a recent upgrade in e.g. MacOS or openssl. I can also confirm that @mohamedadly's fix works. I'll try to isolate the cause, and update our docs with instructions which work for old and new software.

I dug deeper into this issue - the problem is that, in some versions of OpenSSL, openssl pkcs12 generates .pem files with private keys in PKCS#8 format, but the library we use internally assumes PKCS#1 format private keys. I've opened a PR on that library which should fix this issue, and make Pusher's current documentation work for everyone.
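
The PKCS#8 versus PKCS#1 difference identified in the last comment can be checked on a .pem before it is uploaded. The following Python sketch is an added example, not part of the original thread and not Pusher's code; the function names and the DER stubs are constructed for illustration, and the stubs are not real keys.

```python
import base64
import re

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)
LABELS = {"RSA PRIVATE KEY": "PKCS#1", "PRIVATE KEY": "PKCS#8"}

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def der_key_format(der):
    """Classify an unencrypted private key by structure, ignoring the PEM label."""
    try:
        outer, start, _ = read_tlv(der, 0)
        version, _, end = read_tlv(der, start)
        following = der[end]
    except IndexError:
        return "unknown"
    if outer != 0x30 or version != 0x02:
        return "unknown"
    # PKCS#1 RSAPrivateKey: version INTEGER, then the modulus INTEGER (0x02).
    # PKCS#8 PrivateKeyInfo: version INTEGER, then AlgorithmIdentifier SEQUENCE (0x30).
    return {0x02: "PKCS#1", 0x30: "PKCS#8"}.get(following, "unknown")

def classify_pem(text):
    """Return (label, format per label, format per DER structure) for each key block."""
    found = []
    for label, body in PEM_BLOCK.findall(text):
        if label in LABELS:
            der = base64.b64decode("".join(body.split()))
            found.append((label, LABELS[label], der_key_format(der)))
    return found

def pem_wrap(label, der):
    b64 = base64.b64encode(der).decode()
    return f"-----BEGIN {label}-----\n{b64}\n-----END {label}-----\n"

# Constructed structural stubs, not real keys: just enough DER to show the layout.
PKCS1_STUB = bytes.fromhex("3006020100020105")
PKCS8_STUB = bytes.fromhex("300b0201003002050004023000")
# Constructed .pem files shaped like `openssl pkcs12 ... -nodes -clcerts` output.
CERT_STUB = pem_wrap("CERTIFICATE", bytes.fromhex("3000"))
PEM_PKCS8 = "Bag Attributes\n" + CERT_STUB + pem_wrap("PRIVATE KEY", PKCS8_STUB)
PEM_PKCS1 = "Bag Attributes\n" + CERT_STUB + pem_wrap("RSA PRIVATE KEY", PKCS1_STUB)

if __name__ == "__main__":
    for name, pem in (("pkcs8.pem", PEM_PKCS8), ("pkcs1.pem", PEM_PKCS1)):
        print(name, classify_pem(pem))
```

A block labelled `PRIVATE KEY` (PKCS#8) is the form the thread reports being rejected with "failed to parse PKCS1 private key"; the structural check also catches a block whose label and contents disagree.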