1

Heroku somehow lost its GeoTrust Global CA root certificate, which is needed to use push notifications with Apple's servers. I found the certificate here but I'm not sure how to install it in my Heroku application. I tried adding it as an SSL certificate via the application's settings, but it says I need a private key - where would I get that for a root certificate? Or am I supposed to add this somewhere else?

I should specify that my app is a golang app.

bmueller
  • 2,681
  • 1
  • 27
  • 45

3 Answers3

1

I redefined sideshow/apns2 client factory function to include GeoTrust CA in rootCAs and apple`s apns server became reachable to my app on Heroku.

const (
    GeoTrustCACert = "<path to GeoTrust_Global_CA.pem>"
)

func newCertPool(certPath string) (*x509.CertPool, error) {
    rootCAs, _ := x509.SystemCertPool()
    if rootCAs == nil {
        rootCAs = x509.NewCertPool()
    }

    certs, err := ioutil.ReadFile(certPath)
    if err != nil {
        return nil, errors.New("no certs appended, using system certs only")
    }

    if ok := rootCAs.AppendCertsFromPEM(certs); !ok {
        log.Println("no certs appended, using systems only certs")
    }
    return rootCAs, nil
}

func NewApns2ClientWithGeoTrustCA(certificate tls.Certificate) *apns2.Client {
    rootCas, err := newCertPool(GeoTrustCACert)
    if err != nil {
        return nil
    }
    tlsConfig := &tls.Config{
        RootCAs:      rootCas,
        Certificates: []tls.Certificate{certificate},
    }

    if len(certificate.Certificate) > 0 {
        tlsConfig.BuildNameToCertificate()
    }
    transport := &http2.Transport{
        TLSClientConfig: tlsConfig,
        DialTLS:         apns2.DialTLS,
    }

    return &apns2.Client{
        HTTPClient: &http.Client{
            Transport: transport,
            Timeout:   apns2.HTTPClientTimeout,
        },
        Certificate: certificate,
        Host:        apns2.DefaultHost,
    }

}
rpletnev
  • 36
  • 3
0

We also faced similar problem in our spring boot application which is using dependency of artifact "pushy", groupId "com.eatthepath" with "0.14.2" version for APN push notification and deployed in heroku. And to solve this problem we followed the steps from this link: https://help.heroku.com/447CZS8V/why-is-my-java-app-unable-to-find-a-valid-certification-path and https://devcenter.heroku.com/articles/customizing-the-jdk and then also used the "CaCertUtil" class and "GeoTrust_Global_CA.pem" file and added ".setTrustedServerCertificateChain(CaCertUtil.allCerts());" line while building ApnsClientBuilder.

"CaCertUtil" and "GeoTrust_Global_CA.pem" is taken from this link https://github.com/wultra/powerauth-push-server/commit/71abeb5663201fedf64830fa0ebdf4db6c537e4b.

Prashan Dristi
  • 1
  • 3
0

We faced a similar issue this week and solved it by adding certificates to the App variables directly in Heroku Dashboard. According to the documentation you could also manually add the CA again. https://devcenter.heroku.com/articles/ssl

Simon
  • 1