APNs is changing root certificate from GeoTrust to Comodo AAA Certificate Services on March 29 #173

Closed
1 of 3 tasks
reivilibre opened this issue Mar 5, 2021 · 3 comments

reivilibre commented Mar 5, 2021

Vishnups in the Sygnal channel kindly alerted me/us to the fact that APNs is changing which root certificate they will use:

On March 29, 2021, token and certificate-based HTTP/2 connections to the Apple Push Notification service must incorporate the new root certificate (AAACertificateServices 5/12/2020) which replaces the old GeoTrust Global CA root certificate. To ensure a seamless transition and to avoid push notification delivery failures, verify that both the old and new root certificates for the HTTP/2 interface are included in the Trust Store of each of your notification servers before March 29.

https://developer.apple.com/news/?id=7gx0a2lp

This is probably good news for many because the old root certificate wasn't trusted by Debian anymore.

Things it seems we should do:

  • revert the old GeoTrust certificate from getting specially added into the Docker image (Docker: Include Root CA cert needed for APNs #141) (after March 29)
  • check the Docker image has the new root certificate present (if it doesn't for some reason, that will need a new release being pushed out for Docker users before March 29)
  • alert Sygnal users to check this, if it seems like this may pose some trouble? Sounds like Apple has already sent out e-mails.

The certificate in question looks like this (AAACertificateServices.crt found here); path on an Ubuntu system (which I presume is the same on any Debian system):

oli@bbm-neon:~/Downloads$ sha256sum AAACertificateServices.crt 
a5ddabd1602ae1c66ce11ad078e734cc473dcb8e9f573037832d8536ae3de90b  AAACertificateServices.crt
oli@bbm-neon:~/Downloads$ sha256sum /etc/ssl/certs/Comodo_AAA_Services_root.pem 
a5ddabd1602ae1c66ce11ad078e734cc473dcb8e9f573037832d8536ae3de90b  /etc/ssl/certs/Comodo_AAA_Services_root.pem
@reivilibre reivilibre changed the title APNs is changing root certificate from GeoTrust to Comodo AAA Certificate Services APNs is changing root certificate from GeoTrust to Comodo AAA Certificate Services on March 29 Mar 5, 2021
@reivilibre

Looks like the latest Docker image has it, at least:

oli@bbm-neon:~$ docker run -it --rm --entrypoint bash --name s1 matrixdotorg/sygnal:latest 
root@1fcb0d0eaebb:/# cd /etc/ssl/certs/
root@1fcb0d0eaebb:/etc/ssl/certs# sha256sum Comodo_AAA_Services_root.pem 
a5ddabd1602ae1c66ce11ad078e734cc473dcb8e9f573037832d8536ae3de90b  Comodo_AAA_Services_root.pem
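
The checks above compare whole PEM files with sha256sum. As an added example (not part of the original thread or of Sygnal's code), the following Python checks a concatenated CA bundle for required roots by hashing each certificate's DER bytes, so a re-wrapped or CRLF-converted copy still matches. The certificates are constructed stand-ins and all function names are hypothetical.

```python
import base64
import hashlib
import re

# Matches each certificate in a single PEM file or a concatenated bundle.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.DOTALL
)

def der_fingerprints(pem_text):
    """Return the SHA-256 hex digests of the DER bytes of every certificate."""
    prints = set()
    for body in PEM_BLOCK.findall(pem_text):
        der = base64.b64decode("".join(body.split()))  # drop line wrapping and CR/LF
        prints.add(hashlib.sha256(der).hexdigest())
    return prints

def missing_roots(required, bundle_text):
    """Return {name: fingerprint} for each required root absent from the bundle."""
    present = der_fingerprints(bundle_text)
    missing = {}
    for name, pem in required.items():
        fps = der_fingerprints(pem)
        if len(fps) != 1:
            raise ValueError(f"{name}: expected exactly one certificate")
        (fp,) = fps
        if fp not in present:
            missing[name] = fp
    return missing

def to_pem(der, width=64):
    """Wrap DER bytes as PEM text (used only to build the sample data)."""
    b64 = base64.b64encode(der).decode()
    rows = [b64[i:i + width] for i in range(0, len(b64), width)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(rows)
            + "\n-----END CERTIFICATE-----\n")

# Constructed stand-ins for the old and new APNs roots (not real certificates).
OLD_ROOT = to_pem(b"constructed-old-root" * 8)
NEW_ROOT = to_pem(b"constructed-new-root" * 8)
# Constructed bundle: an unrelated root plus the new root, re-wrapped with CRLF.
BUNDLE = (to_pem(b"constructed-unrelated-root" * 8)
          + to_pem(b"constructed-new-root" * 8, width=76)).replace("\n", "\r\n")

if __name__ == "__main__":
    required = {"old": OLD_ROOT, "new": NEW_ROOT}
    for name, fp in missing_roots(required, BUNDLE).items():
        print(f"MISSING {name}: sha256(DER)={fp}")
```

To check a real host, pass the text of the downloaded root files as `required` and the text of the trust bundle the notification server loads as `bundle_text`.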


csett86 commented Apr 3, 2021

I opened #208 to remove the now unnecessary GeoTrust from the docker image.

@reivilibre

Fixed by #208
