Worklight SSL errors using local Liberty server

Question

I have the PushAdapter from the example push notification defined in an new project, and, I've added the apns-certificate-sandbox.p12 to the native api application (a native api), added the correct bundleId value in the application-descriptor.xml, but, I keep getting this error:

[WARNING ] Failed to retreive invalid devices
javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown
[ERROR   ] Couldn't get feedback connection
javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown
[ERROR   ] Unknown exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown
Unknown exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown

This is a new installation of Worklight (6.0.0.20130909-1459), and I've tried two separate installations (one into Eclipse and one into RAD), both same errors.

Is there some additional work that needs to be done for push testing to work in the Worklight Development Server (Websphere Liberty) environment for SSL to work? There aren't any devices subscribed yet, but, not sure why this error is occurring or if it's relevant at all.

The detailed trace is here:

[11/1/13 11:50:20:834 EDT] 00000034 com.worklight.core.exceptions.InstrumentedException          E Unknown exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown
com.worklight.core.exceptions.InstrumentedException: Unknown exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown
    at com.worklight.core.exceptions.DefaultExceptionHandler.handleException(DefaultExceptionHandler.java:56)
    at com.worklight.core.tasks.TaskThread.run(TaskThread.java:113)
Caused by: java.lang.RuntimeException: javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown
    at com.notnoop.apns.internal.Utilities.parseFeedbackStreamRaw(Utilities.java:201)
    at com.notnoop.apns.internal.Utilities.parseFeedbackStream(Utilities.java:211)
    at com.notnoop.apns.internal.ApnsFeedbackConnection.getInactiveDevicesImpl(ApnsFeedbackConnection.java:87)
    at com.notnoop.apns.internal.ApnsFeedbackConnection.getInactiveDevices(ApnsFeedbackConnection.java:67)
    at com.notnoop.apns.internal.AbstractApnsService.getInactiveDevices(AbstractApnsService.java:99)
    at com.notnoop.apns.internal.ApnsServiceImpl.getInactiveDevices(ApnsServiceImpl.java:36)
    at com.worklight.integration.notification.apns.ApplicationConnection.getInactiveDevices(ApplicationConnection.java:110)
    at com.worklight.integration.notification.apns.APNSMediator.maintain(APNSMediator.java:95)
    at com.worklight.integration.notification.Dispatcher.maintain(Dispatcher.java:148)
    at com.worklight.integration.notification.NotificationCleanupTask.step(NotificationCleanupTask.java:29)
    at com.worklight.core.tasks.TaskThread.run(TaskThread.java:111)
Caused by: javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
    at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1961)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1077)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312)
    at sun.security.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:882)
    at sun.security.ssl.AppInputStream.read(AppInputStream.java:102)
    at sun.security.ssl.AppInputStream.read(AppInputStream.java:69)
    at java.io.DataInputStream.readInt(DataInputStream.java:387)
    at com.notnoop.apns.internal.Utilities.parseFeedbackStreamRaw(Utilities.java:192)
    ... 10 more

Answer 1

On my side it has been veririfed that in OS X (sometimes in Windows too actually), the certificate_unknown error is thrown when using JRE 7 instead of JRE 6. It seems that the notnoop open source library used in Worklight is not handling well Java 7.

https://github.com/notnoop/java-apns/issues/54

Answer 2

This looks like an error from the server trying to test a connection to the Apple Push/Feedback service.

A couple of things to check:

1. Is the application built for development or distribution?
2. If development, ensure you are using the Development SSL certificate. Export both the certificate and private key into a file named: apns-certificate-sandbox.p12
3. If distribution, ensure you are using the Production SSL certificate. Export both the certificate and private key into the a file named: apns-certificate-production.p12
4. Ensure the .p12 file was created correctly and that you specified the corresponding password in the application descriptor file.
5. Ensure that your Worklight server can access the APNs hosts/ports for the push and for feedback service. i.e Firewall ports need to be opened for the following:
   • gateway.push.apple.com, port 2195
   • gateway.sandbox.push.apple.com, port 2195
   • feedback.push.apple.com, port 2196
   • feedback.sandbox.push.apple.com on port 2196

Answer 3

Worklight product never used http://code.google.com/p/javapns for push, it is using com.notnoop.apns . This package works well with Oracle JDK 1.6 and 1.7 Can you shed some more light on which JDK exactly version were you using ? I tested push sample on the embedded Liberty+Oracle JDK 1.7_07b +iPhone 5 and it worked. how did you create this certificate ? can you write here step-by-step what you did? (and specify every file you copied,edited i the way)

If you are asking about using javaPNS: Ofcourse, since its an open framework, you could manually copy (and use) any jar into your Worklight project as a 3rd party dependency, however, it seems that this javaPNS jar has some bugs with SSL.

Why don't you look at the Worklight's push notification samples and work your way from there ( http://www.ibm.com/developerworks/mobile/worklight/getting-started.html#client-basics ) ? (Worklight comes with a working push notification solution , works on JDK1.6 or 1.7 without issues with your PKCS12 certificates)