PushSharp APNS production: The credentials supplied to the package were not recognized (development works fine though)

Question

My app just got ready for sale on App Store, but none of my production devices (devices that have installed the app from App Store) are getting push notifications. When I try to send a push notification to a production device, I am getting this error:

"The credentials supplied to the package were not recognized" 
(System.ComponentModel.Win32Exception)

This exception is internally thrown and caught in an infinite loop:

It is thrown at line 539 of ApplePushChannel.cs file:

    try
{
    stream.AuthenticateAsClient(this.appleSettings.Host, this.certificates, 
        System.Security.Authentication.SslProtocols.Ssl3, false);
    //stream.AuthenticateAsClient(this.appleSettings.Host);
}
catch (System.Security.Authentication.AuthenticationException ex)
{
    throw new ConnectionFailureException("SSL Stream Failed to Authenticate as Client", ex);
}

This is the output of the application in Visual Studio Output:

...
A first chance exception of type 'System.ComponentModel.Win32Exception' occurred in System.dll
A first chance exception of type 'System.ObjectDisposedException' occurred in System.dll
A first chance exception of type 'System.ComponentModel.Win32Exception' occurred in System.dll
A first chance exception of type 'System.ObjectDisposedException' occurred in System.dll
A first chance exception of type 'System.ComponentModel.Win32Exception' occurred in System.dll
A first chance exception of type 'System.ObjectDisposedException' occurred in System.dll
A first chance exception of type 'System.ComponentModel.Win32Exception' occurred in System.dll
A first chance exception of type 'System.ObjectDisposedException' occurred in System.dll
A first chance exception of type 'System.ComponentModel.Win32Exception' occurred in System.dll
...(it keeps getting thrown until I stop it manually)

Here are the things I've tried:

• Double checked that the device ID I'm trying is registered with a production device token.
• Revoked and regenerated the APNS Production certificate, exported it with the private key to a new .p12 file, and tried again with the new certificate. (I had the same problem with development push notifications, and this solved my problem)
• Changed the SSL protocol from Ssl3 to Tls. (a few days ago there was a problem with protocol version, and it fixed a problem temporarily. There shouldn't be need for this, but the error I'm getting is the same as the one I was getting before which this fixed)
• Checked that I'm actually trying to connect to production server with the production certificate instead of development server/certificate.
• Checked that I can access the APNS server directly (my ASP.NET app lives inside a Parallels VM Windows 8.1 at my Mac, here is the output from my Mac, just to avoid confusion:

(Terminal output) Edit: I was pinging the sandbox server, I've pinged the production server, I verify that I can connect to it too, so it's not the issue.

can$ sudo nmap -p 2195 gateway.sandbox.push.apple.com
Starting Nmap 6.40-2 ( http://nmap.org ) at 2014-04-28 00:06 EEST
Nmap scan report for gateway.sandbox.push.apple.com (17.149.34.189)
Host is up (0.49s latency).
Other addresses for gateway.sandbox.push.apple.com (not scanned): 17.149.34.187 17.149.34.188
PORT     STATE SERVICE
2195/tcp open  unknown

Why would PushSharp not negotiate with APNS servers?

Answer 1

I was tested it again and again.

Convert the p12 file to pem format, and it will work with IIS limited users and maybe with Azure....

Answer 2

None of the answers worked for me. In the end what I ended up doing is importing the Cert and Private Key into the Windows cert store, and then exporting as a .pfx.

Answer 3

"The credentials supplied to the package were not recognized" exception usually indicates that the user running the code does not having enough permissions.

If you are sending push notifications from Azure web app or webjob do not load the APNS certificate from a file or base64-encoded string. Go to Azure Portal and add the certificate to website instead. Note the thumbprint.

Next add WEBSITE_LOAD_CERTIFICATES setting and set it to * (asterisk).

Now the APNS certificate can be used from C# code:

string thumbprint = "YOUR THUMBPRINT";
var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
store.Open(OpenFlags.ReadOnly);
var certificate = store.Certificates.Find(
    X509FindType.FindByThumbprint, thumbprint, validOnly: false)
    .Cast<X509Certificate2>().SingleOrDefault();
var apnsConfig = new ApnsConfiguration(
    ApnsConfiguration.ApnsServerEnvironment.Production, certificate);

References

• Using Certificates in Azure Websites Applications
• Configuring a certificate for APNS on the Azure platform

Answer 4

I was receiving the same exception and in my case I had to add permission for my IOS Push Services certificate.

Right click on the certificate in mmc -> All Tasks -> Manage Private Keys... I added NETWORK SERVICE because the iis application pool of my web app used that account.

See for more details: http://blog.falafel.com/apple-push-notifications-certificates-and-iis/

Answer 5

I figured out the problem. I revoked and regenerated the certificate again, and this time I only exported the private key (without the certificate). In Keychain access, I exported as .p12 and used the new file and it worked. For some reason, PushSharp wasn't play well with .p12 when both certificate and private key are present in the file.

Answer 6

When using the windows certificate store, (imho the easiest way to manage certificates on a production server), be sure to set the correct permissions on the private key.