Reputation: 694
I have been successfully testing sending push notifications to Apple devices using SNS, currently in Xcode with the APNS_SANDBOX.
We are now ready to move to production and are having an absolute nightmare getting the certificates set up properly on the APNS (Production) application endpoint.
I am following the same process we followed during development and have consulted several guides.
Each time we try to send a push notification to a device we get the following failure notification:
{"DeliveryAttempts":1,"EndpointArn":"arn:aws:sns:eu-west-1:123456789:endpoint/APNS/Name/e591d1a1-8db3-3382-8091-ab1a3cb3cac5","EventType":"DeliveryFailure","FailureMessage":"Endpoint is disabled","FailureType":"EndpointDisabled","MessageId":"08a70f95-773c-58fb-a6f9-5df1650eeb19","Resource":"arn:aws:sns:eu-west-1:123456789:app/APNS/Name","Service":"SNS","Time":"2017-10-20T15:02:10.824Z"}
I understand this can relate to several issues but is likely a problem with the certificate uploaded to SNS.
The process we have followed:
1. From the Apple Developer website, navigate to Certificates, IDs & Profiles > Identifiers > App IDs.
2. Create a new App ID and enable the Push Notifications service.
3. Click Create a new Production SSL certificate, then create a new CSR file in the local keychain on the Mac, upload it to the Developer site (during the certificate generation process), then download the generated .cer file.
4. Double-click the .cer file to add it to the Keychain on the Mac.
5. At this point we have consulted the http://docs.aws.amazon.com/sns/latest/dg/mobile-push-apns.html documentation, which suggests running the following command:
   openssl x509 -in myapnsappcert.cer -inform DER -out myapnsappcert.pem
6. Back inside Keychain, select Keys, highlight the app's private key and export it to the .p12 file.
7. Back in the command prompt, run the following command as per the AWS docs: openssl pkcs12 -in myapnsappprivatekey.p12 -out myapnsappprivatekey.pem -nodes -clcerts to generate another .pem file.
Amazon goes on to say:
The newly created .pem file will be used to configure Amazon SNS for sending mobile push notification messages.
This leads me to believe the docs are outdated, as uploading the .pem file to the SNS APNS Applications credentials manager returns an error stating that it cannot read the file.
According to the SNS credentials manager for the APNS Application, it only accepts the .p12 file... if that is the case, why the need to create the final .pem file? Is this step still required? Have I missed a step?
I uploaded the final .p12 file anyway, but obviously, it does not work.
I appreciate there are other questions similar to this but the answers are so broad that there are no real solutions other than trial and error. I believe my issue is specifically related to incorrectly generated certificates, or a step is missing out of the process.
I guess I am reaching out to anybody who has done this recently who can clarify the steps involved.
Thanks
Upvotes: 3
Views: 1813
Reputation: 694
After a lot of trial and error, I've managed to get it working. I'm not sure if the AWS docs are outdated, but they are certainly overkill.
Here goes:
1. From the Apple Developer website, navigate to Certificates, IDs & Profiles > Identifiers > App IDs.
2. Create a new App ID and enable the Push Notifications service.
3. Click Create a new Production SSL certificate, then create a new CSR file in the local keychain on the Mac, upload it to the Developer site (during the certificate generation process), then download the generated .cer file.
4. Double-click the .cer file to add it to the Keychain on the Mac.
5. Open Keychain, select 'My Certificates', and highlight the certificate that got added in step 3; it probably starts with 'Apple Push Services'.
6. Right-click the cert and export it (extension is .p12). If it asks you to set a password, you can leave it blank.
7. In AWS SNS, navigate into Applications, click into your APNS application (or add a new application). Under 'platform application actions' click update credentials and upload your exported .p12 file.
8. Finally, click 'Load credentials from file' and update to exit the application settings.
Enjoy push notifications in your app.
This worked for me, I'm not sure why AWS docs suggest the commands to convert files, it looks like they're not necessary and have caused great confusion.
Hope this helps somebody else.
Upvotes: 4
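The question exports the private key from Keys while the answer exports the certificate from My Certificates, so it helps to see what a given .p12 actually holds before uploading it to SNS. The check below is an added example, not part of either post or of the AWS documentation. `check_p12` is a hypothetical helper name, the `openssl` CLI is assumed to be installed, and on OpenSSL 3.x a Keychain export may need `-legacy` added to the `pkcs12` calls.

```shell
#!/bin/sh
# Added example (not from the original posts): inspect a .p12 before uploading
# it to SNS. check_p12 is a hypothetical helper name; needs the openssl CLI.
# Usage: check_p12 FILE [PASSWORD]   (PASSWORD defaults to empty)
# Returns 0 only if the bundle holds a client certificate AND its private key.
check_p12() {
    p12=$1
    pw=${2:-}
    # Extract the client certificate only; failure here means the file is not
    # PKCS#12 or the password is wrong.
    cert=$(openssl pkcs12 -in "$p12" -passin "pass:$pw" -nokeys -clcerts 2>/dev/null) || {
        echo "unreadable: wrong password or not a PKCS#12 file"; return 2; }
    # Extract the private key only, kept in a variable and never written to disk.
    key=$(openssl pkcs12 -in "$p12" -passin "pass:$pw" -nocerts -nodes 2>/dev/null) || key=
    case $cert in
        *"BEGIN CERTIFICATE"*) ;;
        *) echo "no client certificate in bundle (key-only export?)"; return 3 ;;
    esac
    case $key in
        *"PRIVATE KEY"*) ;;
        *) echo "no private key in bundle (certificate-only export?)"; return 4 ;;
    esac
    # The public key derived from the certificate and from the private key
    # must be identical, otherwise the pair cannot authenticate to APNs.
    cert_pub=$(printf '%s\n' "$cert" | openssl x509 -noout -pubkey 2>/dev/null)
    key_pub=$(printf '%s\n' "$key" | openssl pkey -pubout 2>/dev/null)
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "private key does not match certificate"; return 5
    fi
    # -checkend 0 fails if the certificate has already expired.
    printf '%s\n' "$cert" | openssl x509 -noout -checkend 0 >/dev/null 2>&1 || {
        echo "certificate has expired"; return 6; }
    # Show subject and expiry so the app ID and environment can be confirmed by eye.
    printf '%s\n' "$cert" | openssl x509 -noout -subject -enddate
    echo "ok: certificate and matching private key present"
    return 0
}
```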