Why do I get TLS/certificate errors connecting to the Apple Push Notification Service (APNs)?

Issue

Connections to the Apple Push Notification Service (APNs) at https://api.push.apple.com fail with TLS certificate errors like:

  • x509: certificate signed by unknown authority
  • PKIX path building failed
  • SunCertPathBuilderException: unable to find valid certification path to requested target

These errors are caused by the APNs service's use of the legacy GeoTrust Global CA root certificate, which has been distrusted by several widely-used CA root stores as part of a multi-year phase-out program. Most recently, the GeoTrust Global CA root certificate was removed from the Ubuntu ca-certificates package, which is the root store used by Heroku's stack images.

The updated ca-certificates package was released to Common Runtime apps on February 8th, 2021, and will be released to Private Spaces apps during their space's next maintenance cycle (typically every 2 weeks).

This issue also occurs outside of Heroku - for example, connections also fail using the official Ubuntu Docker image:

$ docker run --rm -it ubuntu:20.04 bash
root@1b98119cc104:/# apt-get update -qq
root@1b98119cc104:/# apt-get install -yqq curl
...
root@1b98119cc104:/# curl -I https://api.push.apple.com
curl: (60) SSL certificate problem: unable to get local issuer certificate

Resolution

Apple are due to switch to a supported Certificate Authority on March 29th, 2021, which will fix this issue:
https://developer.apple.com/news/?id=7gx0a2lp

Until that time, the legacy GeoTrust Global CA root certificate must be manually configured for apps connecting to APNs.

This certificate can be downloaded from the GeoTrust Root Certificates website - direct link: GeoTrust_Global_CA.pem

For Heroku apps using Java, this CA certificate can be added to the JDK root store bundled within the app - see adding custom certificates.

For Heroku apps using other languages, which generally use the stack image root store directly (and cannot modify it), one of the following is needed instead:

  1. Manually specify the above CA when creating/configuring their APNs push client library.
  2. File an issue against their APNs push client library, asking them to bundle the CA cert directly, so the client works out of the box.
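As an added example of option 1 (not code from this article or from any APNs client library), the Go program below shows how to trust one extra root CA for a single HTTP client without touching the platform root store: the system pool is loaded, the additional PEM certificate is appended, and the resulting pool is wired into a tls.Config on a dedicated http.Transport. The GeoTrust root and the real APNs chain are not reproduced here; instead makeTestChain constructs a throwaway self-signed root and a leaf for the made-up hostname api.push.example, so the same verification path can be exercised offline. With the real certificate, extraPEM would be the contents of GeoTrust_Global_CA.pem.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"net/http"
	"time"
)

// rootPoolWithExtraCA returns the platform root store plus every CA certificate
// found in extraPEM, so the legacy root is trusted in addition to, not instead
// of, the normal roots.
func rootPoolWithExtraCA(extraPEM []byte) (*x509.CertPool, error) {
	pool, err := x509.SystemCertPool()
	if err != nil || pool == nil {
		pool = x509.NewCertPool() // minimal image without a readable system store
	}
	if !pool.AppendCertsFromPEM(extraPEM) {
		return nil, errors.New("no CA certificate could be parsed from the PEM input")
	}
	return pool, nil
}

// apnsClient wires the augmented pool into one HTTP client only; every other
// connection in the process keeps using the unmodified system store.
func apnsClient(pool *x509.CertPool) *http.Client {
	return &http.Client{
		Timeout: 10 * time.Second,
		Transport: &http.Transport{
			ForceAttemptHTTP2: true, // APNs requires HTTP/2
			TLSClientConfig:   &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12},
		},
	}
}

// verifyAgainstPool runs the same chain check a TLS handshake performs, which
// lets the effect of the extra root be tested without a network connection.
func verifyAgainstPool(leafDER []byte, pool *x509.CertPool, host string) error {
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return err
	}
	_, err = leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// makeTestChain builds a constructed self-signed root and a server leaf signed
// by it for host. It stands in for the GeoTrust root and the APNs chain, which
// are not reproduced in this example.
func makeTestChain(host string) (caPEM, leafDER []byte) {
	now := time.Now()
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Test Root CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	caDER := must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))
	caCert := must(x509.ParseCertificate(caDER))
	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER = must(x509.CreateCertificate(rand.Reader, leafTmpl, caCert, &leafKey.PublicKey, caKey))
	caPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER})
	return caPEM, leafDER
}

func main() {
	const host = "api.push.example" // constructed hostname, not the real APNs endpoint
	caPEM, leafDER := makeTestChain(host)
	// Without the extra root the check fails with "certificate signed by unknown authority".
	fmt.Println("system store only:", verifyAgainstPool(leafDER, x509.NewCertPool(), host))
	pool := must(rootPoolWithExtraCA(caPEM))
	fmt.Println("with extra root:  ", verifyAgainstPool(leafDER, pool, host))
	_ = apnsClient(pool) // use this client for requests to the APNs endpoint
}
```

Scoping the extra root to the APNs client, rather than appending it to the process-wide or image-wide store, keeps the distrusted root from being accepted for any other connection, and makes it easy to drop once Apple completes the CA switch described below.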

For more information on specific clients, see:

We also recommend filing a ticket against Apple, to raise awareness of this compatibility issue.

For more background on this issue, see:
