antony2016

Q: Local Error -1200 creating push certificates in the server. Any idea ?

In the server Application

 

When you try to renew or create a push certificate, it comes up with the error "Local Error -1200 creating push certificates" in the server. Any idea?

Mac mini, OS X Mountain Lion (10.8.5)

Posted on Aug 13, 2016 5:11 AM


  • by joostvanriel,

    joostvanriel Aug 15, 2016 1:34 AM in response to antony2016
    Level 1 (4 points)

    I'm having the same problem with 10.7.5 server. (two of them)

    During the renewal I watched the Console and I think the SSL certificate of the Apple servers is no longer trusted.

    (or the Server versions are too low)

    Aug 15 10:23:08 login.********** servermgrd[23349]: Got connection error: Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo=0x7fb8f5aab9a0 {NSUnderlyingError=0x7fb8f15af450 "An SSL error has occurred and a secure connection to the server cannot be made.", NSErrorFailingURLStringKey=https://identity.apple.com/pushcert/caservice/renew, NSErrorFailingURLKey=https://identity.apple.com/pushcert/caservice/renew, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made.}

    Aug 15 10:23:08 login.********** servermgrd[23349]: Request for push certificate failed: reason = Local, error code = -1200, error = Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo=0x7fb8f5aab9a0 {NSUnderlyingError=0x7fb8f15af450 "An SSL error has occurred and a secure connection to the server cannot be made.", NSErrorFailingURLStringKey=https://identity.apple.com/pushcert/caservice/renew, NSErrorFailingURLKey=https://identity.apple.com/pushcert/caservice/renew, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made.}

     

    So not yet an idea, but hopefully with these console outputs we get somewhere?

  • by joostvanriel,

    joostvanriel Aug 15, 2016 2:19 AM in response to joostvanriel
    Level 1 (4 points)

    Maybe this will do the trick:

    · check what certificate your notification service thinks it's using:

     

    mymac:~ waider$ sudo serveradmin settings notification:sslKeyFile

    notification:sslKeyFile="/etc/certificates/mymac.mydomain.com.BADBADBADBADBADBADBADBADBAD.concat.pem"

    mymac:~ waider$ sudo serveradmin settings notification:sslCAFile

    notification:sslCAFile="/etc/certificates/mymac.mydomain.com.BADBADBADBADBADBADBADBADBAD.chain.pem"

     

    The Push Certificate does not correspond with the SSL certificate.

  • by mephiz,

    mephiz Aug 23, 2016 4:40 AM in response to antony2016
    Level 1 (4 points)
    Servers Enterprise

    I have exactly the same problem. OS X 10.8.5, Server 2.2.5. In the system.log I have the same errors as joostvanriel. Connection error Error Domain=NSURLErrorDomain, NSErrorFailingURLStringKey=https://identity.apple.com/pushcert/caservice/renew, NSErrorFailingURLKey=https://identity.apple.com/pushcert/caservice/renew, Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made."

    It looks like this is a problem with the TLS 1.2 connection. Safari on the server machine also cannot connect to the specified URL manually, because TLS 1.2 connections are not supported by that Safari version on 10.8.5. It looks like Apple identity servers require TLS 1.2, but OS X 10.8.5 doesn't support it.

     

    So, I'm unsure the problem can be solved with anything on the client side. No manipulations with certificates or Time Machine on the client can help, as Apple certificate signing servers are simply unreachable. Apple must do something. Any Apple representative? I'm soon going to end up with no push notifications, terrible. Same problem reported here: local error -1200 push certificate - no solution.
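An added example, not part of any post in this thread: a small triage script that reads servermgrd lines like the ones quoted above and separates NSURLErrorDomain -1200 (a failed secure connection, with no certificate verdict attached) from the certificate-specific codes -1201 to -1204. The sample lines, the `server.example` and `mdm.example.invalid` hostnames, and the function name are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# NSURLErrorDomain codes in the TLS range, as named in Foundation's NSURLError.h.
TLS_CODES = {
    -1200: "NSURLErrorSecureConnectionFailed",
    -1201: "NSURLErrorServerCertificateHasBadDate",
    -1202: "NSURLErrorServerCertificateUntrusted",
    -1203: "NSURLErrorServerCertificateHasUnknownRoot",
    -1204: "NSURLErrorServerCertificateNotYetValid",
}
CERT_TRUST_CODES = {-1201, -1202, -1203, -1204}

SYSLOG = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) (?P<proc>[^\[\s]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
CODE = re.compile(r"Error Domain=NSURLErrorDomain Code=(-\d+)")
URL = re.compile(r"NSErrorFailingURLKey=([^,}\s]+)")

def triage(lines):
    """Return {(endpoint, code name, verdict): count}, one count per failed request."""
    seen, summary = set(), Counter()
    for line in lines:
        m = SYSLOG.match(line)
        code = m and CODE.search(m["msg"])
        if not code or int(code[1]) not in TLS_CODES:
            continue
        num = int(code[1])
        url = URL.search(m["msg"])
        endpoint = urlparse(url[1]).hostname if url else "unknown"
        # The same failure is logged twice (connection error, then failed request).
        key = (m["ts"], m["pid"], num, endpoint)
        if key in seen:
            continue
        seen.add(key)
        verdict = "certificate trust" if num in CERT_TRUST_CODES else "handshake/protocol"
        summary[(endpoint, TLS_CODES[num], verdict)] += 1
    return dict(summary)

# Constructed sample lines modelled on the console output quoted in this thread.
SAMPLE = [
    'Aug 15 10:23:08 server.example servermgrd[23349]: Got connection error: Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo=0x0 {NSErrorFailingURLKey=https://identity.apple.com/pushcert/caservice/renew, NSLocalizedDescription=An SSL error has occurred}',
    'Aug 15 10:23:08 server.example servermgrd[23349]: Request for push certificate failed: reason = Local, error code = -1200, error = Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred" UserInfo=0x0 {NSErrorFailingURLKey=https://identity.apple.com/pushcert/caservice/renew}',
    'Aug 15 10:25:41 server.example servermgrd[23349]: Got connection error: Error Domain=NSURLErrorDomain Code=-1202 "The certificate for this server is invalid." UserInfo=0x0 {NSErrorFailingURLKey=https://mdm.example.invalid/checkin}',
    'Aug 15 10:26:00 server.example servermgrd[23349]: notification service started',
]
```

A result dominated by -1200 for one endpoint, with no -1201 to -1204 entries, points away from a local trust-store problem and toward a protocol or cipher mismatch with that endpoint.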

  • by thanospc,

    thanospc Sep 7, 2016 12:30 AM in response to mephiz
    Level 1 (4 points)

    I have the same problem on 10.8.5 and with server osx 2.2.5. I can't renew the Apple push certificate anymore. Do we have any news or any solution about it?

  • by mephiz,

    mephiz Sep 7, 2016 12:48 AM in response to thanospc
    Level 1 (4 points)
    Servers Enterprise

    thanospc, no. I decided to spend the remaining time before the certificate expires to upgrade to El Capitan and solve the problems of upgrading, if any. Basically, after the upgrade there were no major ones. Postfix and Apache required some minor tweaking though. Also, PostgreSQL stopped working for user-created roles and tables; I had to install a separate instance with Homebrew for that. (After the upgrade I renewed the push certificate; however, somehow I had to use an alternative e-mail address connected to the same Apple ID as a login name to succeed. Otherwise there was an error (-1000... something). No re-enrollment for devices was necessary after that.)

  • by thanospc,

    thanospc Sep 7, 2016 12:51 AM in response to mephiz
    Level 1 (4 points)

    But I know that server osx 2.2.5 doesn't work on El Capitan. Did you download the server osx 5.1.7 version as well?

  • by mephiz,

    mephiz Sep 7, 2016 12:55 AM in response to thanospc
    Level 1 (4 points)
    Servers Enterprise

    Yes. The general procedure is 1) full backup, 2) OS upgrade, 3) Server.app upgrade.

  • by thanospc,

    thanospc Sep 7, 2016 12:58 AM in response to mephiz
    Level 1 (4 points)

    But if you download the new Server.app, don't you lose all the created users and the iPad in the database from the old server app?

  • by mephiz,

    mephiz Sep 7, 2016 1:10 AM in response to thanospc
    Level 1 (4 points)
    Servers Enterprise

    thanospc, users and most of the other configuration are preserved during OS and Server.app upgrade. However, after OS upgrade I lost connection to my headless Mac via Screen Sharing. I could restore it as described here (I used the second method): https://blog.pivotal.io/labs/labs/enabling-os-x-screen-sharing-from-the-command-line

  • by thanospc,

    thanospc Sep 7, 2016 1:18 AM in response to mephiz
    Level 1 (4 points)

    OK mephiz, so I'll do the upgrade to El Capitan, then I will buy the new server osx 5.1.7 and I will do the upgrade from 2.2.5, and then I'll renew the certificate.

  • by mephiz,

    mephiz Sep 7, 2016 1:24 AM in response to thanospc
    Level 1 (4 points)
    Servers Enterprise

    thanospc, basically yes. But I admit that this upgrade is risky. Depending on your current configuration and installed services and applications you may encounter various issues. So, you should be ready to return fully back.

  • by thanospc,

    thanospc Sep 7, 2016 1:28 AM in response to mephiz
    Level 1 (4 points)

    Do you know how to fully back up all the users and the iPad database?

  • by mephiz,

    mephiz Sep 7, 2016 1:42 AM in response to thanospc
    Level 1 (4 points)
    Servers Enterprise

    You can have full bootable system backup with this tool: http://www.shirt-pocket.com/SuperDuper

    In case of necessity you will be able to restore the whole system at once.

  • by thanospc,

    thanospc Sep 7, 2016 3:02 AM in response to mephiz
    Level 1 (4 points)

    OK mephiz, thanks a lot! I am very grateful for your help.