-
Aug 15, 2016 1:34 AM in response to antony2016 by joostvanriel, I'm having the same problem with 10.7.5 server. (two of them)
During the renewal I watched the Console and I think the SSL certificate of the Apple servers is no longer trusted.
(or the Server versions are too low)
Aug 15 10:23:08 login.********** servermgrd[23349]: Got connection error: Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo=0x7fb8f5aab9a0 {NSUnderlyingError=0x7fb8f15af450 "An SSL error has occurred and a secure connection to the server cannot be made.", NSErrorFailingURLStringKey=https://identity.apple.com/pushcert/caservice/renew, NSErrorFailingURLKey=https://identity.apple.com/pushcert/caservice/renew, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made.}
Aug 15 10:23:08 login.********** servermgrd[23349]: Request for push certificate failed: reason = Local, error code = -1200, error = Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo=0x7fb8f5aab9a0 {NSUnderlyingError=0x7fb8f15af450 "An SSL error has occurred and a secure connection to the server cannot be made.", NSErrorFailingURLStringKey=https://identity.apple.com/pushcert/caservice/renew, NSErrorFailingURLKey=https://identity.apple.com/pushcert/caservice/renew, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made.}
So not yet an idea, but hopefully with these console outputs we get somewhere?
-
Aug 15, 2016 2:19 AM in response to joostvanriel by joostvanriel, Maybe this will do the trick:
· check what certificate your notification service thinks it's using:
mymac:~ waider$ sudo serveradmin settings notification:sslKeyFile
notification:sslKeyFile="/etc/certificates/mymac.mydomain.com.BADBADBADBADBADBADBADBADBAD.concat.pem"
mymac:~ waider$ sudo serveradmin settings notification:sslCAFile
notification:sslCAFile="/etc/certificates/mymac.mydomain.com.BADBADBADBADBADBADBADBADBAD.chain.pem"
The Push Certificate is not corresponding with the SSL certificate.
-
Aug 23, 2016 4:40 AM in response to antony2016 by mephiz, I have exactly the same problem. OS X 10.8.5, Server 2.2.5. In the system.log I have the same errors as joostvanriel. Connection error Error Domain=NSURLErrorDomain, NSErrorFailingURLStringKey=https://identity.apple.com/pushcert/caservice/renew, NSErrorFailingURLKey=https://identity.apple.com/pushcert/caservice/renew, Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made."
It looks like this is a problem with the TLS 1.2 connection. Safari from the server machine also cannot connect to the specified URL manually because TLS 1.2 connections are not supported by that Safari version on 10.8.5. It looks like Apple identity servers require TLS 1.2, but OS X 10.8.5 doesn't support it.
So, I'm unsure the problem can be solved with anything on client side. No manipulations with certificates or Time Machine on the client can help as Apple certificate signing servers are simply unreachable. Apple must do something. Any Apple representative? I'm soon going to end up with no push notifications, terrible. Same problem reported here: local error -1200 push certificate - no solution.
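Added example, not part of any post in this thread: a Python sketch that extracts the NSURLError code and failing URL from servermgrd lines like those quoted above and, when run from a separate diagnostic host, checks which TLS versions an endpoint completes a handshake with. The sample log lines are constructed (shortened from the quoted output), and the function names `url_errors` and `handshake_ok` are illustrative.

```python
import re
import socket
import ssl
from collections import Counter

# Constructed sample, shortened from the servermgrd output quoted in the thread.
SAMPLE_LOG = (
    'Aug 15 10:23:08 host servermgrd[23349]: Got connection error: Error '
    'Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred" UserInfo=0x0 '
    '{NSErrorFailingURLKey=https://identity.apple.com/pushcert/caservice/renew}\n'
    'Aug 15 10:23:08 host servermgrd[23349]: Request for push certificate failed: '
    'reason = Local, error code = -1200, error = Error Domain=NSURLErrorDomain '
    'Code=-1200 "An SSL error has occurred" UserInfo=0x0 '
    '{NSErrorFailingURLKey=https://identity.apple.com/pushcert/caservice/renew}\n'
    'Aug 15 10:23:09 host servermgrd[23349]: unrelated message\n'
)

ERR_RE = re.compile(r"servermgrd\[\d+\]: .*?Error Domain=(\w+) Code=(-?\d+)")
URL_RE = re.compile(r"NSErrorFailingURLKey=(https?://[^,}\s]+)")


def url_errors(log_text):
    """Count servermgrd URL-loading errors per (domain, code, failing URL)."""
    counts = Counter()
    for line in log_text.splitlines():
        err = ERR_RE.search(line)
        if err:
            url = URL_RE.search(line)
            key = (err.group(1), int(err.group(2)), url.group(1) if url else None)
            counts[key] += 1
    return counts


def handshake_ok(host, version, port=443, timeout=5):
    """True if a certificate-verified handshake pinned to one TLS version completes."""
    try:
        ctx = ssl.create_default_context()
        ctx.minimum_version = ctx.maximum_version = version
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except (OSError, ValueError):  # TLS alert, refused/timeout, or version not built in
        return False


if __name__ == "__main__":
    for (domain, code, url), n in url_errors(SAMPLE_LOG).items():
        print(f"{n}x {domain} {code} {url}")
    # Needs network. A False for TLS 1.0 can also mean the local OpenSSL build
    # refuses legacy versions, so read it next to the TLS 1.2 result.
    for v in (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_2):
        print(v.name, handshake_ok("identity.apple.com", v))
```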
-
Sep 7, 2016 12:30 AM in response to mephiz by thanospc, I have the same problem on 10.8.5 and with server osx 2.2.5. I can't renew the apple push certificate anymore. Do we have any news or any solution about it?
-
Sep 7, 2016 12:48 AM in response to thanospc by mephiz, thanospc, no. I decided to spend the remaining time before the certificate expires to upgrade to El Capitan and solve the problems of upgrading if any. Basically, after the upgrade there were no major ones. Postfix and Apache required some minor tweaking though. Also, Postgresql stopped working for user created roles and tables, I had to install a separate instance with homebrew for that. (After the upgrade I renewed the push certificate, however somehow I had to use an alternative e-mail address connected to the same Apple ID as a login name to succeed. Otherwise there was an error (-1000... something). No re-enrollment for devices was necessary after that.)
-
Sep 7, 2016 12:51 AM in response to mephiz by thanospc, But I know that server osx 2.2.5 doesn't work on El Capitan. Did you download the server osx 5.1.7 version as well?
-
Sep 7, 2016 12:55 AM in response to thanospc by mephiz, Yes. The general procedure is 1) full backup, 2) OS upgrade, 3) Server.app upgrade.
-
Sep 7, 2016 12:58 AM in response to mephiz by thanospc, But if you download the new Server.app, don't you lose all the created users and the iPad in the database from the old server app?
-
Sep 7, 2016 1:10 AM in response to thanospc by mephiz, thanospc, users and most of the other configuration are preserved during OS and Server.app upgrade. However, after OS upgrade I lost connection to my headless Mac via Screen Sharing. I could restore it as described here (I used the second method): https://blog.pivotal.io/labs/labs/enabling-os-x-screen-sharing-from-the-command-line
-
Sep 7, 2016 1:18 AM in response to mephiz by thanospc, OK mephiz, so I'll do the upgrade to El Capitan, then I will buy the new server osx 5.1.7 and I will do the upgrade from 2.2.5, and then I'll renew the certificate.
-
Sep 7, 2016 1:24 AM in response to thanospc by mephiz, thanospc, basically yes. But I admit that this upgrade is risky. Depending on your current configuration and installed services and applications you may encounter various issues. So, you should be ready to return fully back.
-
Sep 7, 2016 1:28 AM in response to mephiz by thanospc, Do you know how to fully back up all the users and the iPad database?
-
Sep 7, 2016 1:42 AM in response to thanospc by mephiz, You can have a full bootable system backup with this tool: http://www.shirt-pocket.com/SuperDuper
In case of necessity you will be able to restore the whole system at once.
-
Sep 7, 2016 3:02 AM in response to mephiz by thanospc, Ok mephiz, thanks a lot! I am very grateful for your help.