I have been successfully testing sending push notifications to Apple devices using SNS, currently in Xcode with the APNS_SANDBOX.
We are now ready to move to production and are having an absolute nightmare getting the certificates set up properly on the APNS (Production) application endpoint.
I am following the same process we followed during development and have consulted several guides.
Each time we try to send a push notification to a device we get the following failure notification:
{"DeliveryAttempts":1,"EndpointArn":"arn:aws:sns:eu-west-1:123456789:endpoint/APNS/Name/e591d1a1-8db3-3382-8091-ab1a3cb3cac5","EventType":"DeliveryFailure","FailureMessage":"Endpoint is disabled","FailureType":"EndpointDisabled","MessageId":"08a70f95-773c-58fb-a6f9-5df1650eeb19","Resource":"arn:aws:sns:eu-west-1:123456789:app/APNS/Name","Service":"SNS","Time":"2017-10-20T15:02:10.824Z"}
I understand this can relate to several issues but is likely a problem with the certificate uploaded to SNS.
The process we have followed:
From Apple Developer website visit navigate to Certificates, IDs & Profiles > Identifiers > App IDs
Create a new App ID and enable the Push Notifications service.
Click Create a new Production SSL certificate, then create a new CSR file in the local keychain on Mac, upload it to Developer site (during the certificate generation process) then download the generated .cer file.
Double click the .cer file to add it to the Keychain on mac.
At this point we have consulted http://docs.aws.amazon.com/sns/latest/dg/mobile-push-apns.html documentation which suggests running the following command:
openssl x509 -in myapnsappcert.cer -inform DER -out myapnsappcert.pem
Back inside Keychain select Keys, highlight the apps private key and export it the .p12 file.
Back in the command prompt run the following command as per the AWS docs: openssl pkcs12 -in myapnsappprivatekey.p12 -out myapnsappprivatekey.pem -nodes -clcerts to generate another .pem file.
Amazon goes on to say:
The newly created .pem file will be used to configure Amazon SNS for sending mobile push notification messages.
This leads me to believe the docs are outdated as uploading the .pem file to the SNS APNS Applications credentials manager returns an error stating that it cannot read the file.
According to the SNS credentials manager for the APNS Application, it only accepts the .p12 file... if that is the case, why the need to create the final .pem file? This step still required? Have I missed a step?
I uploaded the final .p12 file anyway, but obviously, it does not work.
I appreciate there are other questions similar to this but the answers are so broad that there are no real solutions other than trial and error. I believe my issue is specifically related to incorrectly generated certificates, or a step is missing out of the process.
I guess I am reaching out to anybody who has done this recently who can clarify the steps involved.
Thanks
After a lot of trial and error, i've managed to get it working. I'm not sure if AWS docs are outdated but they are certainly over kill.
Here goes:
From Apple Developer website visit navigate to Certificates, IDs & Profiles > Identifiers > App IDs
Create a new App ID and enable the Push Notifications service.
Click Create a new Production SSL certificate, then create a new CSR file in the local keychain on Mac, upload it to Developer site (during the certificate generation process) then download the generated .cer file.
Double click the .cer file to add it to the Keychain on mac.
Open Keychain, select 'My Certificates' highlight the certificate that got added in step 3, probably starts with 'Apple Push Services'.
Right-click the cert and export it (extension is .p12). If it asks you to set a password you can leave blank.
In AWS SNS, navigate into Applications, click into your APNS application (or add a new application). Under 'platform application actions' click update credentials and upload your exported .p12 file.
Finally, click 'Load credentials from file' and update to exit the application settings.
Enjoy push notifications in your app.
This worked for me, I'm not sure why AWS docs suggest the commands to convert files, it looks like they're not necessary and have caused great confusion.
Hope this else somebody.
Related
I have integrated aws amplify into and android app by following https://docs.amplify.aws/lib/q/platform/android in my mac book pro.
Now I check-out the same project into another machine mac mini. and trying to run.
I am getting this error, not sure how to fix it.
AmplifyException {message=Failure performing sync query to AppSync: [GraphQLResponse.Error{message='You are not authorized to make this call.'
tried, amplify pull, amplify configure, amplify init. but none are able to resolve this issue.
thanks in advance
Initially, you will see your graphql in Network tab failed because of Authorization.
"My case is App Sync API key is expried. – Freddie Jun 26"
This is the answer, go to Appsync / Settings / API keys.
You will see the "red" key. That means it has expired.
You just need to create a new key. Then replace this new key for appsync api inside your aws-exports.js under name aws_appsync_apiKey
If you have resolved this, I'll just leave it here so someone else can see it.
Ah! Great news, you can simply edit the date (no need to make a new one).
It's just that the default is one week.
Go to your ordinary, full, normal AWS console. GO to "aws appsync".
Then ..
If your token expired (here I'm talking about a token that was living its max 365 days and has expired) and you by any chance are publishing your application to AWS using amplify, you will need to add new token to application (simply changing it in awsexports would not be enough). To do it you must:
Find the file amplify/backend/<your_app_name>/parameters.json and there add two lines (this might be just CreateAPIKey but I've tested just one method found in this github issue and it worked).
"APIKeyExpirationEpoch": -1,
"CreateAPIKey": -1
Run amplify push. This should delete the old token. But you will be better off checking it yourself in Appsync/settings/api keys. If you have no tokens there, then you are good to go.
Go back to parameters.json file and remove our parameters (APIKeyExpirationEpoch and CreateAPIKey).
Run amplify update api. Choose your api (mine was Graphql). Choose update auth settings. Choose your default authorization method (mine Api key). Enter description for your api key and add the ttl for your api key (default is 7 so I suggest changing this one). Don't configure additional auth types.
You should get success message at the end. Now do amplify push. After a while the command should return success message and you are good to go. To double check you can verify token in your appsync. There should be one token only. Alson you can check the api calls for x-api-key value in header which should hold your new token.
After sending a new build to the app store, the push notifications for my app are no longer working. During the build, expo made a new APNS certificate, and now when I try to push a notification to users, I get the following error message.
"'{"errorMessage":"Invalid
Credentials","channelType":"APNS","pushProviderStatusCode":"403","pushProviderError":"InvalidProviderToken","pushProviderResponse":"{\"reason\":\"InvalidProviderToken\"}"}'"
I get the same error message when attempting to send myself a notification through the AWS Console. I tried to update my push notification credentials on expo, but get a similar error:
? Path to P8 file: /Users/REDACTED/Downloads/AuthKey_D3QREDACTED-1.p8
? Key ID: REDACTED ? Apple Team ID: REDACTED Unable to validate Push
Keys due to insufficient Apple Credentials
I tried following every thread I could find online about the error and verified that I had the right Team ID and Key ID, but it still does not work.
Happy to provide more info if needed, and thank you for your help
I just had to regenerate a new .p8 file and upload it to AWS pinpoint
I had this issue recently, and no matter how many times I tired to "Edit" the APNs configuration it would not work. Eventually I just removed APNs setting from PinPoint, saved it, and then set it up again fresh.
Now it works.
I have written a simple c++ code which add certificate into "MY" store. I tested the code, it's working. I would want to run this application as windows service based.
So, I've created a new service in windows which will read certificate from file system and insert into local "MY" store.
Also I created a log file, when I ran my service log file says certificate successfully inserted into "MY" store but I unable to find certificate in "MY" known as Personal store.
Is there any access permission of current user "MY" Store when an application runs as windows service? If no, then what could be the reason for this?
We have been using Amazon SNS to send Android push notifications since April this year.
Pushes have sent with no problem, however there has never been any record of calls to the Cloud Messaging API in the Cloud Console (seems odd?).
Today I created a new API key for the Static Map service (unrelated) and renamed our Cloud Messaging API key (only the name, the key is the same). From this point no pushes have been sent, and trying to create a new platform application (or update the existing one) in AWS results in:
Invalid parameter: Attributes Reason: Platform credentials are invalid (Service: AmazonSNS; Status Code: 400; Error Code: InvalidParameter; Request ID:)
I have also tried manually making calls to the https://gcm-http.googleapis.com/gcm/send endpoint using the key which results in Unauthorized (401).
Interestingly, I can make calls to the above endpoint using the key I created today, however they fail on MismatchSenderId.
I can't see a lot of the previous options that the Cloud Console had (server / browser keys, etc) within the API Manager?
For those who are facing this in 2017, here goes a tip:
1 - Go to your firebase console (https://console.firebase.google.com/) click on your project (which you want to use for push notifications)
2 - Click on the "three dots" on the right side of your project name and click on "Settings"
3 - Click on "CLOUD MESSAGING" on the header tabs
4 - Copy the "Server Key" (this one is bigger than your API key)
5 - Paste on the "API Key" input of the AWS Form for "Create platform application"
PS: Note that this is valid only for GCM Push Notifications.
API Key management for GCM has been moved to Firebase Console.
You can create a new Firebase Project (or import an existing cloud project) and you should obtain a new Server Key for Cloud Messaging.
see the updated documentation:
https://developers.google.com/cloud-messaging/android/client#create-an-api-project
and the stack overflow question: Where can I find the API KEY for Firebase Cloud Messaging?
if you still have problems please contact:
https://firebase.google.com/support/contact/troubleshooting
I have been getting the same error when creating Amazon SNS platform application:
Invalid parameter: Attributes Reason: Platform credentials are invalid (Service: AmazonSNS; Status Code: 400; Error Code: InvalidParameter; Request ID:)
After reaching out to the Firebase support as suggested by Diego, this is the response I got from Google:
Hope you're doing well and thanks for reaching out to us.
I'm not really familiar with Amazon SNS and looks like their integration is still with GCM, not FCM. If your app implementation is still GCM, then you need to migrate with FCM in order to use the server key in the console. See the instructions here.
Also, Firebase has upgraded the server keys to a new version. We'd recommend to use the server key instead of the legacy server key.
I hope this helps. Let me know if you have any other concerns. Thank you.
This indicates that we'll have to change our app code. We were able to make this work for another app in out organization by creating a new firebase project and using the Legacy server key with Amazon SNS.
At some point we'll definitely upgrade to using FCM but at the moment we have a tight deadline.
Update:
So finally what worked for us is using the 'Server Key' under Project Settings --> Cloud Messaging . The app still uses the GCM implementation. Amazon SNS is happy with this key and generated a GCM platform push application. The pushes work !
Still confused about why the 'Legacy Server Key' does not work for one app but is ok for the other. But I am not digging into it any further.
For those starting a new project and wondering why it is still invalid, make sure the application Key restriction is set to Android apps. In my case, it was at only set to None and when I switched to Android apps, it worked after 5 to 10min after updating it. You'll need to add your package name and SHA-1 certificate fingerprint.
I've gone through all the prereqs on Google's site.
Got and installed a SSL cert (from Let's Encrypt) on server.
Registered and verified the domain (yes, the https url) on Google Search Console (like https://example.org).
Added to the domain to my API Credential's Domain Verification.
topic='projects/myproject/subscriptions/mytopic'
sub='projecs/myproject/subscription/mysub'
client.projects().topics().create(topic=topic, body={}).execute()
client.projects().subscriptions().create(name=sub, body={'topic': topic, 'pushConfig': {'pushEndpoint': 'https://example.org/push-handler'}})
And I get back:
googleapiclient.errors.HttpError: https://pubsub.googleapis.com/v1/projects/myproject/subscriptions/mysub?alt=json returned "Invalid push endpoint given (endpoint=https://example.org/push-handler). Refer to https://cloud.google.com/pubsub/subscriber#create for more information.">
Also, I'm unable to create subscriptions from Google's Pub/Sub developer console. When I try, I get back a "Subscription cannot be added" notification. I am the full owner of this topic and project, with read and write permissions. I'm able to add pull subscriptions with no problem.
Any ideas on why? It seems like I'm not the only one hitting this.
Figured it out. I included the protocol (https://example.org) in the domain verification, instead of just example.org. It would have been nice of the domain verification tool provided some validation preventing this.
https://console.developers.google.com/apis/credentials/domainverification