**Current status:** Connecting to APNS requires the GeoTrust Global CA certificate which was removed from ca-certificates in recently published version 20200601~deb10u1. We currently have the package pinned to previous version 20190110 in the Blubberfile. A change reverting the removal of the certificate was merged but a new version has not yet been published. We should monitor the upstream bug and use the fixed version when it's available.
---
**Original bug:**
I've updated the push notifications service in the Beta Cluster (on deployment-push-notifications01) with the commit adding APNS support, and configured it with the `push-toolforge.p12` certificate and `production: true` for testing with the push-notifications-helper tool as described in src/outgoing/apns/readme.md.
Problem: Requests to APNS fail with the following response:
```
{
"sent": [],
"failed": [
{
"device": <device token>,
"error": {
"jse_shortmsg": "stream ended unexpectedly",
"jse_info": {},
"message": "stream ended unexpectedly"
}
}
]
}
```
The Beta Cluster push service can be tested locally by SSH'ing into deployment-push-notifications01 and forwarding port 8900:
```
ssh -L 8900:localhost:8900 deployment-push-notifications01.deployment-prep.eqiad1.wikimedia.cloud
```