**Current status:** Connecting to APNS requires the GeoTrust Global CA certificate, which was removed from ca-certificates in the recently published version 20200601~deb10u1. We currently have the package pinned to the previous version 20190110 in the Blubberfile. A change reverting the removal of the certificate was merged but a new version has not yet been published. We should monitor the upstream bug and use the newest version when it's available. If it's not yet published by the time we need to go to production, we should find an alternate solution, possibly https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=962596#43.
---
**Original bug:**
I've updated the push notifications service in the Beta Cluster (on deployment-push-notifications01) with the commit adding APNS support, and configured it with the `push-toolforge.p12` credentials file and `production: true` for testing with the push-notifications-helper tool as described in src/outgoing/apns/readme.md.
Problem: Requests to APNS fail with the following response:
```
{
  "sent": [],
  "failed": [
    {
      "device": <device token>,
      "error": {
        "jse_shortmsg": "stream ended unexpectedly",
        "jse_info": {},
        "message": "stream ended unexpectedly"
      }
    }
  ]
}
```
The Beta Cluster push service can be tested locally by SSH'ing into deployment-push-notifications01 and forwarding port 8900:
```
ssh -L 8900:localhost:8900 deployment-push-notifications01.deployment-prep.eqiad1.wikimedia.cloud
```