Apache | PHP: APNs service unavailable after upgrade

Source: Internet  Published: Android Source Code Analysis Notes  Editor: 程序博客网  Time: 2024/05/01 20:01

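For security reasons we upgraded Apache and PHP: Apache from apache-2.4.10 to apache-2.4.20, and PHP from 5.6.0 to 5.6.4. After the upgrade, errors started to appear. The error messages are as follows: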

[Tue Apr 19 12:17:14.520250 2016] [:error] [pid 17766:tid 1303021888] PHP Warning:  stream_socket_client(): Failed to enable crypto in /opt/app/apache-2.4.20/htdocs/iossender/apns/lib/APNotification.class.php on line 278

[Tue Apr 19 12:17:14.520349 2016] [:error] [pid 17766:tid 1303021888] PHP Warning:  stream_socket_client(): unable to connect to ssl://gateway.push.apple.com:2195 (Unknown error) in /opt/app/apache-2.4.20/htdocs/iossender/apns/lib/APNotification.class.php on line 278
[Tue Apr 19 12:17:29.451896 2016] [proxy:error] [pid 17795:tid 1240271168] (70007)The timeout specified has expired: AH00957: HTTP: attempt to connect to 211.136.93.48:80 (*) failed
[Tue Apr 19 12:17:29.451984 2016] [proxy_http:error] [pid 17795:tid 1240271168]  AH01114: HTTP: failed to make connection to backend: 211.136.93.48
[Tue Apr 19 12:17:31.330882 2016] [proxy:error] [pid 17795:tid 1145862464] (70007)The timeout specified has expired: AH00957: HTTP: attempt to connect to 211.136.93.48:80 (*) failed
[Tue Apr 19 12:17:31.330921 2016] [proxy_http:error] [pid 17795:tid 1145862464] AH01114: HTTP: failed to make connection to backend: 211.136.93.48
[Tue Apr 19 12:17:33.456868 2016] [proxy:error] [pid 17686:tid 1336916288] (70007)The timeout specified has expired: AH00957: HTTP: attempt to connect to 211.136.93.48:80 (*) failed
[Tue Apr 19 12:17:33.456938 2016] [proxy_http:error] [pid 17686:tid 1336916288] AH01114: HTTP: failed to make connection to backend: 211.136.93.48
[Tue Apr 19 12:17:52.795618 2016] [proxy:error] [pid 17686:tid 1200548160] (70007)The timeout specified has expired: AH00957: HTTP: attempt to connect to 211.136.93.48:80 (*) failed



Solution:

1. Download the CA verification certificate: https://www.entrust.net/downloads/binary/entrust_ssl_ca.cer

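This certificate is accessed for verification every time a message is sent to Apple's servers; if it exists locally, there is no need to fetch it from the remote side.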

2. Modify config.inc.php to load the CA certificate

    define('CHECK_CA', CONFIG.'entrust_2048_ca.cer');

3. Modify the calling code
<pre name="code" class="php">
<?php
// config
require (dirname(__FILE__) . '/config/config.inc.php');

$request = Request::getRequest();
$output = new Response();
try {
    // ...
    // Notification
    $notification = new APNotification(APNS_ENV);
    $notification->setPrivateKey(APNS_KEY);
    // Added line: pass the local CA file to the notification object
    $notification->setCheckCa(CHECK_CA);
    // ...
    $notification->send();
} catch (Exception $e) {
    $code = $e->getCode();
    $output->code = empty($code) ? 999 : $code;
    $output->msg = $e->getMessage();
}
echo $output->getResponse();
</pre>


4. Modify the sending code
<pre name="code" class="php">
public function send()
{
    // ...
    // Added lines: use the configured CA file to verify the server certificate
    if ($this->_check_ca != '') {
        stream_context_set_option($streamContext, 'ssl', 'cafile', $this->_check_ca);
    }
    // ...
}
</pre>


------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------


Creating your APN-cert-and-key:

Run Keychain Access; select "login" Keychain and "My Certificates" category
Select the certificate with the name format of "Apple Development IOS Push Services: ..."
Export the certificate (in the menu, under "File" .. "Export Items")
Export to .p12 format. 
This now contains your certificate and private key in an encrypted interchange format. The next step is to convert it to a passphrase protected .pem file
Using terminal, execute the following command (using your own filenames, of course):


openssl pkcs12 -in PushCertKey.p12 -out PushCertKey.pem 

(You will need to enter the password for the .p12 file and provide another passphrase for the .pem file.)

If you really really really don't want a passphrase on the .pem file, try:

openssl pkcs12 -in PushCertKey.p12 -out PushCertKeyNoCrypt.pem -nodes 



Creating CA Certificate file:

Run Keychain Access application
Go to System Roots
Export the certificate named "Entrust.net Certification Authority (2048)" to a .pem file.

Note: My Roots container has four Entrust certificates; two of them with the name "Entrust.net Certification Authority (2048)" (but with different certificate extensions, via Get Info). Both of the "Entrust.net Certification Authority (2048)" certificates were effective in validating the trust chain; the other two Entrust certificates did not work. More significantly, the Entrust certificate pointed at by the Apple TechNote 2265 also does not work.

Make sure you export to .pem format; the default is .cer and this step is easy to miss.
Run the verification command:

openssl s_client -connect gateway.sandbox.push.apple.com:2195 -cert PushCertKey.pem -debug -showcerts -CAfile "Entrust.net Certification Authority (2048).pem" 
This server and process assume that you are connecting to Apple's Dev sandbox APN server; if you are trying to use the production APN server, you will need to use the correct server and port.

For more information on openssl, I suggest the following pages:

http://www.madboa.com/geek/openssl/
http://www.sslshopper.com/article-most-common-openssl-commands.html
http://gagravarr.org/writing/openssl-certs/general.shtml
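
The .cer-versus-.pem pitfall and the "wrong root does not validate" observation above, as an added shell example that is not part of the original post. It converts a DER-encoded .cer into the PEM form that PHP's `cafile` option and `openssl -CAfile` expect, then checks which root actually validates a chain. The roots, the leaf certificate, the host name and all file and function names are constructed stand-ins, not Entrust or Apple material.

```shell
#!/usr/bin/env bash
# Added example. All certificates are constructed throwaway test material:
# "Root A"/"Root B" stand in for candidate roots, "leaf" for the server cert.

# Print pem, der or unknown for a certificate file.
cert_format() {
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null; then echo pem
    elif openssl x509 -in "$1" -inform DER -noout 2>/dev/null; then echo der
    else echo unknown; fi
}

# Write a PEM copy of certificate $1 to $2, converting from DER if needed.
to_pem() {
    case "$(cert_format "$1")" in
        pem) openssl x509 -in "$1" -out "$2" ;;
        der) openssl x509 -in "$1" -inform DER -out "$2" ;;
        *)   echo "not a certificate: $1" >&2; return 1 ;;
    esac
}

# Succeed only if certificate $2 chains to a root in the PEM CA file $1.
chain_ok() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Create the constructed fixture in directory $1: two roots, a leaf signed by root A.
make_fixture() {
    local d="$1" r
    for r in A B; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
            -subj "/CN=Constructed Root $r" \
            -keyout "$d/root$r.key" -out "$d/root$r.pem" 2>/dev/null || return 1
    done
    openssl req -newkey rsa:2048 -nodes -subj "/CN=gateway.example.test" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/rootA.pem" -CAkey "$d/rootA.key" \
        -CAcreateserial -days 2 -out "$d/leaf.pem" 2>/dev/null || return 1
    # A DER-encoded copy of root A, the binary form a .cer file often has.
    openssl x509 -in "$d/rootA.pem" -outform DER -out "$d/rootA.cer"
}

work=$(mktemp -d)
make_fixture "$work" && to_pem "$work/rootA.cer" "$work/ca.pem"
echo "rootA.cer is $(cert_format "$work/rootA.cer"), ca.pem is $(cert_format "$work/ca.pem")"
chain_ok "$work/ca.pem"    "$work/leaf.pem" && echo "converted root A: chain verifies"
chain_ok "$work/rootB.pem" "$work/leaf.pem" || echo "root B: chain does not verify"
rm -rf "$work"
```

Running `cert_format` on the downloaded or exported CA file before pointing `CHECK_CA` at it shows whether a conversion with `to_pem` is needed first.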



