Mobile devices not receiving Push Notifications from the JSS

NickKoval
Contributor

I'm having issues getting our JSS to contact the APN (Apple Push Notification) Server. Devices can enroll into our JSS without error. Once enrolled, mobile devices are not being updated, nor are push notifications received by the device. Port 2195 between our JSS and the APN servers (gateway.push.apple.com) is open, as is port 5223 between the mobile device and the APN servers.

After poking around JAMF Nation, I stumbled on the following log file:
/usr/local/jss/logs/JAMFSoftwareServer.log

The log has a number of the following two error messages corresponding to the date and time of enrollment and manual inventory update requests:
<DATE> <TIME> [ERROR] [PushNotificationUtility ] - Error Creating And Sending Push Notification Received Fatal alert: decrypt_error
<DATE> <TIME> [ERROR] [PushNotificationUtility ] - Error sending push notification to device <DEVICE'S UDID>:javax.net.ssl.SSLHandshakeException: Received fatal alert: decrypt_error

Based on this error message, I'm guessing the issue is between our JSS and the APN server. Our JSS is running on Linux 2.6.18-274.18.1.e15. Our PKI certificate is self-signed and was created by the JSS when it was installed and configured. It is not expired. Our APN Certificate is brand new, was successfully downloaded from identity.apple.com/pushcert and according to the JSS was installed correctly.

Any advice on resolving this error is most welcome. Thanks.

UPDATE: Still not working.
On a hunch, I remembered that we had to reset our local certificate to resolve an invalid profile error (see: https://jamfnation.jamfsoftware.com/article.html?id=192). Because that requires resetting the local CA information, I recreated the push notification certificate using the new data in the JSS. After getting confirmation that the certificate was in the JSS, I removed all the mobile devices, removed the profiles from my device and re-enrolled the devices.

My log now lists the following warning and error messages in addition to the two previous ones:
<DATE> <TIME> [WARN ] [CSRResponse ] - Exception attempting to read generated APNS Cert: null
<DATE> <TIME> [ERROR] [PushNotificationUtility ] - Could not add UDID: <DEVICE'S UDID>

RESOLVED: The issue was with the keystore for the Certificates. I had to generate a new .p12 file and upload it to the server (remember to click Apply) and then switch back to the built-in certificate or your purchased certificate. By changing the .p12 file, it recreates the keystore and resolves the issue. Thanks JAMF Support for the assist.

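Added example (not part of the original post and not JAMF code): a small triage script that scans a JSS server log for the push-related messages quoted above, counts the TLS alerts, and lists the affected devices. The timestamp layout, the UDID and the function name `triage` are assumptions made for the sample; the hint texts are suggestions in line with the keystore fix described in the post.

```python
import re

# Constructed sample lines modelled on the messages quoted in the post.
# The timestamp layout and the UDID are made-up placeholders.
SAMPLE_LOG = """\
2012-06-01 10:15:02,113 [ERROR] [PushNotificationUtility ] - Error Creating And Sending Push Notification Received Fatal alert: decrypt_error
2012-06-01 10:15:02,120 [ERROR] [PushNotificationUtility ] - Error sending push notification to device 0000aaaa1111bbbb:javax.net.ssl.SSLHandshakeException: Received fatal alert: decrypt_error
2012-06-01 10:20:44,902 [WARN ] [CSRResponse ] - Exception attempting to read generated APNS Cert: null
2012-06-01 10:20:45,010 [ERROR] [PushNotificationUtility ] - Could not add UDID: 0000aaaa1111bbbb
2012-06-01 10:21:00,000 [INFO ] [SomeOtherComponent ] - unrelated line
"""

# "[LEVEL ] [Component ] - message", tolerating the padding inside the brackets.
ENTRY = re.compile(r"\[(?P<level>[A-Z]+)\s*\] \[(?P<comp>\w+)\s*\] - (?P<msg>.*)$")
ALERT = re.compile(r"fatal alert: (\w+)", re.IGNORECASE)
UDID = re.compile(r"(?:to device |Could not add UDID: )([0-9A-Fa-f-]+)")

def triage(text):
    """Summarise push-related WARN/ERROR entries from a JSS server log."""
    alerts, devices, cert_read_failures = {}, set(), 0
    for line in text.splitlines():
        m = ENTRY.search(line)
        if not m or m["level"] not in ("WARN", "ERROR"):
            continue
        if m["comp"] not in ("PushNotificationUtility", "CSRResponse"):
            continue
        msg = m["msg"]
        for name in ALERT.findall(msg):
            alerts[name.lower()] = alerts.get(name.lower(), 0) + 1
        devices.update(UDID.findall(msg))
        if m["comp"] == "CSRResponse" and "APNS Cert" in msg:
            cert_read_failures += 1
    hints = []
    if "decrypt_error" in alerts:
        # RFC 5246: decrypt_error means a handshake cryptographic operation
        # failed, e.g. a signature could not be verified.
        hints.append("TLS handshake signature check failed: confirm the keystore's "
                     "private key matches the installed push certificate")
    if cert_read_failures:
        hints.append("JSS could not read the generated APNs certificate: "
                     "re-check the uploaded .p12 / keystore")
    return {"alerts": alerts, "devices": sorted(devices),
            "cert_read_failures": cert_read_failures, "hints": hints}

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

To run it against a real server, pass the contents of /usr/local/jss/logs/JAMFSoftwareServer.log to `triage` instead of `SAMPLE_LOG`.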