APNS certificate issue: [Cannot build push service provider: x509: unhandled critical extension] on new production certificate

[Hans]

Hi,

(uniqush 1.5.1 on debian)

maybe a kind soul can help me out.

I have been unable to activate a new apns certificate. 

when I run 

curl "http://xxxx:9898/addpsp?service=xxxx&pushservicetype=apns&cert=xxxCert.pem&key=xxxKey-noenc.pem&sandbox=false&skipverify=true"

I get: 

"Cannot build push service provider: x509: unhandled critical extension"

The cert is brand new from the apple web site (and has had all the nasty re-wrapping needed)

It does have some new stuff:

when I do a diff between the certificate dumps (openssl x509 -in xxxCert.pem -noout -text), I see this:

36,37c36,37

<             X509v3 Basic Constraints:

---

>             X509v3 Basic Constraints: critical

53c53

<             X509v3 Key Usage:

---

>             X509v3 Key Usage: critical

55,57c55,57

<             X509v3 Extended Key Usage:

<                 TLS Web Client Authentication

<             1.2.840.113635.100.6.3.2:

---

>             X509v3 Extended Key Usage: critical

>                 Code Signing

>             1.2.840.113635.100.6.1.4: critical

That 'critical' stuff is new and seems the reason it chokes.

Any idea how to get that out of the way? 

testing the cert with openssl is a dead end, the old and the new cert give the same behaviour.

Kind regards,

Hans

[Hans]

by the way, there are 2 methods for exporting the cert:

1) via the certificate list (the most obvious), or 

2) via the app ID (hidden: go to edit, expand the notification stuff, and there download the cert)

option 1 gives the behaviour below, 2 doesn't. Option 2 works.

but still, it would be nice if uniqush wouldn't choke on it.

Hans