Saturday, October 08, 2016

Azure VPN Client: A certificate chain processed, but terminated in a root certificate Issue after Windows 10 Upgrade


I recently upgraded my Windows OS to the Windows 10 Anniversary edition, and right after doing that I started to get the following error when connecting to the VPN. I have downloaded the same VPN client.

A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.

Yes, we know your certs were going fine until a moment ago, and I am not sure why I got myself into this situation, but you should be able to fix this in a matter of 1/2 hr or less.

Fix or Workaround

I was able to get around this issue by simply re-generating the root certificate, then generating a client certificate, and then exporting the full public and private key pair files to the Azure portal for your private network.

After you do so, you can have the portal regenerate the VPN client software, which you can then download and install.

You can follow the Self Signed Certificate Steps on the Azure web site to generate the Root and also Client certificates.

Some Points to Note: You will have to deal with two and a half certificates:

1. The Root certificate.
1.5 The public part of the root certificate, which you will upload to Azure. Actually, you can paste the hex number part of the cert directly into the Azure console.
2. The Client certificate that you derive from the root certificate. This does not get uploaded to Azure, but it has to be given to each user. If you need to be able to revoke people individually (i.e., off-boarding an employee), generate one per user.
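
The three pieces in the list above, as an added example that is not from this post or the Azure steps: it uses OpenSSL from a shell instead of the Windows tooling, and every name in it (P2SRootCert, alice, bob, p2s.cnf) is illustrative. It also shows that a client certificate issued under an old root does not validate against a regenerated root, even when the root keeps the same name.

```shell
#!/usr/bin/env bash
# Added example: root, its public part, and per-user client certificates,
# built with OpenSSL. Every name here (P2SRootCert, alice, bob) is illustrative.
set -eu

# 1. Root certificate: a self-signed CA. Its .key file stays with you.
make_root() {  # make_root <dir> <root-name>
cat > "$1/p2s.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = P2SRootCert
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign
[client]
extendedKeyUsage = clientAuth
EOF
  openssl req -x509 -config "$1/p2s.cnf" -newkey rsa:2048 -nodes -sha256 \
    -days 365 -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# 1.5 Public part of the root: the certificate body, no private key material.
root_public_part() {  # root_public_part <root.pem>
  grep -v '^-----' "$1" | tr -d '\n'
}

# 2. Client certificate signed by the root, one per user.
issue_client() {  # issue_client <dir> <root-name> <user>
  openssl req -new -config "$1/p2s.cnf" -subj "/CN=$3" -newkey rsa:2048 \
    -nodes -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null
  openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
    -set_serial "0x$(openssl rand -hex 8)" -sha256 -days 365 \
    -extfile "$1/p2s.cnf" -extensions client -out "$1/$3.pem" 2>/dev/null
}

# True only when the client certificate's chain ends in the given root.
chain_ok() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

d=$(mktemp -d)   # throwaway demo directory
make_root "$d" root-old; issue_client "$d" root-old alice
make_root "$d" root-new; issue_client "$d" root-new bob
chain_ok "$d/root-new.pem" "$d/bob.pem"   && echo "bob: chains to root-new"
chain_ok "$d/root-new.pem" "$d/alice.pem" || echo "alice: root-new did not sign this"
echo "public part of root-new: $(root_public_part "$d/root-new.pem")"
```

Because each user gets a separate certificate and key, one person's certificate can be revoked without touching the root or the other users.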

Do Not Go Down These Paths

  • There is no need to discard the original certificate pair you have uploaded. You can simply upload your new certificate alongside it. Discarding the original may break other VPN users who are relying on the current certificates. Both certificates are good.
  • More importantly, there is no need to re-do the private network.
  • You can use either the Classic or the Resource Manager model, so use the model that you are familiar with. It is all about uploading the proper certificates.
  • Do not do the "extract the cert using RAR" stuff. The self-signed root certificates are just not right for your situation, so extracting and manually installing them won't do jack.

Saturday, October 01, 2016

XCODE-8 Missing Push Notification Entitlement Issue


You had a perfectly working iOS App build on XCODE 7. Now you have upgraded to XCODE 8, and when you push the build to iTunes Connect, you get the following message back.

Dear developer,
We have discovered one or more issues with your recent delivery for "BodyMapSnap". Your delivery was successful, but you may wish to correct the following issues in your next delivery:
Missing Push Notification Entitlement - Your app includes an API for Apple's Push Notification service, but the aps-environment entitlement is missing from the app's signature. To resolve this, make sure your App ID is enabled for push notification in the Provisioning Portal. Then, sign your app with a distribution provisioning profile that includes the aps-environment entitlement. This will create the correct signature, and you can resubmit your app. See "Provisioning and Development" in the Local and Push Notification Programming Guide for more information. If your app does not use the Apple Push Notification service, no action is required. You may remove the API from future submissions to stop this warning. If you use a third-party framework, you may need to contact the developer for information on removing the API.
After you’ve corrected the issues, you can use Xcode or Application Loader to upload a new binary to iTunes Connect.
The App Store team

You checked many times that you had the correct provisioning profile and such.

Root Cause

If you had a good build before then XCODE has likely broken your build.

The Fix

Try these fixes first, before you go down any other route. Do not muck with your provisioning profile, either locally or on the developer provisioning portal, let alone generate a new set of keys, as none of that will do anything until this is fixed.

In your XCODE project, find the Capabilities tab, then scroll down a bit to where it says Push Notifications. It is very likely that this is now in red and offers to fix itself. Basically, pressing the "Fix Issues" button will fix this, and that's all.

If You Have Fiddled With It Too Much and You Do Not See the Fix Issues Button

We went down so many wrong routes that we did quite a number of bad things to the project files.
I will now provide some recovery information to get the Fix button back.

Check to make sure that the .entitlements file is not present in your project root directory. For us it is BodyMapSnap.entitlements, and lack of this file is the root cause of this. You should delete that file.

Next, check .xcodeproj/project.pbxproj; in our case this was BodyMapSnap.xcodeproj/project.pbxproj.

Using the editing feature of XCODE, locate CODE_SIGN_ENTITLEMENTS in the above file, which should point to the .entitlements file. If you delete the whole line, you can get back the "Fix Issues" button under the Capabilities tab. Press that button again, then Archive and push to iTunes Connect.
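
A quick way to see which of the states described above a project is in, as an added example that is not from the original post: the script reads CODE_SIGN_ENTITLEMENTS out of project.pbxproj and checks whether the file it names exists and carries the aps-environment key from Apple's message. The sample project is constructed, the name App and the status strings are made up, and resolving the path against the project root is an assumption.

```shell
#!/usr/bin/env bash
# Added example: report how a project's push entitlement is wired up.
set -eu

# Print each distinct file named by a CODE_SIGN_ENTITLEMENTS build setting.
entitlement_refs() {  # entitlement_refs <project.pbxproj>
  sed -n 's/^[[:space:]]*CODE_SIGN_ENTITLEMENTS = "\{0,1\}\([^";]*\)"\{0,1\};.*$/\1/p' "$1" | sort -u
}

check_push_entitlement() {  # check_push_entitlement <project-root> <project.pbxproj>
  local root="$1" pbx="$2" refs ref
  refs=$(entitlement_refs "$pbx")
  if [ -z "$refs" ]; then
    echo "no-reference"   # per the post, the state where the fix button returns
    return 0
  fi
  while IFS= read -r ref; do
    if [ ! -f "$root/$ref" ]; then
      echo "missing-file: $ref"          # setting points at a file that is gone
    elif grep -q '<key>aps-environment</key>' "$root/$ref"; then
      echo "ok: $ref"                    # signature will carry aps-environment
    else
      echo "no-aps-environment: $ref"    # file exists but lacks the push key
    fi
  done <<EOF
$refs
EOF
}

# Constructed sample project (assumed layout, not the real BodyMapSnap files).
demo=$(mktemp -d)
mkdir -p "$demo/App.xcodeproj"
pbx="$demo/App.xcodeproj/project.pbxproj"
printf '\t\t\t\tPRODUCT_NAME = App;\n' > "$pbx"
check_push_entitlement "$demo" "$pbx"
printf '\t\t\t\tCODE_SIGN_ENTITLEMENTS = App.entitlements;\n' >> "$pbx"
check_push_entitlement "$demo" "$pbx"
printf '<plist><dict><key>aps-environment</key><string>development</string></dict></plist>\n' \
  > "$demo/App.entitlements"
check_push_entitlement "$demo" "$pbx"
```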

The following Source Tree GIT Diffs show you the types of files and file modifications XCODE makes after you press the Fix Issues button.