[Solved] Problem with push server `err=crypto/tls: failed to parse certificate PEM data`

Hi there,

we have set up a mattermost server and a server for the push-service. We followed the documentation, but when we try to fire up a push-message like this:
curl -X POST -H “Content-Type: application/json” -d ‘{ “message”:“test”, “badge”: 1, “platform”:“apple”, “server_id”:“de.xxxxxxx.Mattermost”, “device_id”:“000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF”}’

the log shows this error message:
ERROR Failed to send apple push sid=de.xxxxxxx.Mattermost did=000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF err=crypto/tls: failed to parse certificate PEM data

The Push config:

    "ListenAddress": ":8066",
    "ApplePushServer": "gateway.push.apple.com:2195",
    "ApplePushCertPublic": "/opt/matterpush/bin/MattermostPushPrivatePem_new.pem",
    "ApplePushCertPrivate": "/opt/matterpush/bin/MattermostPushPrivatePem_new.pem",
    "ThrottlePerSec": 100,
    "ThrottleMemoryStoreSize": 10000,
    "ThrottleVaryByHeader": "X-Forwarded-For"

We verified the certificate ok:

root@08786a57720f:/opt/matterpush/bin# openssl verify MattermostPushPrivatePem_new.pem 
MattermostPushPrivatePem_new.pem: OK

Any ideas?


The public and private cert files look like they are the same file? typically the public cert is something like publickey.cer and the private one is privatekey.pem


thanks for the quick answer, but this was one of our desperate moves to get the server running.
At first, we tried to use separate files, but later, we created a *.pem with both keys in it just to give it a try.
But the error message is always the same, even if you use filenames that don’t exist!

any other hints?

@pstiffel Have you checked that your push-proxy is running under a user that can read the files correctly and that your file/folder permissions are correct?

There should also be one key per file, one for public and one for private I don’t believe they should be combined.

Hi there,

we double-checked the permissions. The push-proxy is running in a container as root-user, and the certs belong to the root-user, so there shouldn’t be any permission problems…

Any other hints?


After checking with the latest version of the push server, the certificate errors are gone :facepalm:

Thanks to all for their effort.