x509: cannot validate certificate for 17.110.227.92 because it doesn't contain any IP SANs

[alecthomas]

Hi there,

Trying to use this library against the production APNS servers results in the above error (Go 1.4, OSX Yosemite). Digging into it, this appears to be a possibly overly-aggressive check by crypto/tls for IP addresses in the server certificate. openssl s_client works fine with the same inputs.

I'm not sure what the solution is, but a hack to work around it is to enable InsecureSkipVerify. Needless to say, this is not ideal.

Have you (or anyone else) seen this?

Alec

[freeeve]

+1. I'm still in dev sandbox mode but I just added InsecureSkipVerify myself to get it to work.

[ghost]

Just got a chance to check it out, confirmed as well on 1.4 OSX.

[ghost]

Is this still happening for you all? I just sent a few notifications through successfully and can't seem to replicate the problem anymore.

Happy to investigate further, just let me know!

[CallMeRo]

I just get this problem again, the message is "x509: certificate signed by unknown authority (possibly because of "x509: invalid signature: ........")" . I test with ips[17.110.226.164 ,17.172.232.18 ,17.172.232.45 ],they don't work. I use go 1.6 on linux 2.6. With "enable InsecureSkipVerify" , it works.