Intermittent TopicDisallowed Error with APNs

Hello,

I am encountering an intermittent TopicDisallowed error while using APNs and would like to ask for your assistance.

Environment:

  1. Authentication: We are using certificate-based authentication with APNs, where the PEM file is stored on the server to authenticate our requests.
  2. API: We are using the HTTP/2 API and calling the /3/device/<device_token> endpoint while passing the apns-topic in the request header.

Issue:

  • After renewing our APNs certificate, the new certificate mistakenly included an incorrect app bundle ID, resulting in a TopicDisallowed error.
  • We then issued a new certificate with the correct bundle ID and replaced it on our server before resuming remote push requests.
  • However, even after replacing the certificate, we are still intermittently receiving the TopicDisallowed error, while other requests successfully return a 200 OK response and deliver notifications to devices.
  • Over time, the frequency of TopicDisallowed responses has been decreasing, leading us to speculate that APNs might be caching responses and updating this cache over time.

Questions:

  1. Could you provide details on the specific conditions or causes that lead to a TopicDisallowed error?
  2. After replacing the certificate, is there a reason why we might still be intermittently receiving this error? Are there additional certificate or configuration settings we should check?
  3. What might cause some requests to succeed with a 200 OK response, while others result in a TopicDisallowed error with the same setup?
  4. Is it possible that APNs could be caching outdated information from the previous certificate, which might explain the decreasing frequency of the errors?

We have reviewed our certificate and configuration after the renewal, but the issue persists. Any guidance on how to further troubleshoot or resolve this would be greatly appreciated.

Thank you.

Answered by Engineer in 805462022

TopicDisallowed occurs when the credentials you use to start the connection to APNs do not match the Bundle ID (aka "the topic") you are trying to send a notification to.

The apns-topic header cannot override the topic that the certificate is tied to. In other words, if your server is establishing the connection with a certificate for BundleID-A, you cannot override that with apns-topic to BundleID-B if the certificate does not authorize you for it.

This is obviously all due to the wrong certificate with the incorrect Bundle ID. The reason why the issue is intermittently there could be one of several things:

  1. if you have multiple push provider servers, some of them are configured with the wrong certificate
  2. your server is still configured with both the correct and incorrect certificates, and it is randomly using one or the other
  3. after correcting the certificate you have not reset your connections. The connection will keep using the first credential it was established with for any subsequent requests. After changing the certificates you must close any open connections and establish new ones to APNs for the new credentials to work.

Hope these will give you some pointers to locate the issue.


Argun Tekant / DTS Engineer / Core Technologies
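Point 3 of the answer above, modelled as an added example that is not part of the original thread and is not Apple's or the poster's code: a connection keeps the credential it was opened with, so a rotation that does not reset connections leaves stale ones that still return TopicDisallowed. The class names, bundle IDs and PEM bytes are constructed, and `SimulatedConnection` is an offline stand-in for an APNs connection, not a real client.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Credential:
    pem: bytes   # constructed placeholder bytes, not a real certificate
    topic: str   # bundle ID the certificate authorizes

    @property
    def fingerprint(self) -> str:
        return hashlib.sha256(self.pem).hexdigest()


class SimulatedConnection:
    """Stand-in for one HTTP/2 connection: its credential is fixed at connect time."""

    def __init__(self, cred: Credential):
        self.cred = cred

    def send(self, apns_topic: str) -> str:
        return "200 OK" if apns_topic == self.cred.topic else "TopicDisallowed"


class ProviderPool:
    def __init__(self, cred: Credential, size: int = 2):
        self.cred = cred
        self.conns = [SimulatedConnection(cred) for _ in range(size)]
        self._next = 0

    def rotate(self, new_cred: Credential, reset_connections: bool) -> None:
        """Install a new credential; open connections keep the old one unless reset."""
        self.cred = new_cred
        if reset_connections:
            self.conns = [SimulatedConnection(new_cred) for _ in self.conns]

    def reconnect(self, index: int) -> None:
        """Replace one connection, as happens when it drops and is re-established."""
        self.conns[index] = SimulatedConnection(self.cred)

    def stale(self):
        """Indexes of connections opened with a credential other than the current one."""
        return [i for i, c in enumerate(self.conns)
                if c.cred.fingerprint != self.cred.fingerprint]

    def send(self, apns_topic: str) -> str:
        conn = self.conns[self._next % len(self.conns)]  # round-robin over the pool
        self._next += 1
        return conn.send(apns_topic)


WRONG = Credential(b"constructed-pem-wrong", "com.example.wrong")
RIGHT = Credential(b"constructed-pem-right", "com.example.app")
```

Comparing the fingerprint each connection was opened with against the currently configured certificate, per server, is a quick way to tell causes 1 to 3 apart.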
