Removing APNs certificates in cPanel

For many years cPanel has provided support for push notifications on Apple devices for IMAP, CalDAV and CardDAV using the Apple Push Notification service (APNs).
To set this up, you need to provide APNs certificates from Apple for com.apple.mail, com.apple.calendar and com.apple.contact, which can be installed under Service Configuration -> Manage Service SSL Certificates -> iOS Mail Push Notifications (APNs) in WHM.

Traditionally you needed an old copy of macOS Server in order to get these APNs certificates, but it was also possible to obtain the certificates using third-party scripts such as https://github.com/scintill/macos-server-apns-certs which had reverse engineered the Apple APIs for issuing certificates.
Unfortunately, in October 2024 Apple discontinued this API and so it was no longer possible to issue new APNs certificates for com.apple.mail, com.apple.calendar and com.apple.contact.

Whilst it is annoying that we can’t provide push notifications to Apple users anymore thanks to these changes, this actually becomes a service-affecting problem when these certificates expire. Any cPanel server still using the old Calendar and Contacts Server (CCS) plugin (which behind the scenes is the old open source Apple/Darwin Calendar and Contacts Server) will break, as the “cpanel-ccs” service will stop and refuse to start with a message about the expired APNs certificates:

-- Unit cpanel-ccs.service has begun starting up.
Apr 22 17:57:34 myserverhostname.com ccs_init[24103]: Using /opt/cpanel-ccs/.develop/virtualenv/bin/python as Python
Apr 22 17:57:34 myserverhostname.com ccs_init[24103]: Starting server...
Apr 22 17:57:34 myserverhostname.com ccs_init[24103]: /opt/cpanel-ccs/bin/caldavd  -f /opt/cpanel-ccs/conf/caldavd-dev.plist -P caldav -t Combined
Apr 22 17:57:36 myserverhostname.com ccs_init[24103]: Reading configuration from file: /opt/cpanel-ccs/conf/caldavd-dev.plist
Apr 22 17:57:36 myserverhostname.com ccs_init[24103]: APNS certificate expired /var/cpanel/ssl/caldav_apns/cert.pem
Apr 22 17:57:36 myserverhostname.com systemd[1]: cpanel-ccs.service: control process exited, code=exited status=1
Apr 22 17:57:36 myserverhostname.com systemd[1]: Failed to start Apple Calendar Server.
-- Subject: Unit cpanel-ccs.service has failed

Frustratingly, cPanel doesn’t provide a way to remove an existing APNs certificate, only to install new ones… given that no new APNs certificates can be issued, this leaves us rather stuck!
Sadly this kind of lack of attention to detail for basic management tasks is common throughout cPanel.

Even more frustratingly, cPanel seem to have removed all of their documentation about the APNs feature, so the only evidence that it ever existed is some very old posts on their badly mangled forum.

After a bit of poking around, I managed to find that you can manually remove the /var/cpanel/ssl/*apns/*.pem* certificate files and then update the CCS config in /opt/cpanel-ccs/conf/caldavd-dev.plist to remove any mention of them with the following commands:

rm -f /var/cpanel/ssl/*apns/*.pem*
/opt/cpanel-ccs/bin/rebuildccsconfig
systemctl restart cpanel-ccs.service

After this, the “cpanel-ccs” service will run normally again so CalDAV and CardDAV services are restored for all users.

The one last thing to do is go to Service Configuration -> Service Manager in WHM and disable “APNSPush” under “tailwatchd”.
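
To see which servers are affected before cpanel-ccs stops, or to confirm what the rm command above is about to delete, the certificate files can be checked with openssl. This is an added example, not part of the original post or of cPanel's tooling; the function names and the 30-day warning window are assumptions.

```bash
# Added example: classify the APNs certificate files that cpanel-ccs reads.
# Function names and the 30-day warning window are assumptions of this example.

# Print one word for FILE: ok, expiring (inside WINDOW seconds), expired, not-a-cert.
apns_cert_state() (
    file=$1
    window=${2:-2592000}   # 30 days, in seconds
    # Anything matching *.pem* that is not an X.509 certificate (a key file,
    # for instance) fails to parse and is reported as not-a-cert.
    if ! openssl x509 -noout -in "$file" >/dev/null 2>&1; then
        echo not-a-cert
    elif ! openssl x509 -noout -checkend 0 -in "$file" >/dev/null 2>&1; then
        echo expired
    elif ! openssl x509 -noout -checkend "$window" -in "$file" >/dev/null 2>&1; then
        echo expiring
    else
        echo ok
    fi
)

# Scan ROOT/*apns/*.pem* (the same glob the rm command uses) and print
# "state<TAB>notAfter<TAB>path" for each file. The exit status is 1 if any
# certificate is expired or expiring, so the function can drive a cron alert.
apns_scan() (
    root=${1:-/var/cpanel/ssl}
    window=${2:-2592000}
    rc=0
    for f in "$root"/*apns/*.pem*; do
        [ -f "$f" ] || continue   # an unmatched glob stays literal; skip it
        state=$(apns_cert_state "$f" "$window")
        end=$(openssl x509 -noout -enddate -in "$f" 2>/dev/null | cut -d= -f2)
        printf '%s\t%s\t%s\n' "$state" "${end:--}" "$f"
        case $state in expired|expiring) rc=1 ;; esac
    done
    exit "$rc"
)
```

Source the file and run apns_scan as root; a non-zero exit status on a server still running the CCS plugin means the removal steps above will be needed before the notAfter date shown.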
