Troubleshooting Server & CURL Errors

Hyperspace runs on a Linux server. We can host Hyperspace for you, or you can procure your own server and run Hyperspace inside your network.

Apple Device Enrollment uses a proprietary Apple certificate (provided by Apple) and CURL to authenticate and send web service requests to the Apple Device Enrollment server. There are several configuration requirements for Hyperspace Apple Device Enrollment for the server. If your IT department has recently upgraded your server or if you are installing Hyperspace Apple Device Enrollment on your own server, it is important to note the following:

1. OpenSSL

API calls to Apple Device Enrollment are initiated using CURL with OpenSSL. Run a phpinfo() check on your server to make sure that PHP is still using OpenSSL. Just because OpenSSL is installed on your server doesn't mean that PHP is using it. It is best to run the phpinfo() check directly from the web browser, because the command-line PHP can be configured differently from the PHP that Apache runs.


2. SELinux

SELinux (Security-Enhanced Linux) is one of the security features that give Linux its reputation as one of the most secure operating systems you can use today. SELinux is enabled by default on most servers.

Please ask your IT department to disable SELinux temporarily and see if that addresses the issue.

Security restrictions in SELinux may be disabling outgoing calls to your Point of Sale or Apple.


We recognize that we cannot force clients to disable SELinux permanently, but often running this test will expose the issue. This will let you know if Apache has the proper permissions to read the Apple Private Key and Certificate.

If you are unsure how to disable SELinux temporarily, log in to your server via SSH and run this command:

setenforce 0

You can reference this article which shows how to disable SELinux temporarily until the next reboot or how to permanently disable it.

https://support.plesk.com/hc/en-us/articles/213947705-How-to-disable-SELinux-on-the-server

If there are no CURL errors when SELinux is disabled, the issue is most likely your Apache permissions.

To permanently disable SELinux enforcement, edit the SELinux configuration file:

vi /etc/selinux/config

Change SELINUX=enforcing to SELINUX=permissive. In permissive mode, SELinux logs denials but no longer blocks them.

If your server is running a proxy, make sure that Apache and PHP are configured to use your proxy. It is always a good idea to run a CURL test via SSH. For example, run this command via SSH:

curl https://www.google.com

90% of the time, the issue is that Apache does not have permission to read the Apple private key and Apple certificate.

3. Apple Firewall Connectivity

To check whether your server can reach Apple's endpoint through your firewall, run this curl command:

curl -G "https://api-applecareconnect.apple.com/system-service/1.0/check-liveness"

If you get a result of 0, the test was successful.

4. 400 Bad Response Errors

The Apple certificate on your server may have expired. It expires every 2 years. You can check this by running the following command over SSH on the server. The expiry date is the Not After value under Validity in the output.

openssl x509 -in <path to the Apple certificate> -text -noout

If you cannot locate your Apple certificate, its path can be found in your Hyperspace settings. There you can edit the path to your certificate, private key and passphrase.


If your certificate has expired, you will need to create a new CSR with a new private key and send it to Apple. You can find instructions on how to do that here.
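The certificate checks from this section as an added shell example (not part of the original article or of Hyperspace): it reports whether the certificate is expired or close to expiry, whether the private key matches it, and optionally whether the web server account can read both files. The function names, the KEY_PASSPHRASE variable and the throwaway sample certificate are assumptions made for the example.

```bash
#!/usr/bin/env bash
# Added example; function names, KEY_PASSPHRASE and the sample subject are hypothetical.

# Print unreadable | invalid | expired | expiring | valid for a PEM certificate.
# $1 = certificate path, $2 = warning window in days (default 30).
cert_status() {
    local cert="$1" days="${2:-30}"
    [ -r "$cert" ] || { echo unreadable; return; }
    openssl x509 -in "$cert" -noout >/dev/null 2>&1 || { echo invalid; return; }
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo expired
    elif ! openssl x509 -in "$cert" -noout -checkend "$((days * 86400))" >/dev/null 2>&1; then
        echo expiring
    else
        echo valid
    fi
}

# Succeed when the private key ($2) belongs to the certificate ($1).
# The passphrase is read from KEY_PASSPHRASE so it never appears in the process list.
key_matches_cert() {
    local cert_pub key_pub
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(KEY_PASSPHRASE="${KEY_PASSPHRASE:-}" \
        openssl pkey -in "$2" -pubout -passin env:KEY_PASSPHRASE 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Succeed when account $1 can read file $2 (run as root). This tests file
# permissions only; the SELinux label is shown by: ls -Z "$2"
readable_by() { sudo -n -u "$1" test -r "$2"; }

# Constructed sample: throwaway key and self-signed certificate valid for $2 days.
make_sample() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" -subj "/CN=sample.invalid" \
        -keyout "$1/sample.key" -out "$1/sample.pem" >/dev/null 2>&1
}

# Usage: script CERT KEY [WEB_USER]; with no arguments, runs on the constructed sample.
if [ "$#" -ge 2 ]; then cert="$1" key="$2"
else tmp=$(mktemp -d) && make_sample "$tmp" 10; cert="$tmp/sample.pem" key="$tmp/sample.key"; fi
echo "certificate: $(cert_status "$cert")"
key_matches_cert "$cert" "$key" && echo "key: matches certificate" || echo "key: mismatch or unreadable"
[ -z "${3:-}" ] || { readable_by "$3" "$cert" && readable_by "$3" "$key" && echo "readable by $3"; } \
    || echo "NOT readable by $3"
```

Pass the certificate and key paths from your Hyperspace settings as the first two arguments, and the account Apache runs as (for example apache or www-data, depending on the distribution) as the third.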
