freswa / dovecot-xaps-daemon Goto Github PK

It is unclear in your documentation what happens with non apple phone users. Does this plugin send apple a notification for every single e-mail the dovecot server ever gets? If so, this seems like a major privacy issue for people who opted out of apple products in the first place.

If it only sends notifications to apple for people who have apple phones and are actively logged in with them, how is that communicated? Is there some message that goes through the IMAP connection that is then passed from dovecot to this plugin? If so, could you point to where this is at in the code?

Trying to build this daemon on CentOS 7 with Go 1.16.13 and getting following error:

`# go build ./cmd/xapsd

go: github.com/spf13/[email protected] requires
cloud.google.com/go/[email protected] requires
github.com/golang/[email protected] requires
google.golang.org/[email protected] requires
github.com/golang/[email protected] requires
google.golang.org/[email protected] requires
github.com/golang/[email protected]: invalid version: git fetch --unshallow -f origin in /root/go/pkg/mod/cache/vcs/6e18cbff36266c74e48dd81b4b672026ac74fb69c838ddb6240f256bb8edf590: exit status 128:
fatal: git fetch-pack: expected shallow list`

Previously I had build https://github.com/st3fan/dovecot-xaps-daemon many times with no issues.

I am not an expert in Go and quick googling didn't help so asking for advice here.

Hi!

Would it be possible to add an "updated" time or update "registration time" regularly in the xapsd.json file and prune entries not updated in a while?

I had many long forgotten clients listed in the file, thus the server was sending many requests for no clients.

Thank you!

Hello, very grateful for all your work. I managed to make it work with my installation.

A few remarks that might be worthwhile to document:

• About the Apple ID, you mention:

  Prerequisites: Apple ID you've purchased macOS Server with

  I never bought macOS Server with the Apple ID I'm using. It is however enrolled in the Apple Developer Program, maybe that's the reason I didn't have any issue.

• I had to tweak my postfix/dovecot-lda configuration a bit, to ensure the logged in user corresponded with the one passed to the LDA (had to add -d "$RECIPIENT" to dovecot-lda

• When everything seemed to be working, and I was still not getting notifications in iOS, I had to go to Settings -> Mail -> Notifications -> Customize Notifications -> <Account> and ensure Alerts was "on". 🤦‍♂️ Not sure why it defaulted to "off".

Thanks again!

Can the plugin code be updated to reflect dovecot's debug/verbose/info configurations before add debug messages at the logs, instead of blindly calling i_debug functions at certain steps?

Curious mostly, but others might find this useful info.
Do we know if an App Specific Password is usable for this instead of the main account password?
I know we only used a hashed version of the password, but still, for some it might be preferred if it is possible to use that instead of the main account password

Currently the database is handled by a json-file, very simple and probably works fine for most cases, but I would say it might be inadvisable to use a JSON file rather than a "real" database of some kind if you have many users with xaps enabled.

This is a feature request for having some kind of database instead of a single database.json-file, be it Redis, Postgresql, Mariadb or something else for better scaling.

Also, is there some information from Apple how they handle "heavy users" of the notifications, rate-limiting or blocking the App Store account used for purchasing MacOS Server? (Found this, not sure if it is applicable https://developer.apple.com/library/archive/technotes/tn2265/_index.html#//apple_ref/doc/uid/DTS40010376-CH1-TNTAG44)

Thank you for this really awesome project, really love how simple it was to set up :)

Maybe an iOS user doesn't want apple to be notified every time they get an e-mail. Is it possible to allow or disallow this push notification plugin's capability for certain users? If so, would it be at a dovecot level or an access list baked into this plugin?

Just installed the daemon and started the service.

I am now getting a constant stream of repeated "Apple Push Notification Service certificate created" emai. Am I doing or missing something, or is it something at Apple's end?

Trying to recompile xapsd, go is a nightmare. xapsd requires go 1.19.7, module exp/constraints requires go 1.20. However go 1.20 and newer produces a buggy code (as confirmed on README file), and gcc-go doesn't work as it is based on go 1.18.

Aren't Python or C# options for a less volatile language? Absolutely anything Google related is a hit, miss, or an ad, and these days, Hartley any hits.

Once every couple of days I get the following error, which results in xapsd no longer responding. The stacktrace is completely spammed in the logs, since there are quite a few requests every second from dovecot nodes, until the service is restarted. Didn't know how much of the stacktrace is useful for you, but here's a bit of it at least.

I'm running on FreeBSD 13.1 with the tag f6d5733 checked out.

2023-04-27T11:15:32.398494+02:00 s972 xapsd[46491] time="2023-04-27T11:15:32+02:00" level=info msg="Apple returned 410 for notification to XXX / YYY"
2023-04-27T11:15:32.409280+02:00 s972 xapsd[46491] time="2023-04-27T11:15:32+02:00" level=info msg="Deleting YYY"
2023-04-27T11:15:32.409287+02:00 s972 xapsd[46491] fatal error: concurrent map read and map write
2023-04-27T11:15:32.412482+02:00 s972 xapsd[46491]
2023-04-27T11:15:32.412492+02:00 s972 xapsd[46491] goroutine 17661400 [running]:
2023-04-27T11:15:32.412497+02:00 s972 xapsd[46491] github.com/freswa/dovecot-xaps-daemon/internal/database.(*Database).UserExists(...)
2023-04-27T11:15:32.412502+02:00 s972 xapsd[46491] 	github.com/freswa/dovecot-xaps-daemon/internal/database/database.go:286
2023-04-27T11:15:32.412516+02:00 s972 xapsd[46491] github.com/freswa/dovecot-xaps-daemon/internal.(*httpHandler).handleNotify(0xc006fb7de0, {0x8f8fd0, 0xc022a84a80}, 0xc022a90700, {0xc006fd8500?, 0x0?, 0xc00cc42e8e?})
2023-04-27T11:15:32.412523+02:00 s972 xapsd[46491] 	github.com/freswa/dovecot-xaps-daemon/internal/socket.go:168 +0x77f
2023-04-27T11:15:32.412542+02:00 s972 xapsd[46491] github.com/julienschmidt/httprouter.(*Router).ServeHTTP(0xc006fa7f20, {0x8f8fd0, 0xc022a84a80}, 0xc022a90700)
2023-04-27T11:15:32.412547+02:00 s972 xapsd[46491] 	github.com/julienschmidt/httprouter/router.go:387 +0x81c
2023-04-27T11:15:32.412559+02:00 s972 xapsd[46491] net/http.serverHandler.ServeHTTP({0x8f7d50?}, {0x8f8fd0, 0xc022a84a80}, 0xc022a90700)
2023-04-27T11:15:32.412564+02:00 s972 xapsd[46491] 	net/http/server.go:2936 +0x316
2023-04-27T11:15:32.412567+02:00 s972 xapsd[46491] net/http.(*conn).serve(0xc01208b560, {0x8f91f8, 0xc006fdcd20})
2023-04-27T11:15:32.412570+02:00 s972 xapsd[46491] 	net/http/server.go:1995 +0x612
2023-04-27T11:15:32.412575+02:00 s972 xapsd[46491] created by net/http.(*Server).Serve
2023-04-27T11:15:32.412583+02:00 s972 xapsd[46491] 	net/http/server.go:3089 +0x5ed
2023-04-27T11:15:32.412589+02:00 s972 xapsd[46491]
2023-04-27T11:15:32.412592+02:00 s972 xapsd[46491] goroutine 1 [IO wait]:
2023-04-27T11:15:32.412595+02:00 s972 xapsd[46491] internal/poll.runtime_pollWait(0x82d253a98, 0x72)
2023-04-27T11:15:32.412598+02:00 s972 xapsd[46491] 	runtime/netpoll.go:306 +0x89
2023-04-27T11:15:32.412603+02:00 s972 xapsd[46491] internal/poll.(*pollDesc).wait(0xc0000da800?, 0x4b906c?, 0x0)
2023-04-27T11:15:32.412610+02:00 s972 xapsd[46491] 	internal/poll/fd_poll_runtime.go:84 +0x32
2023-04-27T11:15:32.412614+02:00 s972 xapsd[46491] internal/poll.(*pollDesc).waitRead(...)
2023-04-27T11:15:32.412618+02:00 s972 xapsd[46491] 	internal/poll/fd_poll_runtime.go:89
2023-04-27T11:15:32.412622+02:00 s972 xapsd[46491] internal/poll.(*FD).Accept(0xc0000da800)
2023-04-27T11:15:32.412625+02:00 s972 xapsd[46491] 	internal/poll/fd_unix.go:614 +0x2bd
2023-04-27T11:15:32.412632+02:00 s972 xapsd[46491] net.(*netFD).accept(0xc0000da800)
2023-04-27T11:15:32.412642+02:00 s972 xapsd[46491] 	net/fd_unix.go:172 +0x35
2023-04-27T11:15:32.412645+02:00 s972 xapsd[46491] net.(*TCPListener).accept(0xc006fccb10)
2023-04-27T11:15:32.412648+02:00 s972 xapsd[46491] 	net/tcpsock_posix.go:148 +0x25
2023-04-27T11:15:32.412652+02:00 s972 xapsd[46491] net.(*TCPListener).Accept(0xc006fccb10)
2023-04-27T11:15:32.412655+02:00 s972 xapsd[46491] 	net/tcpsock.go:297 +0x3d
2023-04-27T11:15:32.412665+02:00 s972 xapsd[46491] net/http.(*Server).Serve(0xc006fec000, {0x8f8df0, 0xc006fccb10})
2023-04-27T11:15:32.412669+02:00 s972 xapsd[46491] 	net/http/server.go:3059 +0x385
2023-04-27T11:15:32.412672+02:00 s972 xapsd[46491] net/http.(*Server).ListenAndServe(0xc006fec000)
2023-04-27T11:15:32.412676+02:00 s972 xapsd[46491] 	net/http/server.go:2988 +0x7d
2023-04-27T11:15:32.412685+02:00 s972 xapsd[46491] net/http.ListenAndServe(...)
2023-04-27T11:15:32.412688+02:00 s972 xapsd[46491] 	net/http/server.go:3242
2023-04-27T11:15:32.412692+02:00 s972 xapsd[46491] github.com/freswa/dovecot-xaps-daemon/internal.NewHttpSocket(0xc000000180, 0xc001d8e060, 0xc0000a63c0)
2023-04-27T11:15:32.412696+02:00 s972 xapsd[46491] 	github.com/freswa/dovecot-xaps-daemon/internal/socket.go:52 +0x285
2023-04-27T11:15:32.412700+02:00 s972 xapsd[46491] main.main()
2023-04-27T11:15:32.412704+02:00 s972 xapsd[46491] 	github.com/freswa/dovecot-xaps-daemon/cmd/xapsd/xapsd.go:68 +0x2c9
2023-04-27T11:15:32.412708+02:00 s972 xapsd[46491]
2023-04-27T11:15:32.412712+02:00 s972 xapsd[46491] goroutine 50 [chan receive, 136 minutes]:
2023-04-27T11:15:32.412715+02:00 s972 xapsd[46491] github.com/freswa/dovecot-xaps-daemon/internal/database.NewDatabase.func1()
2023-04-27T11:15:32.412718+02:00 s972 xapsd[46491] 	github.com/freswa/dovecot-xaps-daemon/internal/database/database.go:105 +0x65
2023-04-27T11:15:32.412725+02:00 s972 xapsd[46491] created by github.com/freswa/dovecot-xaps-daemon/internal/database.NewDatabase
2023-04-27T11:15:32.412728+02:00 s972 xapsd[46491] 	github.com/freswa/dovecot-xaps-daemon/internal/database/database.go:104 +0x24d
2023-04-27T11:15:32.412731+02:00 s972 xapsd[46491]
2023-04-27T11:15:32.412734+02:00 s972 xapsd[46491] goroutine 51 [select]:
2023-04-27T11:15:32.412737+02:00 s972 xapsd[46491] golang.org/x/net/http2.(*ClientConn).RoundTrip(0xc003838180, 0xc022a4f500)
2023-04-27T11:15:32.412740+02:00 s972 xapsd[46491] 	golang.org/x/net/http2/transport.go:1269 +0x491
2023-04-27T11:15:32.412743+02:00 s972 xapsd[46491] golang.org/x/net/http2.(*Transport).RoundTripOpt(0xc0037a8750, 0xc022a4f500, {0xe0?})
2023-04-27T11:15:32.412745+02:00 s972 xapsd[46491] 	golang.org/x/net/http2/transport.go:561 +0x1c5
2023-04-27T11:15:32.412749+02:00 s972 xapsd[46491] golang.org/x/net/http2.(*Transport).RoundTrip(0xc022a4f500?, 0x8f5ac0?)
2023-04-27T11:15:32.412753+02:00 s972 xapsd[46491] 	golang.org/x/net/http2/transport.go:513 +0x1b
2023-04-27T11:15:32.412756+02:00 s972 xapsd[46491] net/http.send(0xc022a4f400, {0x8f5ac0, 0xc0037a8750}, {0x8?, 0x8424a0?, 0xb570e0?})
2023-04-27T11:15:32.412758+02:00 s972 xapsd[46491] 	net/http/client.go:252 +0x5f7
2023-04-27T11:15:32.412769+02:00 s972 xapsd[46491] net/http.(*Client).send(0xc006adb770, 0xc022a4f400, {0x100000044fed9?, 0x829178ec8?, 0xb570e0?})
2023-04-27T11:15:32.412773+02:00 s972 xapsd[46491] 	net/http/client.go:176 +0x9b
2023-04-27T11:15:32.412780+02:00 s972 xapsd[46491] net/http.(*Client).do(0xc006adb770, 0xc022a4f400)
2023-04-27T11:15:32.412785+02:00 s972 xapsd[46491] 	net/http/client.go:716 +0x8fb
2023-04-27T11:15:32.412789+02:00 s972 xapsd[46491] net/http.(*Client).Do(...)
2023-04-27T11:15:32.412791+02:00 s972 xapsd[46491] 	net/http/client.go:582
2023-04-27T11:15:32.412796+02:00 s972 xapsd[46491] github.com/sideshow/apns2.(*Client).PushWithContext(0xc000031ea0, {0x8290ee5d8?, 0xc00002c150}, 0xc001cec200)
2023-04-27T11:15:32.412805+02:00 s972 xapsd[46491] 	github.com/sideshow/apns2/client.go:186 +0x1e5
2023-04-27T11:15:32.412808+02:00 s972 xapsd[46491] github.com/sideshow/apns2.(*Client).Push(...)
2023-04-27T11:15:32.412812+02:00 s972 xapsd[46491] 	github.com/sideshow/apns2/client.go:156
2023-04-27T11:15:32.412815+02:00 s972 xapsd[46491] github.com/freswa/dovecot-xaps-daemon/internal.(*Apns).SendNotification(0xc0000a63c0, {{0xc00bce8080, 0x40}, {0xc007600cc0, 0x24}}, 0x0?)
2023-04-27T11:15:32.412819+02:00 s972 xapsd[46491] 	github.com/freswa/dovecot-xaps-daemon/internal/apns.go:169 +0x55b
2023-04-27T11:15:32.412823+02:00 s972 xapsd[46491] github.com/freswa/dovecot-xaps-daemon/internal.(*Apns).checkDelayed(0xc0000a63c0)
2023-04-27T11:15:32.412827+02:00 s972 xapsd[46491] 	github.com/freswa/dovecot-xaps-daemon/internal/apns.go:138 +0x41b
2023-04-27T11:15:32.412834+02:00 s972 xapsd[46491] github.com/freswa/dovecot-xaps-daemon/internal.(*Apns).createDelayedNotificationThread.func1()
2023-04-27T11:15:32.412838+02:00 s972 xapsd[46491] 	github.com/freswa/dovecot-xaps-daemon/internal/apns.go:120 +0x53
2023-04-27T11:15:32.412842+02:00 s972 xapsd[46491] created by github.com/freswa/dovecot-xaps-daemon/internal.(*Apns).createDelayedNotificationThread
2023-04-27T11:15:32.412848+02:00 s972 xapsd[46491] 	github.com/freswa/dovecot-xaps-daemon/internal/apns.go:118 +0x8d

I noticed after upgrading to the latest version that push isnt working anymore.
I checked the database.json and I could see that last my phone date was 2 days before (when I updated the software)
So I started clean and deleted all old files and build the lastest again..

When starting the service it now instantly fails with:
xapsd[994]: 2023/03/24 10:24:30 Post "https://identity.apple.com/pushcert/caservice/new": net/http: HTTP/1.x transport connection broken: malformed MIME header line: 1;: mode=block

We do a cert validity check only upon startup at the moment. We should do a check at least every 10d.

Hi again.

Once again, first of all, thanks so much for this project. Push Notifications might seem like a minor thing, but once you've lived without them, it feels weird to not have them.

I was troubleshooting a certificate renewal issue on one of my 2 mail systems that run this, and noticed that xapsd seems to only match usernames in a case sensitive fashion.
One of my users set up their account starting the username with a capital letter, but on their devices they have signed in with their username all lowercase (does iOS mail just automatically lower-case the username that is entered?). Obviously this works for logging in and getting/sending mail via IMAP/SMTP, but xapsd reports a warning every time a message is delivered to their inbox:

time="2023-03-03T15:24:27+11:00" level=warning msg="No registration found for username: Username"

When I look in the json database, their username is recorded lowercase. In testing with the user, they do not receive push notifications (though they had not realised they should be so not the end of the world)

Just wondering if case sensitivity is intentional or if an update could be implemented to fix this?

I'd offer to make a PR myself (if it isn't an intentional feature), but I have no experience in Go and would need 3 management levels and corporate legal approval to make or contribute to open source projects. Happy to throw beer money around for it though 😅

In the configuration, we have both 11619 and 11620 available.
Given 11619 appears in dovecot-xaps-plugin as where to send notifications to, is 11620 optional, or is it where client devices will connect to?

And in firewall setup, would I only allow connections to 11619 from the local system and not external systems, and 11620 from external systems, or if 11620 is in use should 11619 still be externally accessible?

When starting xaps, I get the following error:
xapsd[837548]: time="2024-04-19T10:36:26+02:00" level=fatal msg="not a valid logrus Level: """

I haven't add or changed the loglevel. And I tried to comment out the loglevel. Nothing helps. Do you have an idea?

Older versions of this program said that a certificate had to be extracted from OSX server in order to work. Now you are apparently downloading them from somewhere?

How are how are certificates retrieved from Apple? Is this something similar to certbot (https://certbot.eff.org/) where a new certificate is generated and resigned on a regular basis so that I don't have to do manual maintenance? Or, is this just a one time certificate that is downloaded and it happens to be a bit more convenient than manually extracting from an old OSX server install? What is the oldest version of OSX server that counts for a valid license?

If is possible to run the daemon to listen a port instead a socket file? I have multiple servers and im thinking that, instead of running the daemon on every server, just run the daemon on one server and configure the plugin on the others servers to send the notifications to that server instead of local socket

For the last while, the push daemon dies regularly on me, with the error:

level=fatal msg="Error:Post \"https://api.push.apple.com/3/device/xxxxxx\": context deadline exceeded"

I've tried looking through the code and putting debugging info around every http call and can't find anything as yet..

Any ideas?

Hi, I've been trying to update from the original xapsd implementation from st3fan today to yours (because it seems you're still maintaining it and it would avoid me from keeping a very old OSX VM image just to renew the certs...).

Unfortunately it seems xapsd is not able to get a certificate, at least for now. I followed the guidelines for the password (the account has double auth enabled, could it be an issue ?), and ended up adding some debug logs into your Go source code (I'm actually not very familiar with Go, but as a day to day .NET C# and F# senior dev I think I can deal with it :) ).

First time (only) I launched xapsd I got this error

Dec 19 10:53:54 mail.zoc.me xapsd[23671]: 2020/12/19 10:53:54 Error -20358 while retrieving certificates:
Dec 19 10:53:54 mail.zoc.me xapsd[23671]: {Response:{Status:{ErrorDescription:Exception from DS ErrorMessage:Invalid Session ErrorCode:-20358} Certificates:[]} Header:{ClientIPAddress:1 LanguagePreference:1 TransactionId:1 ClientOSVersion:2.1 ClientOSName:MAC OSX ClientApplicationName:XServer ClientApplicationCredential:1}}

But since then no clear error messages (even after deleting the xapsd db to restart from a clean state).

So, basically I decided to dump the response from Apple when submitting certs request and this is what I get:

2020/12/19 12:11:20 <html>
<head><title>502 Bad Gateway</title></head>
<body>
<center><h1>502 Bad Gateway</h1></center>
<hr><center>Apple</center>
</body>
</html>

Then the process fails with this:

2020/12/19 12:11:20 plist: error parsing text property list: unexpected hex digit h' at line 0 character 2

which I guess is "expected" given what the parser gets as input....

Have you ever seen this from Apple ?
Could I've been blacklisted from my first attempt ?
Did you succeed to get certificates using xapsd recently ?

Thanks for your work and time.

Sorry for the question as it's somewhat unrelated, but as you all have the the relevant certificates and obviously also care about push notifications - has anyone of you also push for card/caldav running? If so, can you please point me to the project if there is any public source?

IF there isn't (I couldn't find any), would the xaps-daemon as it is be able to support those, too? Or would it need adjusting (I'm fully aware that CCS (or any other carddav/caldav server) would still need the plugin to even speak to the daemon in the first place - but this might be easier to get if it just needs to support the dovecot-xaps-daemon instead of the full way up to Apple's servers (with http/2 etc).

As far as I can see (and think to understand) only the first 9 of the 10 vendorCerts are being used (only here as Intn(9) would result in numbers from 0 to 8, ergo only the first 9 of the array)

This isn't an issue as in "it will/ might not work" but I assume it's not as it was intended (as I can't see the 10th cert being used anywhere else either)

The default /etc/xapsd/xapsd.yaml doesn't seem to get loaded correctly when running xapsd without any command line options:

FATA[0000] not a valid logrus Level: ""

It appears that the loglevel value is empty "". Other settings (databaseFile in particular) failed to load as well, except the "appleId" settings since the apns certificate request/generation worked at some point.

I'm using the default xapsd.yaml as is, the only settings I'm interested in changing is the loglevel. "databaseFile" failed to load after hard coding "loglevel", so something is odd with loading of the config.

I am able to work around the issue by hard coding all the various offending settings.

This is running on a fresh Debian 10 install. Could be environmental but I'm not sure.

Post "https://identity.apple.com/pushcert/caservice/renew": dial tcp 17.179.244.134:443: connect: connection refused

The xapsd-daemon seems to stop responding to all dovecot requests when trying to renew the certificate, and Apple seems to either have problem, or have shut down the service to renew certs (I hope not!)

The cert generated for my server should work until 2023-04-21 07:50:19, but the service won't respond to dovecot requests because it's stuck in a loop trying to renew the cert, is there any workaround, or are we all gonna get shafted by Apple? :(

Appreciate any support on this...

Push used to be working perfectly, and suddenly it has stopped working. No configuration changes were done.

tail /var/log/dovecot-lmtp.log (shows that the push notification is being sent)

Mar 02 09:36:50 lmtp(7374): Info: Connect from local
Mar 02 09:36:50 lmtp([email protected])<7374><10VXCaIsH2LOHAAAsB2X3g>: Debug: Sending notification: {"Username":"[email protected]","Mailbox":"INBOX","Events": ["MessageNew"]}
Mar 02 09:36:50 lmtp([email protected])<7374><10VXCaIsH2LOHAAAsB2X3g>: Info: sieve: msgid=<[email protected]>: stored mail into mailbox 'INBOX'
Mar 02 09:36:50 lmtp(7374): Debug: Notification sent successfully: 200 OK

I can see only one user entry in /var/lib/xapsd/database.json - for some reason other users or other accounts are not being registered there?

{
  "Users": {
    "[email protected]": {
      "Accounts": {
        "77979361-B13A-46F9-ABB3-****REDACTED***": {
          "DeviceToken": "960087EB1D051D10F79***********REDACTED**********",
          "Mailboxes": [
            "Junk",
            "INBOX",
            "Sent",
            "Notes"
          ],
          "RegistrationTime": "2022-03-02T09:47:54.855456616+01:00"
        }
      }
    }
  },

I've tried countless times to restart and airplane mode the device (apple iphone), the device does not get any push. Nor do other devices seem to register?

I've also tried to recompile the plugin and use the updated .so files, no joy there either.

Dovecot version: 2.3.18

I've been using the original daemon from st3fan and also moved to this fork.

Any help is appreciated, thank you.

I have several iOS devices. An old iPhone, a new iPhone (which started out life as a clone of the old one), and an iPad.
When I start mail, they all register. However, the old iPhone and new iPhone have the same AccountID, but different DeviceTokens. It looks like the code currently only supports one DeviceToken per AccountId. Whichever registers last wins.
Looks like the Account data structure and the Registration functions in database.go would have to be modified to support this?

FreeBSD 12.2.

xapsd only runs for a limited period of time, and then starts having issues with its database:

DEBU[0000] Opening databasefile at /var/db/xapsd/database.json
FATA[0000] Cannot open databasefile: /var/db/xapsd/database.json

Increasing loglevel to trace did not help get any extra information. Removing the database and generating a new certificate makes it run again. The certs used to be valid for a year. Has it changed to five days now or is the culprit elsewhere?

[Edit: Apple sent an e-mail about issuing a new certificate and it's indeed still valid for a year.]