OK so it works me now, even though I have this in the mattermost log for each push:
2016/07/04 14:16:04 ERROR Failed to send apple push sid=cwkhfejkhfjkerhfjkerhfjkerhfjkre did=yxverjferhfjerhfjkrehf err=INVALID_TOKEN
APN dev cert and matching URL for apple push server (without password, otherwise it will fail because it cannot unlock it), right 0400 permission on the key file.