
JSS cert not working - Macs not checking in

  • September 29, 2011
  • 9 replies
  • 17 views

donmontalvo

We had a valid certificate in place when JSS was at 7.1, and when we moved to 7.31 we made sure the certificate continued to work.

Today we noticed that roughly 200 of the 1800 Macs in JSS are checking in...and the remaining 1600 Macs show Last Time of over 30 days.

Is there a way to validate the certificate is working properly? What could have hosed it?

Thanks,
Don

9 replies

  • Valued Contributor
  • September 29, 2011

Is your cert signed by a private CA?
---
Jared F. Nichols
Desktop Engineer, Client Services
Information Services Department
MIT Lincoln Laboratory
244 Wood Street
Lexington, Massachusetts 02420
781.981.5436


talkingmoose
  • Community Manager
  • September 29, 2011

You should be able to navigate to your JSS in a web browser from any of
the problem machines and check the cert there. Click the lock icon in the
browser to view.

--

William Smith
Technical Analyst
Merrill Communications LLC
(651) 632-1492


donmontalvo
  • Author
  • Hall of Fame
  • September 29, 2011

Hi Jared,

Yes it was created as per the below article and worked for months:

http://jamfsoftware.com/kb/article.php?id=019

Per this article we deselected the cert option, pending confirmation the certificate is still valid since we moved from 7.1 to 7.31:

http://jamfsoftware.com/kb/article.php?id=051

Thanks,
Don


donmontalvo
  • Author
  • Hall of Fame
  • September 29, 2011

Hi William,

Long time no see. :) Ya, we actually get this error when we try to enable the checkbox in JSS:

http://donmontalvo.com/jamf/JSS_invalid_certificate.png

Not sure how it could break. We have our team looking into it.

Just curious...does the "-k" option in QuickAdd postflight force it to require a valid cert?

    ####################################################
    ## Create the configuration file at /private/etc/jamf.conf
    ####################################################
    /usr/sbin/jamf createConf -url 'https://*:8443/' -k

Don


  • Valued Contributor
  • Answer
  • September 29, 2011

Using a client system that hasn't checked in, can you look at the trust chain and see what the client thinks the trust status is?

j
---
Jared F. Nichols
Desktop Engineer, Client Services
Information Services Department
MIT Lincoln Laboratory
244 Wood Street
Lexington, Massachusetts 02420
781.981.5436
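
One way to run the client-side trust check suggested in the answer above from Terminal, as an added example that is not part of any poster's message: it classifies the "Verify return code" that `openssl s_client` reports for the JSS. The host name, port and CA path are placeholders, and `openssl` checks against its own CA bundle rather than necessarily the keychain, so a private CA has to be passed in explicitly.

```shell
#!/bin/sh
# Added example, not from the thread. Host, port and CA path are placeholders.

# Capture the TLS handshake transcript for the JSS as seen from this client.
# Optional third argument: PEM file of a private CA to trust for this check.
fetch_handshake() {   # usage: fetch_handshake jss.example.com 8443 [ca.pem]
    openssl s_client -connect "$1:$2" ${3:+-CAfile "$3"} </dev/null 2>&1
}

# Map the first "Verify return code" in a transcript to a short verdict.
# Exit status: 0 trusted, 1 chain rejected, 2 no verify line (no handshake).
classify_trust() {
    code=$(printf '%s\n' "$1" |
        sed -n 's/.*Verify return code: \([0-9][0-9]*\).*/\1/p' | head -n 1)
    case "$code" in
        '')    echo "no-verify-line"; return 2 ;;
        0)     echo "trusted"; return 0 ;;
        10)    echo "expired" ;;
        18|19) echo "self-signed-or-untrusted-root" ;;
        20|21) echo "issuer-missing" ;;
        *)     echo "other-failure-$code" ;;
    esac
    return 1
}

# Constructed sample: what s_client prints when the chain ends in a root
# that the client does not trust (for example an unimported private CA).
SAMPLE_UNTRUSTED='depth=1 CN = Example Private CA
verify error:num=19:self signed certificate in certificate chain
    Verify return code: 19 (self signed certificate in certificate chain)'

# Offline demonstration on the constructed sample.
classify_trust "$SAMPLE_UNTRUSTED" || true

# Live use on an affected Mac (placeholder host):
#   classify_trust "$(fetch_handshake jss.example.com 8443)"
#   classify_trust "$(fetch_handshake jss.example.com 8443 /path/to/private-ca.pem)"
```

If the verdict changes from `self-signed-or-untrusted-root` to `trusted` once the CA file is supplied, the certificate itself is intact and the client is simply missing the issuing CA in its trust store.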


  • Valued Contributor
  • September 29, 2011

Yes the -k flag will require a valid cert.

j
---
Jared F. Nichols
Desktop Engineer, Client Services
Information Services Department
MIT Lincoln Laboratory
244 Wood Street
Lexington, Massachusetts 02420
781.981.5436


donmontalvo
  • Author
  • Hall of Fame
  • January 16, 2012

Doing some house cleaning on threads I left open-ended. Turns out "-k" tells the Casper agent to not care about the cert. Enabling the cert in JSS triggers removal of the "-k" on the client side. So if you enable the cert today and disable the cert tomorrow, clients won't call in anymore (unless you're able to add "-k" back on the client).


  • Valued Contributor
  • January 17, 2012

Adding the -k works for policies, but I found that you need to select the "Allow Invalid Certificate" box in the preferences for Casper Remote or it locks up again.


bentoms
  • Hall of Fame
  • January 17, 2012

So looks like Certs signed by a private CA will not work?