Apple MDM Certificate Signature Verification failed because the signature is invalid

CLG
Contributor

Hi All,

When I try to update the push notification I get this error. Does anyone have any idea why I'm getting this?

Didn't change anything in my server except to update the server from 2012 R2 to R2019. That was the only change I did for my server.

When I download the signed CSR from Jamf Nation and upload it to the Apple push certificate portal I get this error.


Thanks


1 ACCEPTED SOLUTION

CLG
Contributor

Hey guys,

Finally, I managed to fix the issue.
We were running on an old version of JAMF. Updated it to the latest (it was a big jump from 10.14 to 10.46.1).

Updated the SQL server (take SQL dumps before the update and use the JAMF Pro Tools to back up the data).
We brought our server to 10.30.3. Did the certificate update 😁 😀
Then a direct jump to 10.46.1 😎
It was easy because we were running on a VM. We had clones and snapshots.
After each update, we did a snapshot for the safe side and now it's working like a charm 😘.

We got support from JAMF and they were good.

Special thanks to Harvey Zhou from JAMF support. 


22 REPLIES

sw1
New Contributor

Getting exact same error here. 

st00789
New Contributor II

I'm getting this error as well, our JAMF is in the cloud.

CLG
Contributor

Is there any fix? I have only a few days left 😰😰😰😰😰😰😰😰😰😰

st00789
New Contributor II

No, I haven't found a solution. Have you been in contact with JAMF support?

AJPinto
Honored Contributor III

This is the way. 

CLG
Contributor

No, probably I will do that 

If I get any update I will let you guys know.


CLG
Contributor

Hi Guys,

This is one of the solutions they provided me. I think you guys would have tried this already.
Didn't work for me, hope this will help someone.

I'm still waiting on their reply.

*********************************************************
We also have a video here that details this process: https://jamf.it/KBV_RenewAPNs

*** IMPORTANT: It is highly recommended that we do not delete the existing push certificate from Jamf Pro when renewing a push certificate. ***

Renew APNS certificate:

1. Navigate to Settings > Global > Push Certificates. Please make note of the last section of letters and numbers in the certificate - will look something like this: -f1abda9e5924. Click on the MDM Push Notification Certificate.
2. Click Renew at the bottom right, and choose "Download signed CSR from Jamf."
3. Follow the link to Apple’s Push Certificate Portal. If that fails, the website is https://identity.apple.com
4. *** IMPORTANT ***: Log in with the same Apple ID used to create the Push Certificate. If we are unable to access that Apple ID, please contact APNS support: https://support.apple.com/en-us/HT208643
5. You should see the Push Certificate listed there (*** IMPORTANT: Do not create a new certificate), the expiration date will be the same as in Jamf, and if we click the italic “i” (info) button you can match the topic ID section to match what we noted earlier.
6. Select the “Renew” button > Upload the signed CSR from Jamf > Save > Select "Download Token"
7. Return to Jamf and upload the new Certificate when prompted in the on-screen prompt.
8. Afterward we can test and ensure the certificate is correct by doing an inventory update on a device.
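
The topic check from steps 1 and 5 can also be run against the certificate file downloaded from Apple's portal before it is uploaded in step 7. This is an added example, not part of the post above or of Jamf's instructions; it assumes `openssl` is installed, that the download is a PEM certificate, and that the push topic is the UID attribute of its subject (`com.apple.mgmt.External.<id>`). The script name and arguments are hypothetical.

```shell
#!/bin/sh
# Added example: confirm a renewed push certificate keeps the topic noted in step 1.

# Print the MDM push topic (UID attribute of the certificate subject), lowercased.
apns_topic() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null |
        sed -n 's/.*UID=\(com\.apple\.mgmt\.[^,]*\).*/\1/p' |
        tr 'A-Z' 'a-z'
}

# Return 0 if the topic ends with the suffix noted from Jamf Pro,
# 1 if it does not, 2 if the certificate or suffix could not be read.
topic_matches_suffix() {
    topic=$(apns_topic "$1")
    suffix=$(printf '%s' "${2#-}" | tr 'A-Z' 'a-z')   # accepts "-f1ab..." or "f1ab..."
    [ -n "$topic" ] && [ -n "$suffix" ] || return 2
    case "$topic" in
        *"-$suffix") return 0 ;;
        *)           return 1 ;;
    esac
}

# Return 0 if the certificate is still valid N days from now.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Usage: sh check_push_cert.sh <downloaded.pem> <suffix noted in step 1>
if [ "$#" -eq 2 ]; then
    if topic_matches_suffix "$1" "$2"; then
        echo "topic matches: $(apns_topic "$1")"
    else
        echo "topic mismatch or unreadable certificate: $(apns_topic "$1")" >&2
        exit 1
    fi
    cert_valid_for_days "$1" 300 || echo "warning: expires within 300 days" >&2
fi
```

A mismatch here means the file is not a renewal of the certificate Jamf Pro currently holds, which is the situation step 5 warns against.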



MSD_Admin
New Contributor

Running into the same issue, on both our Dev instance and Prod - Are we thinking this is a JAMF-side issue or Apple?

Update: After working with chat support we were able to resolve the issue. In our case it was the CSR Signer that was not working. Support provided one that was compatible with older versions of JAMF. The link provided within the older version of JAMF was creating bad certs that Apple was not accepting.

I recommend you reach out to support and see if they can send you an appropriate link for your version if you run into this.

Waiting for their reply.
I already sent some files.

CLG
Contributor

Another solution that JAMF support provided us.
Did not work for us.
Hope this will help someone.

*****************************************************************


The issue seems to be related to the change of signing link for this task because our system was changed from Jamf Nation to Jamf ID. If it's relatively old, 10.30-ish or even older, we can try to renew it via the workflow below.

- Go to Jamf settings - Global - Push certificates
- Select the 2nd option, "Download CSR and sign later using Jamf Account"
- Download the certSigningRequest file and proceed to the next step
- Do NOT open the link on your server. Instead, log in with your Jamf ID via this link and sign the CSR file:
https://account.jamf.com/products/jamf-pro/csr-signer
- Proceed with the rest of the renewal steps via the Apple push portal

javidmajdi
New Contributor

This was very helpful and worked for me. Thanks for sharing it.

st00789
New Contributor II

Ours started working. I logged into JAMF yesterday and noticed our cloud provider had updated JAMF, and I was able to update the certificate without issue, so I'm unsure what our issue was.

CLG
Contributor

What is the JAMF version you are running on? Is it 10.46?

st00789
New Contributor II

Yeah, it's running 10.46.

Thanks 😊

st00789
New Contributor II

Is that the version you are running?

No, we are running on an older version. Probably I will update the JAMF server and see.

We are running an on-premises server on top of the VM.

st00789
New Contributor II

Yeah, I'd give that a go. I hadn't gotten around to contacting JAMF support yet, so I very much doubt JAMF support would have done anything.

st00789
New Contributor II

Just curious, how'd you go??

relievant
New Contributor II

To anyone having this issue with an on-prem server, my issue was resolved by rebooting the server. You may be able to get away with just restarting Tomcat, but I had the opportunity for a reboot and used it. Renewal process worked perfectly normal after the reboot. Hope this helps!