Certificate problem?

Not applicable

So, our brand new JSS has been blessed with a proper certificate from Terena.
Since Terena is an intermediate, I had to import the certificate chain in the Tomcat configuration.
There is no problem connecting to the JSS via, for example, Safari; it is content with the chain supplied.

What seems to be the problem is that the jamf binary does not fully like a certificate chain.
Trying
jamf checkJSSConnectivity
on a client gives a green light and I can do a recon fine, but it refuses to get any policies with the error "could not connect to the JSS".

Am I barking up the wrong tree or has anybody else seen this?

I am thinking about maybe one thing I could have done differently;
when importing the certificates in the keystore, I imported the certificate and the chain, not the individual certificates in the chain (to the root keystore).
From what I've gathered in the jungle called certificates, the chain is just one file containing all the certs needed.

When doing a tcpdump on the client I can tell that the chain is supplied to the client, but it seems like it doesn't like it.

Patrik Sonestad
sysadm Lund university

3 REPLIES

jafuller
Contributor

Patrik,
I believe I'm running into this type of issue as well. Can you explain
more about what you found to be the issue and how you resolved it?
-- James Fuller | Starbucks

stevewood
Honored Contributor II

+1 here
On Fri, Dec 9, 2011 at 9:12 AM, James Fuller <JaFuller at starbucks.com> wrote:

Just installed a valid cert from RapidSSL on our JSS. The cert works fine
for web traffic, yet when I tried to cache a policy from the command line
on a machine, I received the "unable to connect". I did as Patrik did and
verified connectivity (jamf checkJSSConnectivity) and was even able to run
a recon. However any attempt to cache a policy did not work.

I then tried using Casper Remote from the machine, and it too was failing. I went into the preferences for Casper Remote and checked the "Allow
Invalid Certificate" and everything started working fine.

I'm not certain that should be the proper fix, but that's what worked for
me.

Anyone else?

Steve

Not applicable

Well, the "workaround" so far is to not use autorun (ouch).
JAMF support has assured me that the issue will be fixed in the next release.

//P

On 9 Dec 2011 at 16:12, James Fuller wrote: