Skip to main content
Question

Certificate problem?

  • November 24, 2011
  • 3 replies
  • 26 views
A
  • Anonymous

So, our brand new JSS has been blessed with a proper certificate from Terena.
Since Terena is an intermediate, I had to import the certificate chain in the Tomcat configuration.
There is no problem connecting to the JSS via for example Safari, it is content with the chain supplied.

What seems to be the problem is that the jamf binary does not fully like a certificate chain.
Trying
jamf checkJSSConnectivity
on a client gives a green light and I can do a recon fine, but it refuses to get any polices with the error "could not connect to the JSS".

Am I barking up the wrong tree or has anybody else seen this?

I am thinking about maybe one thing I could have done differently;
when importing the certificates in the keystore, I imported the certificate and the chain, not the individual certificates in the chain (to the root keystore).
From what I've gathered in the jungle called certificates, the chain is just one file containing all the certs needed.

When doing a tcpdump on the client I can tell that the chain is supplied to the client, but it seems like it doesn't like it.

Patrik Sonestad
sysadm Lund university

    3 replies

    J
    Forum|alt.badge.img+9
    • jafuller
    • Contributor
    • December 9, 2011

    Patrik,
    I believe I'm running into this type of issue as well. Can you explain
    more about what you found to be the issue and how you resolved it?
    -- James Fuller | Starbucks

    stevewood
    Forum|alt.badge.img+38
    • stevewood
    • Hall of Fame
    • December 9, 2011

    +1 here
    On Fri, Dec 9, 2011 at 9:12 AM, James Fuller <JaFuller at starbucks.com> wrote:

    Just installed a valid cert from RapidSSL on our JSS. The cert works fine
    for web traffic, yet when I tried to cache a policy from the command line
    on a machine, I received the "unable to connect". I did as Patrik did and
    verified connectivity (jamf checkJSSConnectivity) and was even able to run
    a recon. However any attempt to cache a policy did not work.

    I then tried using Casper Remote from the machine, and it too was failing. I went into the preferences for Casper Remote and checked the "Allow
    Invalid Certificate" and everything started working fine.

    I'm not certain that should be the proper fix, but that's what worked for
    me.

    Any one else?

    Steve

    A
    • Anonymous
    • December 9, 2011

    Well, the "workaround" so far is to not use autorun (ouch).
    JAMF support has assured me that the issue will be fixed in the next release.

    //P

    9 dec 2011 kl. 16:12 skrev James Fuller:

    Terms & ConditionsCookie settingsAccessibility statement