Changing SSL Cert Leads to 'Unable to Contact SCEP'

cbhsl
New Contributor II

hey guys,

I am new to the whole Casper/JSS side of things.
I was wondering if someone could answer me a simple question.

If I were to change the SSL certificate for our JSS server,
devices are unable to enrol; they proceed to show the following error in /var/log/jamf.log

-915 Unable to Contact SCEP

If I revert the certificate back to using the internal CA, it functions fine.
I know I am overlooking something, and my searching of the site doesn't yield much information.

Appreciate any help someone can give.

Regards,

Nathan


neilmartin83
Contributor II

I encountered this with @davidacland last week. The cause was in the certificate keystore (pfx) I was provided with; it didn't include the intermediate CA certificate that issued it (shown in the 'Issuer' field) which the JSS needs to present along with the server certificate itself in order for clients to trust it. Appending the intermediate certificate to the chain in the keystore, then re-importing the new keystore into Tomcat via the JSS solved it.

You can download the intermediate cert from your certificate's provider (DER format) - usually by Googling the Issuer CN in the cert you received from them.

Once downloaded, I used KeyStore Explorer to append it (I'm a sucker for a GUI): http://keystore-explorer.org/ - it's available on Windows and macOS. Open your keystore with it, right click the certificate and choose Edit Certificate Chain, Append Certificate and choose the intermediate CA cert you just downloaded.

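A way to check for exactly the condition Neil describes before importing a keystore into Tomcat. This is an added example, not code from the thread or from Jamf: given a PKCS#12 (.pfx) file and its password, it extracts the server certificate, then looks through any CA certificates bundled in the same file for one whose subject matches the server certificate's issuer (it also recognises a self-signed certificate, which needs no intermediate). The keystore path and password are arguments you supply.

```shell
#!/bin/sh
# Added example: does a PKCS#12 keystore carry the CA that issued the server cert?
# Usage: keystore_has_issuer keystore.pfx 'keystore-password'
# Returns 0 when the issuer (or a self-signed leaf) is found, 1 when it is missing,
# 2 when the keystore cannot be opened. Requires the openssl CLI.
keystore_has_issuer() {
    ks="$1"; pw="$2"
    tmp=$(mktemp -d) || return 2

    # The server (leaf) certificate is the one paired with the private key.
    openssl pkcs12 -in "$ks" -passin "pass:$pw" -nokeys -clcerts \
        -out "$tmp/leaf.pem" 2>/dev/null || { rm -rf "$tmp"; return 2; }
    # CA certificates bundled in the keystore, if any (the file may be empty).
    : > "$tmp/chain.pem"
    openssl pkcs12 -in "$ks" -passin "pass:$pw" -nokeys -cacerts \
        -out "$tmp/chain.pem" 2>/dev/null || true

    issuer=$(openssl x509 -in "$tmp/leaf.pem" -noout -issuer)
    want=$(openssl x509 -in "$tmp/leaf.pem" -noout -issuer_hash)
    self=$(openssl x509 -in "$tmp/leaf.pem" -noout -subject_hash)

    found=1
    if [ "$want" = "$self" ]; then
        found=0   # self-signed leaf: nothing to chain to
    else
        # Split the bundle into one file per certificate and compare name hashes,
        # which avoids differences in how openssl versions print DNs.
        awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/{n++; f=1}
            f{print > (d "/ca" n ".pem")}
            /-----END CERTIFICATE-----/{f=0}' "$tmp/chain.pem"
        for c in "$tmp"/ca*.pem; do
            [ -f "$c" ] || continue
            if [ "$(openssl x509 -in "$c" -noout -subject_hash)" = "$want" ]; then
                found=0; break
            fi
        done
    fi
    rm -rf "$tmp"

    if [ "$found" -eq 0 ]; then
        echo "OK: keystore includes the issuing CA ($issuer)"
    else
        echo "MISSING: no certificate for '$issuer' in keystore; append it before importing"
    fi
    return "$found"
}
```

Run it against the .pfx your provider sent; a MISSING verdict means Tomcat will serve the leaf without its intermediate, and clients that do not already hold that intermediate will refuse the connection.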

cbhsl
New Contributor II

Oh, wicked.

Thanks for that, will get it done in the next half an hour and report back!

Very much appreciated!

cbhsl
New Contributor II

@neil.martin83

I examined my certificate chain; it already includes the full intermediate chain.


neilmartin83
Contributor II

@cbhsl

Hm, so Tomcat should be presenting all of that to clients. What do you get if you point a web browser at your JSS URL? Does it prompt with trust issues?

The other thing we did as a troubleshooting step before we found the root cause (which I'm not sure was related or necessary now) was to replace the APNS certificate (delete it and request/install a new one). But be VERY careful, because if you do that, it means all your devices need to be enrolled into MDM again. This can be automated with Macs (watch out if you use a profile to configure Wi-Fi: if they're using that connection, it will drop when they re-enroll and the profile gets removed, then they can't pull down the new profile because there's no connection...), but iOS devices need to be re-enrolled by hand.

Wasn't a huge deal for us as we're only running Macs and were migrating to a new JSS (URL change) so were having to re-enroll them into MDM anyway.

cbhsl
New Contributor II

When I have the SSL cert installed, the devices do not have any trust issues.
The system only has 20 machines on it so far, as I have just rebuilt the entire infrastructure.

I will try the APNS certificate as well :)
Our Wi-Fi is handled by a third party (Aruba ClearPass).

Will try it and report back!

Thanks Neil.