Child JDS Instances not able to replicate when new packages are uploaded

mmazzamuto
New Contributor II

Hi,

I'm having an issue with JDS whereby it will not copy new packages across all JDS DPs.

I have tried lots of things:
- checked connectivity between JSS and the JDS
- checked connectivity between master JDS and a child JDS
- checked DNS wasn't an issue
- Ran inventory on each JDS
- Restarted the JDS instances
- Changing master distribution point and uploading to that.
- Restarted the Tomcat service for the JSS in case there was anything on that side.

I can see that existing packages are replicating fine because I have a test JDS server that I can use to select specific packages, which works. The problem is uploading new packages.

See the screenshot of the JDS dashboard. The package is visible to the servers but nothing is happening.

Please help!

1 ACCEPTED SOLUTION

mmazzamuto
New Contributor II

OK, so after a bit more investigation I have fixed the issue.

On the affected parent server of a child that isn't replicating, I first reinstalled the ca-certificates package..

sudo apt-get install --reinstall ca-certificates

Then re-enrolled the jds into jss..

sudo jamfds enroll

Then on the child, I ran inventory to see if this has worked...

sudo jamfds inventory

6 REPLIES

al_platt
Contributor II

We used to get this a lot. Usually a reboot or a re-enrol of the JDS would fix it.

Eventually we gave up and built some Linux boxes running Apache to use for HTTPS. Rsync from the master DP and you're good to go.

jordy_witteman
New Contributor III

We had a similar issue with stuck progress bars between two Ubuntu 14.04 servers refusing to replicate because of a TLS handshake error. We got it working by adding 'SSLInsecureRenegotiation on' in /etc/apache2/sites-enabled/jds.conf on the master JDS. Hope it helps!

rdwhitt
Contributor II

Are these Mac or Linux JDSs?
What version of the JSS?
On one of the child JDS boxes, what is the output of the jamf.log when it attempts to replicate the file?

mmazzamuto
New Contributor II

Hi all, I tried 'SSLInsecureRenegotiation on' in jds.conf and a re-enroll. Both don't work.

This is a common entry in the logs:

2017-06-09 09:10:06,829 ERROR (60, 'server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none')

I've tried to update the ca-certificates package but it's on the latest version.

Also tried 'update-ca-certificates' to make sure trusted CAs were up-to-date.

This also happens on a couple of other instances, meaning I make them parent of certain child nodes and it does the same thing. Not sure what would have brought this on as this was working perfectly well around a week and a half ago when I last uploaded packages. There have not been software updates run on these servers that could have affected this.

jrippy
Contributor II

I know this question has been answered but if you run into a similar issue on macOS Server after a Server.app 5.2 upgrade, here's the fix.
This is for the MASTER JDS only. The Child JDS nodes will always try to replicate over TLSv1 (for now) but can't connect due to the following changes on the MASTER.

First stop the web server either by the GUI or

sudo serveradmin stop web

Then proceed to modify the apache conf (using vim but anything will work, nano, emacs, etc.)

vim /Library/Server/Web/Config/apache2/sites/0000_127.0.0.1_34543_.conf

Make sure you still have a JDS section denoted by

# vvvJDSvvv
...
# ^^^JDS^^^

I found the Server.app upgrade removed the Include line:

Include /Library/JDS/conf/apache_aliases.conf

It also switched all the SSL and Proxy protocols to using only TLSv1.2.
Find those and add TLS 1 and 1.1.
The lines will look something like the following and there may be multiple lines to change.

SSLProtocol -all +TLSv1.2
SSLProxyProtocol -all +TLSv1.2

change to

SSLProtocol -all +TLSv1 +TLSv1.1 +TLSv1.2
SSLProxyProtocol -all +TLSv1 +TLSv1.1 +TLSv1.2

Finally, restart the web app again either by the GUI or

sudo serveradmin start web

Hope that helps.
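
The checks described in the post above, as an added example that is not part of the original post: a read-only shell function that reports a missing JDS marker, a missing Include line, or an SSLProtocol/SSLProxyProtocol line that leaves TLSv1 disabled. The function name audit_jds_conf and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example: report what the Server.app upgrade changed in a JDS Apache
# site config. Prints one finding per line; prints nothing when both JDS
# markers, the Include line and TLSv1 on every SSL*Protocol line are present.
audit_jds_conf() {
    conf=$1
    # The JDS block is delimited by these two marker comments.
    grep -qF '# vvvJDSvvv' "$conf" || echo "missing marker: # vvvJDSvvv"
    grep -qF '# ^^^JDS^^^' "$conf" || echo "missing marker: # ^^^JDS^^^"
    # The Include line the upgrade was seen to remove.
    grep -Eq '^[[:space:]]*Include[[:space:]]+/Library/JDS/conf/apache_aliases\.conf[[:space:]]*$' "$conf" ||
        echo "missing: Include /Library/JDS/conf/apache_aliases.conf"
    # Apply each protocol token left to right and track whether TLSv1 ends
    # up enabled: "-x" removes, "+x" adds, a bare name replaces the set.
    awk '
        tolower($1) ~ /^ssl(proxy)?protocol$/ {
            tls1 = 0
            for (i = 2; i <= NF; i++) {
                tok = tolower($i); sign = substr(tok, 1, 1)
                if (sign == "+" || sign == "-") tok = substr(tok, 2); else sign = ""
                hit = (tok == "tlsv1" || tok == "all")
                if (sign == "") tls1 = hit
                else if (hit) tls1 = (sign == "+")
            }
            if (!tls1) printf "line %d: %s does not enable TLSv1\n", NR, $1
        }' "$conf"
}

# Constructed sample of a post-upgrade config (not a real Server.app file).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# vvvJDSvvv
SSLProtocol -all +TLSv1.2
SSLProxyProtocol -all +TLSv1 +TLSv1.1 +TLSv1.2
# ^^^JDS^^^
EOF
audit_jds_conf "$sample"
rm -f "$sample"
```

Run it against the site config before restarting the web service; an empty result means the three conditions from the post are all met.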