Posted on 06-08-2017 03:01 AM
Hi,
I'm having an issue with JDS whereby it will not copy new packages across all JDS DPs.
I have tried lots of things:
- checked connectivity between JSS and the JDS
- checked connectivity between master JDS and a child JDS
- checked DNS wasn't an issue
- Ran inventory on each JDS
- Restarted the JDS instances
- Changing master distribution point and uploading to that.
- Restarted tomcat service for jss in case there was anything on that side.
I can see that existing packages are replicating fine because I have a test JDS server that I can use to select specific packages, which works. The problem is uploading new packages.
See the screenshot of the JDS dashboard. The package is visible to the servers but nothing is happening.
Please help!
Posted on 06-08-2017 05:37 AM
We used to get this a lot. Usually a reboot or a re-enrol of the JDS would fix it.
Eventually we gave up and built some Linux boxes running Apache to use for HTTPS. Rsync from the master DP and you're good to go.
Posted on 06-08-2017 05:54 AM
We had a similar issue with stuck progress bars between two Ubuntu 14.04 servers refusing to replicate because of a TLS handshake error. We got it working by adding 'SSLInsecureRenegotiation on' in /etc/apache2/sites-enabled/jds.conf on the master JDS. Hope it helps!
Posted on 06-08-2017 07:15 AM
Are these Mac or Linux JDSs?
What version of the JSS?
On one of the child JDS boxes, what is the output of the jamf.log when it attempts to replicate the file?
Posted on 06-09-2017 01:54 AM
Hi all, I tried 'SSLInsecureRenegotiation on' in jds.conf and a re-enroll. Both don't work.
This is a common entry in the logs:
2017-06-09 09:10:06,829 ERROR (60, 'server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none')
I've tried to update the ca-certificates package but it's on the latest version.
Also tried 'update-ca-certificates' to make sure trusted CAs were up-to-date.
This also happens on a couple of other instances, meaning I make them parent of certain child nodes and it does the same thing. Not sure what would have brought this on as this was working perfectly well around a week and a half ago when I last uploaded packages. There have not been software updates run on these servers that could have affected this.
Posted on 06-09-2017 02:56 AM
OK, so after a bit more investigation I have fixed the issue.
On the affected parent server of a child that isn't replicating, I first reinstalled the ca-certificates package:
sudo apt-get install --reinstall ca-certificates
Then re-enrolled the JDS into the JSS:
sudo jamfds enroll
Then on the child, I ran inventory to see if this has worked:
sudo jamfds inventory
Posted on 06-09-2017 02:02 PM
I know this question has been answered but if you run into a similar issue on macOS Server after a Server.app 5.2 upgrade, here's the fix.
This is for the MASTER JDS only. The Child JDS nodes will always try to replicate over TLSv1 (for now) but can't connect due to the following changes on the MASTER.
First stop the web server either by the GUI or
sudo serveradmin stop web
Then proceed to modify the apache conf (using vim but anything will work, nano, emacs, etc.)
vim /Library/Server/Web/Config/apache2/sites/0000_127.0.0.1_34543_.conf
Make sure you still have a JDS section denoted by
# vvvJDSvvv
...
# ^^^JDS^^^
I found the Server.app upgrade removed the Include line:
Include /Library/JDS/conf/apache_aliases.conf
It also switched all the SSL and Proxy protocols to using only TLSv1.2
Find those and add TLS 1 and 1.1.
The lines will look something like the following and there may be multiple lines to change.
SSLProtocol -all +TLSv1.2
SSLProxyProtocol -all +TLSv1.2
Change to:
SSLProtocol -all +TLSv1 +TLSv1.1 +TLSv1.2
SSLProxyProtocol -all +TLSv1 +TLSv1.1 +TLSv1.2
Finally, restart the web app again either by the GUI or
sudo serveradmin start web
Hope that helps.
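An added example, not part of any post in this thread: a small audit that reports where the workarounds discussed above (TLS 1.0/1.1 in SSLProtocol or SSLProxyProtocol, SSLInsecureRenegotiation on) are active in an Apache conf, and whether the JDS section still has its Include line. The names `audit_conf` and `enabled_protocols` are hypothetical, the sample conf is constructed, and the expansion of `all` is a simplification of what mod_ssl does.

```python
# Constructed sample: a vhost file carrying the thread's edits, JDS Include commented out.
SAMPLE_CONF = """\
SSLProtocol -all +TLSv1 +TLSv1.1 +TLSv1.2
SSLProxyProtocol -all +TLSv1.2
SSLInsecureRenegotiation on
# vvvJDSvvv
# Include /Library/JDS/conf/apache_aliases.conf
# ^^^JDS^^^
"""

ALL = {"sslv3", "tlsv1", "tlsv1.1", "tlsv1.2", "tlsv1.3"}  # simplified meaning of "all"
LEGACY = {"sslv3", "tlsv1", "tlsv1.1"}
JDS_INCLUDE = "/Library/JDS/conf/apache_aliases.conf"

def enabled_protocols(args):
    """Apply +proto / -proto / all tokens left to right."""
    enabled = set()
    for tok in args:
        sign, name = ("-", tok[1:]) if tok.startswith("-") else ("+", tok.lstrip("+"))
        protos = ALL if name.lower() == "all" else {name.lower()}
        enabled = enabled - protos if sign == "-" else enabled | protos
    return enabled

def audit_conf(text):
    """Return (line_number, finding) tuples; line 0 means a file-level finding."""
    findings, in_jds, saw_jds, include_ok = [], False, False, False
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if "vvvJDSvvv" in line:        # marker comments delimit the JDS section
            in_jds = saw_jds = True
        elif "^^^JDS^^^" in line:
            in_jds = False
        if not line or line.startswith("#"):
            continue                   # commented-out directives are inactive
        name, *args = line.split()
        if name.lower() in ("sslprotocol", "sslproxyprotocol"):
            legacy = sorted(enabled_protocols(args) & LEGACY)
            if legacy:
                findings.append((n, f"{name} enables legacy {', '.join(legacy)}"))
        elif name.lower() == "sslinsecurerenegotiation" and args and args[0].lower() == "on":
            findings.append((n, "SSLInsecureRenegotiation is on"))
        elif name.lower() == "include" and in_jds and JDS_INCLUDE in args:
            include_ok = True
    if saw_jds and not include_ok:
        findings.append((0, f"JDS section has no active Include {JDS_INCLUDE}"))
    return findings

if __name__ == "__main__":
    print(*audit_conf(SAMPLE_CONF), sep="\n")
```

Running it over each site conf after a Server.app or package upgrade gives an inventory of hosts that still carry these settings.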