Classic API problem uploading computer groups

grahamrpugh
Release Candidate Programs Tester

There is a product issue (PI-008770) affecting JSSImporter and any other API requests which upload computer groups on some Jamf Cloud instances. If you try to upload to an existing computer group via the Classic API (e.g. curl -X PUT), you may see a 502 error. The group may still appear in your instance after several minutes, but the error response breaks any automation workflows.

If you are encountering this issue, for example when using JSSImporter or any automation, PLEASE open a ticket with Jamf and quote the PI. Let’s get this solved!

This is the response when the error occurs:

curl -H "Content-type: application/xml" -H "Accept: application/xml" -k -v -u username https://jss.company.com:8443/JSSResource/computergroups/id/377 -T "/Users/user/Desktop/SmartGroupTemplate.xml" -X PUT
Enter host password for user 'username':
*  Trying 34.237.9.137...
* TCP_NODELAY set
* Connected to jss.company.com (34.237.9.137) port 8443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=jss.company.com
*  start date: Aug  8 00:00:00 2020 GMT
*  expire date: Sep  7 12:00:00 2021 GMT
*  issuer: C=US; O=Amazon; OU=Server CA 1B; CN=Amazon
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Server auth using Basic with user 'username'
* Using Stream ID: 1 (easy handle 0x7ff25700c400)
> PUT /JSSResource/computergroups/id/377 HTTP/2
> Host: jss.company.com:8443
> Authorization: Basic CODE
> User-Agent: curl/7.64.1
> Content-type: application/xml
> Accept: application/xml
> Content-Length: 641
>
* Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
* We are completely uploaded and fine
* http2 error: Invalid HTTP header field was received: frame type: 1, stream: 1, name: [upgrade], value: [h2,h2c]
* HTTP/2 stream 0 was not closed cleanly: PROTOCOL_ERROR (err 1)
* stopped the pause stream!
* Connection #0 to host jss.company.com left intact
curl: (92) HTTP/2 stream 0 was not closed cleanly: PROTOCOL_ERROR (err 1)
* Closing connection 0

If you enforce HTTP/1.1, we get:

< HTTP/1.1 502 Bad Gateway

Setting a longer timeout with curl has no effect.


tlarkin
Honored Contributor

We see this problem all the time since upgrading to 10.23. I just want to put this out there, that the API can never fail in any version of jamf. Integration and automation rely on the API always working. Please make this a critical blocker feature of jamf and if the API breaks it blocks the current build until fixed.

zachary_fisher
New Contributor III

Same here and am on RC of Jamf Cloud.

ThijsX
Valued Contributor

Same here on EU-Central-1.

grahamrpugh
Release Candidate Programs Tester

You may see this in the error if you are experiencing the problem:

Response Code: 502  Response: Please excuse the inconvenience. It appears your request has timed out. Please try again shortly.. Please contact us if you need immediate assistance or would like more information.

grahamrpugh
Release Candidate Programs Tester

I also have confirmed reports that this does not just affect cloud instances, but some on-premises instances too.

syncron
New Contributor II

Also running into this with several different customers.

el2493
Contributor III

I seem to get this when just creating a Smart User Group in the Jamf Cloud website (not using API). I can only see part of the error message because it's partially blocked by the left pane of the website, but it seems to be the same as what @grahamrpugh quoted. What I can read:

...rily Unavailable ...pears your request has timed out. Please try again shortly. ...re assistance or would like more information.