External JSS Enrol Errors

jonnydford
Contributor II

Hey guys,

Little bit stuck with where to go next with our external JSS and not being able to enrol from it.

Downloading required CA Certificate(s)...
 verbose: Successfully downloaded the certificate "JSS Built-in Certificate Authority".
 verbose: Successfully added the certificates to the System keychain...
 verbose: Unable to find a JAMF Device Identity in the JAMF Keychain.
 verbose: Unable to find a JAMF Device Identity in the JAMF Keychain.
 verbose: Error submitting enrollment status to the JSS: Security Error - A security error has occurred.

There was an error.

     Error enrolling computer: Connection failure: "The request timed out."

Anyone else seen these messages?

11 REPLIES 11

tron_jones
Release Candidate Programs Tester

Is your time correct? Also do you have the JAMF keychain in /Library/Application Support/JAMF/JAMF.keychain.

Check this discussion out, helped fix mine a while back.

MAD0oM
Contributor

@jonnydford Certainly could be time. If not.. could be a port not opened? externally for your internal JSS?

jonnydford
Contributor II

Time is correct (it happens on all macs I try).

The JAMF.Keychain gets added around the same time as the 'verbose: Unable to find a JAMF Device Identity in the JAMF Keychain.' error.

Testing the same method internally gives the same JAMF Keychain error, but then goes on to enrol using the device certificate.

The two things I can think of: 1 - It's not pulling down a correct certificate/corrupt JAMF Keychain.
2 - There's a port that's blocking it externally.

bentoms
Honored Contributor III
Honored Contributor III

@jonnydford I'd speak to JAMF & double check that all prerequisites for an external JSS have been met (ports etc to internal).

It kind of sounds like the SCEP enrolment part is failing.

lisacherie
Contributor II

Had the same error - latency between JSS Webapp hosts and the database. (hosts in data centers on opposite coasts).

Not sure your infrastructure - test out enrollment to specific webapp hosts:

sudo jamf enroll -prompt -overrideJSS https://yourjsshost1:8443 -verbose
sudo jamf enroll -prompt -overrideJSS https://yourjsshost2:8443 -verbose

Also check recon to the hosts after enrolled via the internal host- you might see recons and checkins successful, however enrollment failing (which will help you confirm ports are open).

sudo jamf recon -overrideJSS https://yourjss:8443 -verbose

@keaton helped us with this problem.

davidacland
Honored Contributor II
Honored Contributor II

Sounds like SCEP enrollment to me which I think is port 1640 inbound to the server.

andyinindy
Contributor II

Not sure if this is applicable in your situation, but we were having the same issue with enrollments timing out, and it was because of database issues (table locks). Adding the following to the my.cnf fixed it:

optimizer_search_depth = 3

Is your database using MyISAM or Innodb?

lisacherie
Contributor II

Database is using innodb, switched over from MyISAM some time ago and saw improved performance.

lisacherie
Contributor II

I'm pretty sure the default port for SCEP enrollment is also 8443 for Casper, however Apple uses 1640 for Profile Manager.

Though happy to learn something new if I'm wrong.

davidacland
Honored Contributor II
Honored Contributor II

@lisacherie quite possible that I'm getting the two mixed up! If it's easy for you to do it could be worth ruling it out I guess.

jonnydford
Contributor II

Thanks guys.

I did some testing last night and copied the TomcatSSLKeystore file from my internal to my external JSS and tested enrolling.

While the QuickAdd package doesn't work still, doing a jamf enroll -prompt does. It does take a lot longer than if I were to enrol internally.

I wonder if it's just a time out problem whereby it's not finished sending all of the information in 60 seconds now. Any way to up the timeout limit?

@lisacherie Thanks, I'll try an enrol to a specific box to see if that gives us any more information.