GSX Certificate Renewal - 'Test Connection' returns Successful, but doesn't find devices

jkf
New Contributor III

We've just completed our annual Apple GSX Certificate renewal.

We got the new cert, converted it to a .p12, imported into Jamf, clicked 'Test', and got the 'A connection to the GSX Server was successful' result.

When we run the GSX Lookup on all devices, though, 100% of our inventory returns as "Serial Numbers Not Found"

This worked 2hrs ago on the old cert, so it seems to be a break between the cert and our GSX account.

I'm trying to work this with Apple, but getting to anyone with GSX knowledge is pretty difficult.

Apple's cert renewal instructions here: ( https://gsxapiut.apple.com/apidocs/ut/html/WSFaq.html ) have been wrong for 2+ years:
"...

The FQDN is a very important field and it's case sensitive. Please be sure to provide the following value for this field:
For test environment CSR : Applecare-APP157-[SoldTo ID].Test.apple.com
For production environment CSR : Applecare-APP157-[SoldTo ID].Prod.apple.com

For example, if your soldTo is 0000012345, the value should be Applecare-APP157-0000012345.Test.apple.com for test
and Applecare-APP157-0000012345.Prod.apple.com for production.
The leading zeros are important and the soldTo should always be 10 digits."

per the Apple Renewal Engineer who emailed me this year (and also last year):

Checking that CSR it appears to have our legacy formatting for Common Name. Please create a new CSR and ensure the Common name is:

AppleCare-Partner-0000623133.Prod.apple.com


...so I'm hesitant to trust this process from Apple's end. I'll probably just attempt another renewal from scratch, but first wanted to see if anyone had seen this issue?

1 ACCEPTED SOLUTION

jkf
New Contributor III

@alexloew, I finally heard back from Jamf Support after 5 days: this is related to a recent GSX API change.

Per my Jamf Support contact:
- Upgrading to 10.34.6 or newer will fix the issue.
- This was announced from Jamf in the 10.36 release notes here, but nowhere else (image of relevant section follows). I suggested, and she acknowledged, that as a known issue this could be better documented.

Screen_Shot_2022-04-11_at_10_17_57_AM.png


Scheduling our upgrade now, but I'll assume this fixes it, and will update this post if that's not the case.


7 REPLIES 7

alexloew
New Contributor II

Yup also running into this exact issue, wish I had a solution 😞


MrChris
New Contributor II

Two and a half months later - has anyone been able to identify the cause of this issue/problem - or were you able to get it resolved via the upgrade to 10.34.6 or later?

I'm having the same issue at this time -- GSX connection shows green and passes its test - but any attempt to pull purchasing information/device information results in all devices appearing in the 'Serial Number Not Found' tab.

The certificate was just configured in mid-May; and review shows it's formatted correctly (based on your shared info from the Apple Engineer who assisted you). Any thoughts?

jkf
New Contributor III

Hey @MrChris - our upgrade fixed the issue right away!

MrChris
New Contributor II

Sadly - our upgrade to latest release last week did not resolve the error/problem. We went from 10.31.x to 10.39.1.

At this stage - I'm just trying to confirm the FQDN within the SSL is in the correct format - as it's listed differently within the GSX documentation and JSS documentation:

<AppleCare-Partner-XXXXXXXXXX.Prod.apple.com> where XXXXXXX is the company's or organization's Apple-assigned sold to number, including leading zeros (GSX)

and

<AppleCare-APP157-[Soldto number].Prod.apple.com> (Jamf Nation/JSS Support).

jkf
New Contributor III

@MrChris - These are the pasted instructions from our internal KB, which worked for me earlier this year.

FQDN: Apple is very specific about the Fully Qualified Name for the certificate, and the instructions on their site are incorrect.

As of March 2020, you should use the following:

AppleCare-Partner-0000123456.Prod.apple.com    (where '123456' is the company's Apple-assigned "sold to" number)


(for reference, the incorrect format still shown on Apple's website in 2022 is: || Applecare-APP157-[SoldTo ID].Prod.apple.com || ← don't use this format )
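
An added example, not part of the original posts and not Apple's or Jamf's tooling: a shell helper that builds the Common Name in the format quoted above, zero-padding the Sold-To ID to 10 digits, and classifies an existing CN as current, legacy (APP157) or invalid before a CSR is submitted. The function names are hypothetical, only the production (`.Prod`) form shown in this thread is handled, and `gsx_new_csr` sets nothing but the CN.

```shell
#!/bin/sh
# Added example: helpers for the GSX certificate Common Name discussed in this thread.
# Function names are hypothetical; the CN formats are the ones quoted in the posts.

# Build the CN from a Sold-To ID given with or without leading zeros.
gsx_cn() {
    soldto=$1
    case $soldto in
        ''|*[!0-9]*) echo "Sold-To must contain digits only" >&2; return 1 ;;
    esac
    [ "${#soldto}" -le 10 ] || { echo "Sold-To is longer than 10 digits" >&2; return 1; }
    # Pad as a string: printf '%010d' would parse a leading 0 as octal.
    while [ "${#soldto}" -lt 10 ]; do soldto="0$soldto"; done
    printf 'AppleCare-Partner-%s.Prod.apple.com\n' "$soldto"
}

# Classify a CN: "current", "legacy" (the APP157 form) or "invalid".
# Matching is case-sensitive, as the field itself is.
gsx_cn_classify() {
    d='[0-9]'
    ten="$d$d$d$d$d$d$d$d$d$d"
    case $1 in
        AppleCare-Partner-$ten.Prod.apple.com) echo current ;;
        [Aa]pple[Cc]are-APP157-*)              echo legacy ;;
        *)                                     echo invalid ;;
    esac
}

# Print the CN of an existing CSR file so it can be fed to gsx_cn_classify.
gsx_csr_cn() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253 |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Create a new key and CSR: $1 = Sold-To ID, $2 = key path, $3 = CSR path.
# Only the CN is set; add any other subject fields your renewal
# instructions ask for.
gsx_new_csr() {
    cn=$(gsx_cn "$1") || return 1
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$2" -out "$3" -subj "/CN=$cn"
}
```

Running `gsx_cn_classify "$(gsx_csr_cn request.csr)"` on a CSR before sending it shows whether it still carries the legacy name; `request.csr` is a placeholder path.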

MrChris
New Contributor II

Thanks @jkf - I've submitted for a new certificate from the GSX API folks using the 'AppleCare-Partner-0000123456.Prod.apple.com' formatting. 

 

When I get the response and upload - will hope that clears up the issue. Thanks for your time!