HTTPS Distribution Question

Kaltsas
Contributor III

You'll have to forgive me if this is a bonehead question; I'm new to the Casper Suite and I'm trying to get the master Distribution Point set up with HTTPS. I believe I have the share set up correctly as far as I know, but I'm getting the following error when trying to deploy a package via policy.

Executing Policy Install XXXX...
[STEP 1 of 2]
Downloading XXXX.pkg...
This package is a PKG or an MPKG, and the index.bom file is not found. Attempting to open the package as a flat package...
Downloading https://xxxx.xxxx.edu/CasperShare/Packages/XXXX.pkg...
Error: Could not connect to the HTTP server to download XXXX.pkg

I'm running a Windows 2008 VM.

I have the share set up, SSL set up (self-signed certificate), and the casperinstall and casperadmin users set up and configured within the Distribution Point on the JSS.

However, on the client machine, if I navigate to the link the client should be requesting the file from (https://xxxx.xxxx.edu/CasperShare/Packages/XXXX.pkg), I am able to authenticate with the read-only casperinstall credentials and download the file with no trouble.

I'm sure this is a simple fix but after poking around for a couple hours I'm at a loss as to where the hangup is.

Thanks,

-alex-

6 REPLIES

lindell
New Contributor

Do you have HTTPS and 443 configured for that distribution point in the JSS? That would be the first thing to check.

Kaltsas
Contributor III

Yes,

Use HTTP downloads
Use SSL

both checked, port 443.

I suppose I should fall back to HTTP on 80 to see if this is a cert thing, since the share itself seems to be configured correctly.

Kaltsas
Contributor III

Which took about 10 seconds to verify. If I switch back to HTTP on 80 the policy goes off without a hitch.

I'm using a self-signed cert; perhaps that's the issue. I'm a bit muddled on how the whole trust thing works in this arrangement.

ernstcs
Contributor III

You didn't mention which version of the JSS you're on.

My guess is your clients won't authenticate properly for HTTPS unless you have a certificate in place that is trusted.

Another easy test for this, I believe: if you are able to connect to your JSS using Casper Admin or Casper Remote without the "Allow invalid certificate" box checked at startup, then proper certificates are in place, assuming you're working from a managed system.

If you need to force that box to come up while launching either application, press the option button as well to clear your preferences.

Might want to have a read through of this thread as well, @Kaltsas

https://jamfnation.jamfsoftware.com/article.html?id=115

spowell01
Contributor

There's a bug in 9.2 that we found. The response from our rep is below... no external access to our JSS until they can get their stuff straightened out.

Thanks for the update and additional info. I did a bit more research based on the items you mentioned. Unfortunately, this seems to be a bug: D-005455. Here are some more details:

Steps to Reproduce:
1. Set up an HTTP or HTTPS distribution point that requires authentication to access
2. Add the distribution point to the JSS
3. Enable HTTP or HTTPS, and give it an authentication type of "Username or Password"
4. Enter in credentials that have access to the distribution point set up in step 1
5. Create a policy to install a package from the DP
6. Run the policy on a client

Expected Results:
The policy installs the package successfully.

Actual Results:
The policy fails to download the package and returns the error "Could not connect to the HTTP server to download <package name>."

Additional Details:
Works every time when the DP is non-authenticated.

jnice22
New Contributor II

I know this is an old discussion but I wanted to throw my 2 cents in. I just had the same issue and wanted to give some insight on how to troubleshoot.

If you are using a distribution point and downloading via HTTPS with a self-signed cert, it will not work unless the self-signed cert has been added to the trusted roots on the client.

An easy way to test is to use curl on the client system.
1. If you are using the password prompt option, disable this. Re-enable after we make sure we are able to download via HTTPS.
2. Go to the DP website on the client using Safari and attempt to download the file using the user's account. You will be notified that the cert is not trusted. Trust the cert. This should download the file. If it does not, you have another issue.
3. We now know you are able to download the file if the cert is trusted. Now try the same thing from Terminal: curl -O https://yourdp.something.com/dp/somefile.pkg (this should work because it will pull the trusted cert from the user's keychain). Here is where things get more interesting. The JSS will use the root account to do this. The root account will check the system keychain for the trusted certs. It will not exist here because it is self-signed. You can either get a signed cert or you can add it.
4. Check to see if you can do the same thing as root: "sudo curl -O https://yourdp.corp.something.com/dp/somefile.pkg". You will probably receive an error regarding the trust chain.
5. To resolve this you will need to add your cert into the system keychain (not best practice, but this will resolve the issue). Open Keychain; under login you should see the cert you trusted when you initially went to the site using Safari. Export this cert to someplace handy.
6. Back in Terminal, run the following command: sudo security add-trusted-cert -d -r trustRoot -k "/Library/Keychains/System.keychain" "/path/to/your/servername.cer"

You now have a trusted cert. Try to do the install again from the JSS. If this works, re-enable the login and try again.

Hope this helps.
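
Added example, not part of any post above: a shell sketch of the root-context curl test from the last reply, extended with a fingerprint check so the exported certificate is compared against a value obtained from the server administrator before the add-trusted-cert step is run. The function names, the script name and the idea of an out-of-band fingerprint are assumptions of this example; the exit-code meanings are curl's documented ones.

```shell
#!/bin/sh
# Added example: function names and arguments are hypothetical, not Casper/JSS tooling.

# Map curl's exit status to the cause that matters in this thread.
explain_curl_rc() {
    case "$1" in
        0)  echo "ok" ;;
        6)  echo "dns_failure" ;;
        7)  echo "connect_failure" ;;
        28) echo "timeout" ;;
        35) echo "tls_handshake_failure" ;;
        60) echo "untrusted_certificate" ;;   # cert not verifiable against trusted roots
        *)  echo "other_curl_error_$1" ;;
    esac
}

# Strip separators and whitespace, upper-case the hex, so fingerprints compare equal.
normalize_fp() {
    printf '%s' "$1" | tr -d ': \n' | tr 'abcdef' 'ABCDEF'
}

# SHA-256 fingerprint of a certificate file (tries DER first, then PEM).
cert_fp() {
    out=$(openssl x509 -inform DER -in "$1" -noout -fingerprint -sha256 2>/dev/null) ||
    out=$(openssl x509 -in "$1" -noout -fingerprint -sha256) || return 1
    normalize_fp "${out#*=}"
}

# TLS-only probe: sends no credentials; an HTTP 401 still means the handshake passed.
probe_tls() {
    rc=0
    curl --silent --head --output /dev/null --max-time 15 "$1" || rc=$?
    explain_curl_rc "$rc"
}

main() {
    url=$1 cert=$2 expected_fp=$3
    result=$(probe_tls "$url")
    echo "TLS probe as $(id -un): $result"
    [ "$result" = "untrusted_certificate" ] || return 0
    if [ "$(cert_fp "$cert")" = "$(normalize_fp "$expected_fp")" ]; then
        echo "Fingerprint matches the out-of-band value; $cert is the expected certificate"
    else
        echo "Fingerprint MISMATCH: do not add $cert to the System keychain" >&2
        return 1
    fi
}

# Usage: sudo sh check_dp.sh <url> <exported.cer> <sha256 fingerprint from the server admin>
if [ "$#" -eq 3 ]; then main "$@"; fi
```

Run it once as the logged-in user and once under sudo: a result of "ok" for the user and "untrusted_certificate" for root reproduces the difference between the user and system trust stores described in the reply.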