Jamf Nation Community

Hello, we recently switched all of our global DPs to use HTTPs. However I've been observing some "odd" behavior. I developed a script to test each server by curling a test package and checksuming it for each result. The first time I run this script almost all servers fail to even download the package. If a wait a few seconds and rerun the script, all servers succeed. If I keep running the script I will get 100% success. If I wait a few hours or try again the next morning, the servers once agail fail the first time, then work each time there after. The specific error returned by cURL is "HTTP/1.1 500 Internal Server Error" I've pasted in the long error below. I'm worried this issue is causing policy deployment to fail in my environment.

I've been asking around to see if there is anything that may interfere with https in my corporate environment (caching/IPS/IDS/deep packet inspection/proxy etc...), however I've not found anything useful.
Does anyone know of any tests I can run to check https download availability/integrity in a corporate environment?

Thank you!

Long Error (server name/Ip changed to generic values):

*************************************************************************************
Thu Jun 26 09:58:11 PDT 2014
Strict cURL on
* Adding handle: conn: 0x7fd450807a00
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 0 (0x7fd450807a00) send_pipe: 1, recv_pipe: 0
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0* About to connect() to servertest1.company.com port 443 (#0)
*   Trying 10.xx.xx.xx...
* Connected to servertest1.company.com (10.xx.xx.xx) port 443 (#0)
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0* TLS 1.0 connection using TLS_RSA_WITH_AES_128_CBC_SHA
* Server certificate: servertest1.company.com
* Server certificate: Company JSS Built-in Certificate Authority
* Server auth using Basic with user 'casper.read.account'
> GET /CasperShare/Packages/test.pkg HTTP/1.1
> Authorization: Basic QS5DYXNwZXIuU1dELlQ3...Iu
> User-Agent: curl/7.30.0
> Host: servertest1.company.com
> Accept: */*
> 
< HTTP/1.1 500 Internal Server Error
< Content-Type: text/html
* Server Microsoft-IIS/7.5 is not blacklisted
< Server: Microsoft-IIS/7.5
< X-Powered-By: ASP.NET
< Date: Thu, 26 Jun 2014 16:58:13 GMT
< Content-Length: 1208
< 
{ [data not shown]
100  1208  100  1208    0     0   1121      0  0:00:01  0:00:01 --:--:--  1120
* Connection #0 to host servertest1.company.com left intact
servertest1.company.com FAILED!!! error: 0

Long success: (server name/Ip changed to generic values, same server as above):

*************************************************************************************
Thu Jun 26 10:00:29 PDT 2014
Strict cURL on
* Adding handle: conn: 0x7fd9b181be00
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 0 (0x7fd9b181be00) send_pipe: 1, recv_pipe: 0
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0* About to connect() to servertest1.company.com port 443 (#0)
*   Trying 10.xx.xx.xx...
* Connected to servertest1.company.com (10.xx.xx.xx) port 443 (#0)
* TLS 1.0 connection using TLS_RSA_WITH_AES_128_CBC_SHA
* Server certificate: servertest1.company.com
* Server certificate: Company JSS Built-in Certificate Authority
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0* Server auth using Basic with user 'casper.read.account'
> GET /CasperShare/Packages/test.pkg HTTP/1.1
> Authorization: Basic QS5DYXNwZX...vUEQ3
> User-Agent: curl/7.30.0
> Host: servertest1.company.com
> Accept: */*
> 
< HTTP/1.1 200 OK
< Content-Type: application/octet-stream
< Last-Modified: Wed, 18 Dec 2013 18:45:58 GMT
< Accept-Ranges: bytes
< ETag: "0f7de6321fcce1:0"
* Server Microsoft-IIS/7.5 is not blacklisted
< Server: Microsoft-IIS/7.5
< X-Powered-By: ASP.NET
< Date: Thu, 26 Jun 2014 17:00:31 GMT
< Content-Length: 3292
< 
{ [data not shown]
100  3292  100  3292    0     0   2627      0  0:00:01  0:00:01 --:--:--  2629
* Connection #0 to host servertest1.company.com left intact
success: servertest1.company.com

for reference here is a "clean" version of my test script:

#!/bin/bash
declare -x list='testserver1.company.com
testserver3.company.com
testserver3.company.com'

declare -x success=0
declare -x fail=0

declare -x failedServers=""
declare -x successServers=""

#printf "Enter the name of the account to test:
"
#read user

#printf "Enter account password:
"
#read -s password

declare -x user='casper.read.olny.account'
declare -x password='super_secure_passw0rd'
declare -x testPackage='test.pkg'
declare -x packageHash="703dc62aea1c0f7c1bf89a09f31021b0"

#calculate hash by running bash3.2# md5 test.pkg

path="$(cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd)"
echo "current working directory: $path"

for i in $list; do

    echo "*************************************************************************************"
    date
    #echo "Strict cURL off"
    #curl -vvv -u "$user":"$password" -k -o $path/test.pkg https://"$i"/CasperShare/Packages/"$testPackage"
    echo "Strict cURL on"
    curl -vvv -u "$user":"$password" -o $path/test.pkg https://"$i"/CasperShare/Packages/"$testPackage"
    declare -x exitCode="$?"
    if [[ "$exitCode" == "0" ]] && [ -e "$path/test.pkg" ] && [[ "$(md5 -q $path/test.pkg)" == "$hash" ]]; then
        echo "success: $i"
        declare -x successServers="$successServers,$i"
    else
        echo "$i FAILED!!! error: $exitCode"
        declare -x failedServers="$failedServers,$i"
    fi
    rm $path/test.pkg

done


echo "Successful servers:"
echo "$successServers"

echo ""
echo ""

echo "Failed Servers"
echo "$failedServers"

exit