JAMF binary could not connect to the JSS because the web certificate is not trusted?

Poseiden951
Contributor

Hi JAMF Nation!

After using Casper Imaging, I run into a couple of issues.

1) The Mac's do not enroll into the JSS Take that back. It shows up in the JSS as unmanaged, that's about it.

Running sudo jamf policy manually in terminal gives this error: JSS Username: xxxx
JSS Password: xxxx (admin pass and username on JSS)
SSH Username:xxxx
SSH Password:xxx
Downloading required CA Certificate(s)...
2015-03-09 15:06:35.214 jamf[980:3523] NSURLConnection/CFURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9812)
2015-03-09 15:06:35.244 jamf[980:3523] NSURLConnection/CFURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9812)

There was an error.

Error enrolling computer: Unable to establish trust with the JSS - The jamf binary could not connect to the JSS because the web certificate is not trusted.

I even restarted the Tomcat and MySQL servers.

2) The management account doesn't show, but it shows in Casper Admin

3) Mac's do not bind to AD after imaging. We have the directory binding set in the JSS and it's the first thing after "Prepare First Run Script".

Any help would be greatly appreciated JAMF!

43 REPLIES 43

Poseiden951
Contributor

I think de-selecting

Click Computer Management.
In the "Computer Management - Management Framework" section, click Security.
Deselect the Enable SSL certificate verification checkbox.

Might have worked, I'll in the morning when I get to work.

rderewianko
Valued Contributor II

@Poseiden951 Does your JSS have a proper cert that hasn't expired? If you're unchecking that box, i'm more inclined to see it as a cert prob

Poseiden951
Contributor

@rderewianko

The tomcat cert? (which expires on 06/16/2015). I also haven't tested it out yet, I don't know if it has worked or not.

rderewianko
Valued Contributor II

when you go to the url of your server Https://<jss.company.com>:8443, the cert there.

The other thing that becomes problematic is if time is off.
- RD

Poseiden951
Contributor

@rderewianko

That cert is valid until June, unchecked everything in Security in the JSS. Still fails to recon or enroll.

rderewianko
Valued Contributor II

What happens when you try to manually enroll the machine through:
sudo jamf enroll -prompt

Poseiden951
Contributor

@rderewianko

This is what I get:

There was an error.

Error enrolling computer: Unable to establish trust with the JSS - The jamf binary could not connect to the JSS because the web certificate is not trusted.

rderewianko
Valued Contributor II

Do you have NTP on?

DraconicBlue
New Contributor III

We have been running into the same issue and, for us, it stems back to the following known defect:

[D-006627] When restarting a computer that has been imaged using Casper Imaging, the computer
fails to enroll if attempting to connect to the JSS via an Apple Thunderbolt to Ethernet Adapter.

All of our failures are related to imaging using the Thunderbolt to Ethernet adapters.

We have had to export a valid JSS cert and apply it to the System keychain on the system that is failing to connect.

Poseiden951
Contributor

I'm using regular old Ethernet Netbooting, I will trying exporting a cert to the machine. Thank you @JRossA

Poseiden951
Contributor

@rderewianko

Company has an NTP, but I can't get OS X to recognize it during imaging.

rderewianko
Valued Contributor II

@Poseiden951

From My Testing:

#!/bin/sh
uuid=`/usr/sbin/system_profiler SPHardwareDataType | grep "Hardware UUID" | cut -c22-57`
#set time based on location
systemsetup -setusingnetworktime off # this confirms that network time service is turned off while we edit it
systemsetup -setnetworktimeserver time.apple.com # this sets the time server


# enable location services
/bin/launchctl unload /System/Library/LaunchDaemons/com.apple.locationd.plist
/usr/bin/defaults write /var/db/locationd/Library/Preferences/ByHost/com.apple.locationd.$uuid LocationServicesEnabled -int 1
/usr/sbin/chown -R _locationd:_locationd /var/db/locationd
/bin/launchctl load /System/Library/LaunchDaemons/com.apple.locationd.plist

# set time zone automatically using current location 
/usr/bin/defaults write /Library/Preferences/com.apple.timezone.auto Active -bool true
/usr/sbin/systemsetup -setusingnetworktime on 
/usr/sbin/systemsetup -gettimezone
/usr/sbin/systemsetup -getnetworktimeserver
/usr/sbin/ntpdate -u time.apple.com

worked for me. (although I don't take credit for this)

jacopo_pulici
Contributor

Hi @Poseiden951 ,
I stumbled on the same issue as yours.
Have you managed to get it working?
Thanks

Jack

Poseiden
New Contributor III

@Jachk

It just went away a couple of weeks later, I don't know how. But I re-issued my Tomcat certificate, restarted my JSS box and recreated my images.

tcandela
Valued Contributor II

I upgraded my test JSS from 9.82 to 9.91 and ran casper imaging (9.81) on a computer afterwards, the image and applications, scripts all ran fine but the computer did not get enrolled, i get the 'JAMF binary could not connect to the JSS because the web certificate is not trusted'

everything was fine prior to the upgrade to 9.91. The certificate says its valid to 2017

what could be causing this?

mpermann
Valued Contributor II

@tcandela you should be using the same version of Casper Imaging as the version of the JSS. It's a bad idea to mix them.

tcandela
Valued Contributor II

I am using the same version now but do not understand why I am getting this

Downloading required CA Certificate(s)...
2016-04-21 20:41:55.315 jamf[1803:20712] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9813)
2016-04-21 20:41:55.333 jamf[1803:20712] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9813)

There was an error.

Error enrolling computer: Unable to establish trust with the JSS - The jamf binary could not connect to the JSS because the web certificate is not trusted.

i get this during casperimaging
and afterwards when running sudo jamf enroll -prompt

I check firefox from the JSS and the certificate is good until 2017

tcandela
Valued Contributor II

i look in the JSS's KEYCHAIN System --> Certificates and it has Casper.local - certificate - Feb 2017

tcandela
Valued Contributor II

from the OS X computer I was able to go to https://casper.local:8443/enroll and it downloaded the quickadd.pkg I then installed the .pkg and the computer enrolled.

still do not understand why i was getting this during casperimaging and from the jamf enroll -prompt

There was an error.

Error enrolling computer: Unable to establish trust with the JSS - The jamf binary could not connect to the JSS because the web certificate is not trusted.

tcandela
Valued Contributor II

unlike the first computer I was able to get a second computer enrolled via Casper Imaging. This time when Casper Imaging popped up i entered the JSS url and checked the box that said 'allow untrusted SSL Certificate'.

The first computer I do not remember if I got the prompt to enter JSS url or not.

bmccune
Release Candidate Programs Tester

Any update on this from Jamf?!?! We have been getting many reports lately from students/staff and we are thinking about turning off all of our policies that rely on Login/Logout hooks because of it's lack of reliability. We currently do our drive mapping via login scripts for our domain users. Our temporary solution has been creating a Self Service policy to allow users to map the drives if the login script failed to run. On a campus of around 150 machines, this has been happening multiple times every day. We'd hate to convert everything to launch daemons just to have the issue fixed in an upcoming JSS upgrade.

Thanks!

Steven_Xu
Contributor
Contributor

We have some Macs have the same issue, the web app works fine on Firefox, but not on Safari or Chrome, the browser show the certificate is not trusted, and when I run "jamf checkJSSconnection", it also show the certificate is not trusted.

It is wildcard certificate and issued by GoDaddy.

I tried re-enroll that mac with all method, and tried reset the keychain, but the issue is still there. I thought it might be related to the OS. the OS version was 10.11.4, so I installed all the updates related to Security and OS updates, the certificate still shows as not trusted in 10.11.6. Next, I downloaded the Sierra installer and upgrade the OS to Sierra(10.12.4), then I run the JSSconnection again, Wow, "the JSS is available.", and the certificate show trusted both in Safari and Chrome, everything works normal! I'm going to upgrade other macs which have the same issue to Sierra and see if that can fix it too.

Kyuubi
Contributor

I am getting this error as well on a newly imaged machine. Just updated to Casper 9.98. Machine won't enroll thru imaging or the terminal prompt. I've gone to Keychain Access and manually trusted the cert given by the JSS. Expiration date is 3/2018. Any ideas?

Sandy
Valued Contributor II

@Kyuubi

This might be helpful:

As of the Casper Suite v9.98, the Enabling SSL certificate verification checkbox has been changed to the SSL Certificate Verification pop-up menu with the options: "Always", "Always except during enrollment", and "Never". To configure SSL certificate verification, log in to the JSS with a web browser and in the top-right corner of the page, navigate to Settings > Computer Settings > Security.

If performing a fresh install of the Casper Suite v9.98 or later, the SSL Certificate Verification setting is set to "Always except during enrollment" by default.

If upgrading from the Casper Suite v9.97 or earlier to the Casper Suite v9.98 or later and you previously enabled SSL certificate verification, the setting is set to "Always" by default. If you did not enable SSL certificate verification before upgrading, the setting is set to "Always except during enrollment" by default.

https://www.jamf.com/jamf-nation/articles/455/change-to-the-ssl-certificate-verification-setting-in-the-casper-suite-v9-98-or-later

Kyuubi
Contributor

@Sandy

Thanks. Do you know if this requires a JSS restart? I've changed it to always but i'm still getting the error on my test machine.

Sandy
Valued Contributor II

I would try setting it to "Always except during enrollment" which is LESS restrictive than "Always"

I believe this does not require a restart.

sepiemoini
Contributor III
Contributor III

Hey all! I'm running into the same issues described above. I'm running 9.100.0-t1499435238 in my development Jamf Pro instance and run into the below error despite which method of enrollment I use (i.e. user-initiated web enrollment, QuickAdd package or sudo jamf enroll -prompt from the CLI).

There was an error. Error enrolling computer: Unable to establish trust with the JSS - The jamf binary could not connect to the JSS because the web certificate is not trusted.

I have also listed my Settings>Computer Management - Management Framework>Security settings for reference which were adjusted at one point. I haven't restarted the Tomcat service after these settings were modified but did manage to test using the three aforementioned enrollment methods, all of which reproduce the above error.

33c9dc2838254364b05c1d7ef9f942da

sepiemoini
Contributor III
Contributor III

UPDATE: I've rebuilt the SSL certificate to no avail. Here are the steps that I took.

From JSS Settings > Apache Tomcat Settings: 1. Click Edit. 2. Check "Change the SSL Certificate for HTTPS" and click Next. 3. Check "Generate a certificate from the JSS's built-in CA and click Next. 4. Click Done. 5. Log onto Jamf Pro server and restart Tomcat service.

After performing the above, the expiration date on the SSL certificate is now set to 07/31/2018, as expected.

sepiemoini
Contributor III
Contributor III

Resolved: completely remove your binary/framework between tests and then try again :)

mlavine
Contributor

Instead of completely removing your binary, try running the following command:

sudo jamf trustJSS

lizmowens
New Contributor III

@mlavine, this worked for me! Thank you so much! Was just about to call uncle and file a support ticket... :)

gachowski
Valued Contributor II

@mlavine

You are a ROCK STAR!!!

C

Steven_Xu
Contributor
Contributor

@mlavine that command doesn't work for me.
I have to use certificate from the JSS's built-in CA instead of the wildcard certificate from Godaddy.

Chriskmpruitt
Contributor

@Steven.Xu did you check time and date on the computer?

Steven_Xu
Contributor
Contributor

@Chriskmpruitt the time and the date was correct. I checked my ssl certificate here (https://www.sslshopper.com/ssl-checker.html), and the result show my certificate missed something, so I recreate the certificate and upload the certificate to JSS, and that works, and no error when check the ssl certificate.

robby_c137
New Contributor III

@Steven.Xu thanks for the tip and URL! I was able to find my problem (intermediate certs were missing) and recreating my cert did the trick.

wilfredov
New Contributor

We are having same "web certificate trust" issues - our network admin updated our Tomcast server with a wildcard SSL and is now adding "intermediate certs"..I am really hoping this will resolve our DEP enrollment problems..Haven't been able to get DEP to work for nearly a month!

MadPossum
New Contributor III

@wilfredov Did you make any progress on this? We use a wildcard cert as well and are having the same issues.

dfracassa
New Contributor III

Same issue here after upgrading JSS to 10.4.1, before the upgrade never happened. I tried to recreate the JSS Built-in Cert as we are not using a SSL, but it still no go. Not sure what happened or what to do next. keep this thread posted in case I find a solution