JAMF binary could not connect to the JSS because the web certificate is not trusted?
Posted on 03-09-2015 01:12 PM
Hi JAMF Nation!
After using Casper Imaging, I run into a couple of issues.
1) The Macs do not enroll into the JSS. Take that back. It shows up in the JSS as unmanaged, that's about it.
Running sudo jamf policy manually in terminal gives this error:
JSS Username: xxxx
JSS Password: xxxx (admin pass and username on JSS)
SSH Username:xxxx
SSH Password:xxx
Downloading required CA Certificate(s)...
2015-03-09 15:06:35.214 jamf[980:3523] NSURLConnection/CFURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9812)
2015-03-09 15:06:35.244 jamf[980:3523] NSURLConnection/CFURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9812)
There was an error.
Error enrolling computer: Unable to establish trust with the JSS - The jamf binary could not connect to the JSS because the web certificate is not trusted.
I even restarted the Tomcat and MySQL servers.
2) The management account doesn't show, but it shows in Casper Admin
3) Macs do not bind to AD after imaging. We have the directory binding set in the JSS and it's the first thing after "Prepare First Run Script".
Any help would be greatly appreciated JAMF!
Posted on 03-09-2015 02:40 PM
I think de-selecting
Click Computer Management.
In the "Computer Management - Management Framework" section, click Security.
Deselect the Enable SSL certificate verification checkbox.
Might have worked, I'll in the morning when I get to work.
Posted on 03-09-2015 03:03 PM
@Poseiden951 Does your JSS have a proper cert that hasn't expired? If you're unchecking that box, I'm more inclined to see it as a cert prob
Posted on 03-09-2015 03:12 PM
The tomcat cert? (which expires on 06/16/2015). I also haven't tested it out yet, I don't know if it has worked or not.
Posted on 03-09-2015 03:20 PM
When you go to the URL of your server Https://<jss.company.com>:8443, the cert there.
The other thing that becomes problematic is if time is off.
- RD
Posted on 03-10-2015 06:41 AM
That cert is valid until June, unchecked everything in Security in the JSS. Still fails to recon or enroll.
Posted on 03-10-2015 08:16 AM
What happens when you try to manually enroll the machine through:
sudo jamf enroll -prompt
Posted on 03-10-2015 09:41 AM
This is what I get:
There was an error.
Error enrolling computer: Unable to establish trust with the JSS - The jamf binary could not connect to the JSS because the web certificate is not trusted.
Posted on 03-10-2015 09:44 AM
Do you have NTP on?
Posted on 03-10-2015 09:49 AM
We have been running into the same issue and, for us, it stems back to the following known defect:
[D-006627] When restarting a computer that has been imaged using Casper Imaging, the computer
fails to enroll if attempting to connect to the JSS via an Apple Thunderbolt to Ethernet Adapter.
All of our failures are related to imaging using the Thunderbolt to Ethernet adapters.
We have had to export a valid JSS cert and apply it to the System keychain on the system that is failing to connect.
Posted on 03-10-2015 09:52 AM
I'm using regular old Ethernet Netbooting, I will try exporting a cert to the machine. Thank you @JRossA
Posted on 03-10-2015 12:35 PM
Company has an NTP, but I can't get OS X to recognize it during imaging.
Posted on 03-10-2015 12:38 PM
From My Testing:
#!/bin/sh
uuid=`/usr/sbin/system_profiler SPHardwareDataType | grep "Hardware UUID" | cut -c22-57`
#set time based on location
systemsetup -setusingnetworktime off # this confirms that network time service is turned off while we edit it
systemsetup -setnetworktimeserver time.apple.com # this sets the time server
# enable location services
/bin/launchctl unload /System/Library/LaunchDaemons/com.apple.locationd.plist
/usr/bin/defaults write /var/db/locationd/Library/Preferences/ByHost/com.apple.locationd.$uuid LocationServicesEnabled -int 1
/usr/sbin/chown -R _locationd:_locationd /var/db/locationd
/bin/launchctl load /System/Library/LaunchDaemons/com.apple.locationd.plist
# set time zone automatically using current location
/usr/bin/defaults write /Library/Preferences/com.apple.timezone.auto Active -bool true
/usr/sbin/systemsetup -setusingnetworktime on
/usr/sbin/systemsetup -gettimezone
/usr/sbin/systemsetup -getnetworktimeserver
/usr/sbin/ntpdate -u time.apple.com
Worked for me (although I don't take credit for this).
Posted on 06-24-2015 10:45 PM
Hi @Poseiden951 ,
I stumbled on the same issue as yours.
Have you managed to get it working?
Thanks
Jack
Posted on 06-25-2015 06:08 AM
It just went away a couple of weeks later, I don't know how. But I re-issued my Tomcat certificate, restarted my JSS box and recreated my images.
Posted on 04-19-2016 08:51 AM
I upgraded my test JSS from 9.82 to 9.91 and ran Casper Imaging (9.81) on a computer afterwards. The image, applications and scripts all ran fine, but the computer did not get enrolled; I get the 'JAMF binary could not connect to the JSS because the web certificate is not trusted'
Everything was fine prior to the upgrade to 9.91. The certificate says it's valid to 2017.
What could be causing this?
Posted on 04-19-2016 01:05 PM
@tcandela you should be using the same version of Casper Imaging as the version of the JSS. It's a bad idea to mix them.
Posted on 04-21-2016 05:48 PM
I am using the same version now but do not understand why I am getting this
Downloading required CA Certificate(s)...
2016-04-21 20:41:55.315 jamf[1803:20712] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9813)
2016-04-21 20:41:55.333 jamf[1803:20712] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9813)
There was an error.
Error enrolling computer: Unable to establish trust with the JSS - The jamf binary could not connect to the JSS because the web certificate is not trusted.
I get this during Casper Imaging and afterwards when running sudo jamf enroll -prompt
I check Firefox from the JSS and the certificate is good until 2017
Posted on 04-21-2016 05:52 PM
I look in the JSS's KEYCHAIN System --> Certificates and it has Casper.local - certificate - Feb 2017
Posted on 04-21-2016 06:06 PM
From the OS X computer I was able to go to https://casper.local:8443/enroll and it downloaded the quickadd.pkg. I then installed the .pkg and the computer enrolled.
I still do not understand why I was getting this during Casper Imaging and from the jamf enroll -prompt
There was an error.
Error enrolling computer: Unable to establish trust with the JSS - The jamf binary could not connect to the JSS because the web certificate is not trusted.
Posted on 04-24-2016 11:27 AM
Unlike the first computer, I was able to get a second computer enrolled via Casper Imaging. This time when Casper Imaging popped up I entered the JSS URL and checked the box that said 'allow untrusted SSL Certificate'.
The first computer I do not remember if I got the prompt to enter the JSS URL or not.
Posted on 03-08-2017 05:29 AM
Any update on this from Jamf?!?! We have been getting many reports lately from students/staff and we are thinking about turning off all of our policies that rely on Login/Logout hooks because of its lack of reliability. We currently do our drive mapping via login scripts for our domain users. Our temporary solution has been creating a Self Service policy to allow users to map the drives if the login script failed to run. On a campus of around 150 machines, this has been happening multiple times every day. We'd hate to convert everything to launch daemons just to have the issue fixed in an upcoming JSS upgrade.
Thanks!
Posted on 04-12-2017 07:59 PM
We have some Macs that have the same issue: the web app works fine in Firefox, but not in Safari or Chrome. The browser shows the certificate is not trusted, and when I run "jamf checkJSSconnection", it also shows the certificate is not trusted.
It is a wildcard certificate issued by GoDaddy.
I tried re-enrolling that Mac with every method, and tried resetting the keychain, but the issue is still there. I thought it might be related to the OS. The OS version was 10.11.4, so I installed all the updates related to Security and OS updates; the certificate still shows as not trusted in 10.11.6. Next, I downloaded the Sierra installer and upgraded the OS to Sierra (10.12.4), then I ran the JSSconnection again. Wow, "the JSS is available.", and the certificate shows as trusted both in Safari and Chrome, everything works normally! I'm going to upgrade the other Macs which have the same issue to Sierra and see if that can fix it too.
Posted on 05-31-2017 11:42 AM
I am getting this error as well on a newly imaged machine. Just updated to Casper 9.98. Machine won't enroll thru imaging or the terminal prompt. I've gone to Keychain Access and manually trusted the cert given by the JSS. Expiration date is 3/2018. Any ideas?
Posted on 05-31-2017 12:14 PM
This might be helpful:
As of the Casper Suite v9.98, the Enabling SSL certificate verification checkbox has been changed to the SSL Certificate Verification pop-up menu with the options: "Always", "Always except during enrollment", and "Never". To configure SSL certificate verification, log in to the JSS with a web browser and in the top-right corner of the page, navigate to Settings > Computer Settings > Security.
If performing a fresh install of the Casper Suite v9.98 or later, the SSL Certificate Verification setting is set to "Always except during enrollment" by default.
If upgrading from the Casper Suite v9.97 or earlier to the Casper Suite v9.98 or later and you previously enabled SSL certificate verification, the setting is set to "Always" by default. If you did not enable SSL certificate verification before upgrading, the setting is set to "Always except during enrollment" by default.
https://www.jamf.com/jamf-nation/articles/455/change-to-the-ssl-certificate-verification-setting-in-the-casper-suite-v9-98-or-later
Posted on 05-31-2017 12:37 PM
Thanks. Do you know if this requires a JSS restart? I've changed it to always but I'm still getting the error on my test machine.
Posted on 05-31-2017 12:40 PM
I would try setting it to "Always except during enrollment" which is LESS restrictive than "Always"
I believe this does not require a restart.
Posted on 07-31-2017 09:56 AM
Hey all! I'm running into the same issues described above. I'm running 9.100.0-t1499435238 in my development Jamf Pro instance and run into the below error despite which method of enrollment I use (i.e. user-initiated web enrollment, QuickAdd package or sudo jamf enroll -prompt from the CLI).
There was an error. Error enrolling computer: Unable to establish trust with the JSS - The jamf binary could not connect to the JSS because the web certificate is not trusted.
I have also listed my Settings>Computer Management - Management Framework>Security settings for reference which were adjusted at one point. I haven't restarted the Tomcat service after these settings were modified but did manage to test using the three aforementioned enrollment methods, all of which reproduce the above error.
Posted on 07-31-2017 10:39 AM
UPDATE: I've rebuilt the SSL certificate to no avail. Here are the steps that I took.
From JSS Settings > Apache Tomcat Settings:
1. Click Edit.
2. Check "Change the SSL Certificate for HTTPS" and click Next.
3. Check "Generate a certificate from the JSS's built-in CA" and click Next.
4. Click Done.
5. Log onto Jamf Pro server and restart Tomcat service.
After performing the above, the expiration date on the SSL certificate is now set to 07/31/2018, as expected.
Posted on 07-31-2017 12:08 PM
Resolved: completely remove your binary/framework between tests and then try again :)
Posted on 07-31-2017 01:43 PM
Instead of completely removing your binary, try running the following command:
sudo jamf trustJSS
Posted on 08-03-2017 07:25 AM
@mlavine, this worked for me! Thank you so much! Was just about to call uncle and file a support ticket... :)
Posted on 08-03-2017 10:51 AM
Posted on 08-06-2017 06:16 PM
@mlavine that command doesn't work for me.
I have to use a certificate from the JSS's built-in CA instead of the wildcard certificate from GoDaddy.
Posted on 08-30-2017 09:21 AM
@Steven.Xu did you check time and date on the computer?
Posted on 08-30-2017 07:33 PM
@Chriskmpruitt the time and the date were correct. I checked my SSL certificate here (https://www.sslshopper.com/ssl-checker.html), and the result showed my certificate was missing something, so I recreated the certificate and uploaded the certificate to JSS, and that works, with no error when checking the SSL certificate.
Posted on 12-14-2017 04:20 PM
@Steven.Xu thanks for the tip and URL! I was able to find my problem (intermediate certs were missing) and recreating my cert did the trick.
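The two causes this thread keeps coming back to, a server that does not send its intermediate certificate (the fix reported in the two posts above) and a client clock that is off (raised in the earlier replies), can be reproduced offline with a throwaway CA. This is an added example, not code from any poster or from Jamf; the CA names, the host name jss.example.test and the 2001 timestamp are constructed.

```shell
#!/bin/sh
# Added example: throwaway three-tier PKI; every name and value is constructed.

make_chain() (   # $1 = empty working directory
    cd "$1" || exit 1
    cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    # Self-signed root: the only certificate the client trusts.
    openssl req -x509 -config pki.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
        -subj "/CN=Example Root CA" -days 30 -keyout root.key -out root.pem \
        2>/dev/null || exit 1
    # Intermediate CA, signed by the root.
    openssl req -new -config pki.cnf -newkey rsa:2048 -nodes \
        -subj "/CN=Example Intermediate CA" -keyout int.key -out int.csr \
        2>/dev/null || exit 1
    openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
        -extfile pki.cnf -extensions v3_ca -days 30 -out int.pem 2>/dev/null || exit 1
    # Server (leaf) certificate, signed by the intermediate.
    openssl req -new -config pki.cnf -newkey rsa:2048 -nodes \
        -subj "/CN=jss.example.test" -keyout leaf.key -out leaf.csr \
        2>/dev/null || exit 1
    openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
        -days 30 -out leaf.pem 2>/dev/null || exit 1
)

# Verify leaf.pem as a client that trusts only root.pem.
#   $2 = sent    -> the server also presents int.pem
#   $2 = missing -> the server presents the leaf alone
#   $3 = optional client clock in epoch seconds (default: now)
verify_leaf() (
    cd "$1" || exit 1
    opts=""
    if [ "$2" = sent ]; then opts="-untrusted int.pem"; fi
    if [ -n "$3" ]; then opts="$opts -attime $3"; fi
    out=$(openssl verify -CAfile root.pem $opts leaf.pem 2>&1) || true
    printf '%s\n' "$out"
    case $out in *"leaf.pem: OK"*) exit 0 ;; *) exit 1 ;; esac
)

work=$(mktemp -d) || exit 1
make_chain "$work" || exit 1
verify_leaf "$work" missing || echo "=> rejected: intermediate not sent"
verify_leaf "$work" sent && echo "=> accepted: full chain sent"
verify_leaf "$work" sent 978307200 || echo "=> rejected: client clock set to 2001"
```

Against a real server, `openssl s_client -connect <jss.company.com>:8443 -showcerts </dev/null` lists the certificates it actually sends; a CA-issued leaf arriving without its intermediate matches the first rejected case.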
Posted on 03-09-2018 12:47 PM
We are having the same "web certificate trust" issues - our network admin updated our Tomcat server with a wildcard SSL and is now adding "intermediate certs". I am really hoping this will resolve our DEP enrollment problems. Haven't been able to get DEP to work for nearly a month!
Posted on 05-24-2018 11:53 AM
@wilfredov Did you make any progress on this? We use a wildcard cert as well and are having the same issues.
Posted on 06-05-2018 05:28 PM
Same issue here after upgrading JSS to 10.4.1; before the upgrade it never happened. I tried to recreate the JSS built-in cert as we are not using an SSL, but it's still a no go. Not sure what happened or what to do next. I'll keep this thread posted in case I find a solution.