jds behind nginx load balancer problem

Derrick_meyer
New Contributor

Has anyone had any success setting up a JDS behind an nginx load balancer? I'm seeing a lot of errors in /usr/local/jds/logs/jamf.log:
661 ERROR Communication error with the JSS
661 ERROR (60, 'server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none')

When we look at the JDS in the JSS we get
Display Name - no name
Root - Yes
Parent JDS Instance - NONE
Hostname
JDS URL: https://FQDN
Reported IP Address
jamfds binary Version:
Operating System:
Operating System Version:
Total Memory:
Available Memory:
Hard Drive Size: -1024 B
Hard Drive Used Space: -1 %


calum_rmit
New Contributor III

I would probably avoid using the JDS at all until they resolve the bugs with it.
I haven't tested in 9.31, but the last time I tried to use the JDS, it tried to upload the entire Casper repo to the SQL database; that is, it uploaded the packages and DMGs into a database table. It made for one very, very large SQL database!
I'd stick with DPs and use scripts to sync them if needed. There are a couple of good scripts around here for doing just that.

were_wulff
Valued Contributor II

@calum_rmit

That's actually expected behavior and how the JDS works; it first uploads to the database (the downloadable_file_chunk_data table), then moves on to the actual JDS repository and empties out the table space it occupied in the database itself.
If the table doesn't automatically flush, it generally means something got stuck along the way or we ran out of space on the computer running MySQL, and we can manually flush it and try again (after adding more space, if that was the issue).
The wording in the Admin's Guide is a bit unclear and indicates that we only need at least 100GB free on the JDS itself, and support has been working to try and get the wording changed to indicate that we also need to have at least that much space free on the computer that hosts the MySQL database as well.

@Derrick.meyer

Have we tried uploading the certificate(s) to the JDS itself? In some instances, usually if we're using a third party certificate or a wildcard certificate, it may be required to import your certificates to the JDS, and the error that you're getting indicates that might be the case here, since it's looking for a .crt file (/etc/ssl/certs/ca-certificates.crt) and isn't finding one. Generally, we need to have the root and intermediate CAs imported into the JDS for that to work.

If we're using a third party certificate, the best way to get instructions on how to get that certificate imported to your JDS machine is to check the documentation for the specific certificate you've got, as the instructions are all a bit different between vendors. We have a general 'how to import certificates' KB here, but I'd still strongly recommend going to the vendor's website to get the instructions specific to their certificates: https://jamfnation.jamfsoftware.com/article.html?id=138
https://jamfnation.jamfsoftware.com/article.html?id=115

In some instances, the load balancer may also require it, but for that you'd want to check the load balancer's documentation since they're all slightly different.

If you run into trouble with that or have further questions that either our documentation or the certificate vendor's documentation doesn't answer, your best next step would be to get in touch with your Technical Account Manager either by giving them a call or sending an e-mail to support@jamfsoftware.com

Thanks!

Amanda Wulff
JAMF Software Support

Derrick_meyer
New Contributor

Hi Amanda, our certificate at the moment is self-signed by the JSS; we will be moving to a wildcard certificate, hopefully in the next week or two.

were_wulff
Valued Contributor II

Hey @Derrick.meyer

Just to make sure I’m reading correctly: When you say you’re using a self signed certificate, do you mean you’re using the JSS’ built in CA (somewhere in the issuer name it will say "JSS Built-in Certificate Authority" if you are), or does it actually say “self signed” when you go to System Settings >> Apache Tomcat Settings?

If it actually says self signed, that’s going to be part of the problem; the JDS does need to either use the JSS’ built in CA or a third party certificate.
If we're using the built in CA, we want to make sure we've checked the box that says 'Allow untrusted SSL certificate' during the installation process. If that was left unchecked, we can just re-run the installer and make sure it's checked this time.

A valid wildcard certificate should work just fine, though wildcards can involve a slightly different setup than a standard third party certificate.

There are a couple of threads on JAMF Nation that go into what’s required to get a wildcard cert up and going, and the steps are a bit different than they are for a standard third party certificate.

@talkingmoose and @Kumarasinghe both left good comments on wildcards in the other thread you’d posted as well:

https://jamfnation.jamfsoftware.com/discussion.html?id=10699

This discussion contains a lot of good information on getting Tomcat to use a wildcard cert; as you can see by just skimming that one, it can be a bit trickier than just using a standard 3rd party cert, but it can be done, the steps are just a little different: https://jamfnation.jamfsoftware.com/discussion.html?id=5521

https://jamfnation.jamfsoftware.com/discussion.html?id=4049

I found a few other links that are Thawte specific as well.

http://www.secure128.com/thawte/how-to-generate-a-csr-for-thawte-ssl-certificate.aspx

http://www.secure128.com/installation-instructions-for-ssl-certificates.aspx

Once that’s all done, we’ll still need to import the certificate into the JDS as well so the JDS also trusts it.
Sam Fortuna’s response in this thread gives the instructions on how to do that: https://jamfnation.jamfsoftware.com/discussion.html?id=9333

This part of the error you’re receiving (“CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none”) tells us that the JDS is not finding the certificate that it’s looking for and that we likely need to import it.

If you end up needing assistance with the above, it would be best to first look through KB articles provided by Thawte, as the specific instructions can vary between vendors, and our KB ( https://jamfnation.jamfsoftware.com/article.html?id=138 ) is a fairly generic ‘how to’ overview. Your Technical Account Manager may also be able to help out, though for specific instructions on your particular certificate, it’ll likely be faster to consult their instructions directly.

Thanks!

Amanda Wulff
JAMF Software Support
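The two points Amanda's replies make (the JDS fails with "server certificate verification failed" when the CA that issued the JSS certificate is absent from the bundle at /etc/ssl/certs/ca-certificates.crt, and a certificate that is genuinely self-signed is different from one issued by the JSS built-in CA) can be reproduced offline with nothing but the openssl CLI. The script below is an added example, not code from the thread or from Jamf: it builds a throwaway root CA, an unrelated CA standing in for the distro's public bundle, a server certificate issued by the root, and a self-signed server certificate, then shows verification failing against the bundle without the root and succeeding once the root is appended. All names (Demo Root CA, Unrelated Public CA, jss.example.com) are made up for the demo.

```shell
#!/bin/sh
# Added example (not from the original thread or from Jamf). Reproduces the
# CAfile verification failure offline and shows the fix: the CA that issued
# the JSS certificate must be present in the bundle the JDS verifies against.
# Requires only the openssl CLI; every certificate name below is constructed.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Build the demo PKI: a root CA, an unrelated CA (stand-in for the public CAs
# already in ca-certificates.crt), a server cert issued by the root, and a
# self-signed server cert for comparison.
make_certs() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Unrelated Public CA" \
    -keyout "$WORK/other.key" -out "$WORK/other.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=jss.example.com" \
    -keyout "$WORK/jss.key" -out "$WORK/jss.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$WORK/jss.csr" -CA "$WORK/root.crt" \
    -CAkey "$WORK/root.key" -CAcreateserial -out "$WORK/jss.crt" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=jss.example.com" \
    -keyout "$WORK/selfsigned.key" -out "$WORK/selfsigned.crt" 2>/dev/null
  # Bundle as it looks before the fix: public CA only, no Demo Root CA.
  cat "$WORK/other.crt" > "$WORK/bundle-before.crt"
  # Bundle after the fix: public CA plus the root that issued jss.crt.
  cat "$WORK/other.crt" "$WORK/root.crt" > "$WORK/bundle-after.crt"
}

# check_chain BUNDLE CERT: prints "trusted" if CERT chains to a CA in BUNDLE,
# otherwise "untrusted" (the condition behind the JDS's error 60).
check_chain() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

# cert_kind CERT: "self-signed" when subject and issuer are the same name,
# "ca-issued" otherwise. A JSS built-in CA cert is ca-issued, with
# "JSS Built-in Certificate Authority" in the issuer (see issuer_of).
cert_kind() {
  subj=$(openssl x509 -noout -subject_hash -in "$1")
  iss=$(openssl x509 -noout -issuer_hash -in "$1")
  if [ "$subj" = "$iss" ]; then echo self-signed; else echo ca-issued; fi
}

# issuer_of CERT: the issuer DN, which is what to read when deciding whether
# the JSS is using its built-in CA or a truly self-signed certificate.
issuer_of() {
  openssl x509 -noout -issuer -in "$1"
}

make_certs
echo "before adding root CA: $(check_chain "$WORK/bundle-before.crt" "$WORK/jss.crt")"
echo "after adding root CA:  $(check_chain "$WORK/bundle-after.crt" "$WORK/jss.crt")"
echo "jss.crt is $(cert_kind "$WORK/jss.crt"), $(issuer_of "$WORK/jss.crt")"
echo "selfsigned.crt is $(cert_kind "$WORK/selfsigned.crt"), $(issuer_of "$WORK/selfsigned.crt")"
```

On a Debian or Ubuntu JDS (the /etc/ssl/certs/ca-certificates.crt path in the error is that family's bundle), the real-world equivalent of "bundle-after" is to copy the root and any intermediate PEM files into /usr/local/share/ca-certificates/ with a .crt extension and run update-ca-certificates, which regenerates the bundle. To capture the chain the JDS actually sees when it talks to the JSS (or to the load balancer in front of it), `openssl s_client -connect host:8443 -showcerts` prints every certificate the server sends; each one can be fed to cert_kind and issuer_of above.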