JDS Ubuntu Installation - The SSL certificate is invalid. Verify that it is not self-signed or expired, and that the hostname matches.

Graves
New Contributor

JSS and JDS installs are 9.21.

I am receiving the same error on two different Ubuntu 12.04 servers when I try to install a JDS:

The SSL certificate is invalid. Verify that it is not self-signed or expired, and that the hostname matches.

We just updated our GoDaddy SSL cert on our current JSS running on an Xserve, and have had no issues with machines checking in or errors when hitting the site.

On this Ubuntu server, I have set /etc/hostname to jds3.myserver.org and updated /etc/hosts file:

127.0.0.1       localhost
127.0.1.1       jds3.myserver.org

Running

hostname --fqdn

returns jds3.myserver.org

This is what the setup looks like:

JDS Hostname: jds3.myserver.org
JSS URL: https://jss.myserver.org:8443
JSS Username: myuser
JSS Password: 
Allow untrusted SSL certificate?  (y/n): n

The SSL certificate is invalid. Verify that it is not self-signed or expired, and that the hostname matches.



check /usr/local/jds/logs/jamf.log for more information.

The logs show:

2013-12-19 10:00:02,262 INFO Checking for policies...
2013-12-19 10:00:02,266 ERROR 140608240228096:error:02001002:system library:fopen:No such file or directory:bss_file.c:126:fopen('/usr/local/jds/certs/private.key','r')
140608240228096:error:2006D080:BIO routines:BIO_new_file:no such file:bss_file.c:129:
Traceback (most recent call last):
  File "<string>", line 2244, in main
  File "<string>", line 469, in policy
  File "<string>", line 1456, in policy
  File "<string>", line 1132, in _sign_message
  File "/usr/local/jenkins/workspace/jamfds-build-release/label/jenkinsubuntu01.jamfsw.corp/build/pyi.linux2/jamfds/out00-PYZ.pyz/M2Crypto.EVP", line 366, in load_key
BIOError: 140608240228096:error:02001002:system library:fopen:No such file or directory:bss_file.c:126:fopen('/usr/local/jds/certs/private.key','r')
140608240228096:error:2006D080:BIO routines:BIO_new_file:no such file:bss_file.c:129:

I can run the JDS installer on a 10.8.5 Mac with Server 2.2, and the install finishes successfully.

1 ACCEPTED SOLUTION

SamF
Contributor

You'll need to make sure that the GoDaddy root CA is trusted from the JDS. If it's not, try downloading the certificate, open it and save the contents. It should look something like:

-----BEGIN CERTIFICATE-----
Huge string of text
-----END CERTIFICATE-----

Copy that and save it out to a file like so: /usr/local/share/ca-certificates/CertFile.crt. After saving the file, run the following command to update the keychain:

sudo update-ca-certificates

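Why adding the issuing root clears the installer's error, reproduced offline as an added example (not from the thread or from JAMF). The CA names, the jss.example.test hostname and the helper functions are constructed, and a PEM bundle file stands in for the system store that update-ca-certificates rebuilds.

```sh
#!/bin/sh
# Added example, not from the thread. Every key and certificate is a
# throwaway generated below; names and hostnames are constructed.

# make_ca PREFIX CN: self-signed root written to PREFIX.key / PREFIX.crt
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

# issue_cert CA_PREFIX PREFIX CN: server certificate signed by that root
issue_cert() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$2.key" -out "$2.csr" 2>/dev/null &&
    openssl x509 -req -in "$2.csr" -CA "$1.crt" -CAkey "$1.key" \
        -CAcreateserial -days 1 -out "$2.crt" 2>/dev/null
}

# chain_trusted BUNDLE CERT: true only if CERT chains to a root in BUNDLE.
# Matches the "OK" line because some older OpenSSL releases exit 0 on failure.
chain_trusted() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# trust_ca BUNDLE CA_CERT: stand-in for copying the .crt into
# /usr/local/share/ca-certificates and running update-ca-certificates.
trust_ca() {
    cat "$2" >> "$1"
}

# demo: prints the trust state before and after adding the issuing root.
demo() {
    d=$(mktemp -d) || return 1
    make_ca "$d/other" "Unrelated Demo Root"    # a root the host already has
    make_ca "$d/issuer" "Demo Issuing Root"     # plays the missing root CA
    issue_cert "$d/issuer" "$d/jss" "jss.example.test" || return 1
    cp "$d/other.crt" "$d/bundle.pem"

    if chain_trusted "$d/bundle.pem" "$d/jss.crt"; then before=trusted
    else before=untrusted; fi
    trust_ca "$d/bundle.pem" "$d/issuer.crt"
    if chain_trusted "$d/bundle.pem" "$d/jss.crt"; then after=trusted
    else after=untrusted; fi

    rm -rf "$d"
    echo "$before -> $after"
}

demo
```

Against the real server, `openssl s_client -connect jss.myserver.org:8443 -CApath /etc/ssl/certs </dev/null` reports the same outcome in its "Verify return code" line, before and after the CA file is installed.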

5 REPLIES

thanzig
New Contributor II

Silly question, but did you restart Tomcat after updating the certs?

Graves
New Contributor

Yes, Tomcat has been restarted since we updated the SSL cert.

Graves
New Contributor

I followed the above steps and the JDS installed and enrolled! Thank you for the answer!

markposey
New Contributor

If you are running RHEL or CentOS, please do the following:

Install the ca-certificates package:

yum install ca-certificates

Enable the dynamic CA configuration feature:

update-ca-trust enable

Add it as a new file to /etc/pki/ca-trust/source/anchors/:

cp foo.crt /etc/pki/ca-trust/source/anchors/

Use command:

update-ca-trust extract