Posted on 09-29-2011 09:23 AM
We had a valid certificate in place when JSS was at 7.1, and when we moved to 7.31 we made sure the certificate continued to work.
Today we noticed that roughly 200 of the 1800 Macs in JSS are checking in...and the remaining 1600 Macs show Last Time of over 30 days.
Is there a way to validate the certificate is working properly? What could have hosed it?
Thanks,
Don
Posted on 09-29-2011 09:35 AM
Is your cert signed by a private CA?
---
Jared F. Nichols
Desktop Engineer, Client Services
Information Services Department
MIT Lincoln Laboratory
244 Wood Street
Lexington, Massachusetts 02420
781.981.5436
Posted on 09-29-2011 09:41 AM
You should be able to navigate to your JSS in a web browser from any of the problem machines and check the cert there. Click the lock icon in the browser to view.
--
William Smith
Technical Analyst
Merrill Communications LLC
(651) 632-1492
Posted on 09-29-2011 09:55 AM
Hi Jared,
Yes it was created as per the below article and worked for months:
http://jamfsoftware.com/kb/article.php?id=019
Per this article we deselected the cert option, pending confirmation the certificate is still valid since we moved from 7.1 to 7.31:
http://jamfsoftware.com/kb/article.php?id=051
Thanks,
Don
Posted on 09-29-2011 10:53 AM
Hi William,
Long time no see. :) Ya, we actually get this error when we try to enable the checkbox in JSS:
http://donmontalvo.com/jamf/JSS_invalid_certificate.png
Not sure how it could break. We have our team looking into it.
Just curious...does the "-k" option in the QuickAdd postflight force it to require a valid cert?
    ####################################################
    ## Create the configuration file at /private/etc/jamf.conf
    ####################################################
    /usr/sbin/jamf createConf -url 'https://*:8443/' -k
Don
Posted on 09-29-2011 11:00 AM
Using a client system that hasn't checked in, can you look at the trust chain and see what the client thinks the trust status is?
j
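The trust-chain check asked for above, reproduced offline as an added example (not code from the thread or from JAMF): it builds a throwaway private CA and a server certificate, then asks `openssl verify` how a client judges that certificate without and with the CA as a trust anchor. The names `make_lab`, `chain_status` and `jss.example.test` are constructed for illustration, and the check uses OpenSSL's verifier rather than the macOS keychain.

```shell
#!/bin/sh
# Added example; all certificates here are constructed lab data.

# Build a private CA plus a server cert it signs; prints the lab directory.
make_lab() {
  d=$(mktemp -d) || return 1
  printf '%s\n' '[req]' 'distinguished_name = dn' 'x509_extensions = v3_ca' \
    'prompt = no' '[dn]' 'CN = Example Private CA' \
    '[v3_ca]' 'basicConstraints = critical,CA:TRUE' > "$d/ca.cnf"
  openssl req -x509 -config "$d/ca.cnf" -newkey rsa:2048 -nodes -days 2 \
    -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null || return 1
  openssl req -new -config "$d/ca.cnf" -subj "/CN=jss.example.test" \
    -newkey rsa:2048 -nodes -keyout "$d/srv.key" -out "$d/srv.csr" \
    2>/dev/null || return 1
  openssl x509 -req -in "$d/srv.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -days 1 -out "$d/srv.pem" 2>/dev/null || return 1
  echo "$d"
}

# Report how a client would judge cert $1.
# $2 is an optional extra trust anchor (the private CA's PEM file).
chain_status() {
  if [ -n "${2:-}" ]; then
    out=$(openssl verify -CAfile "$2" "$1" 2>&1) || true
  else
    out=$(openssl verify "$1" 2>&1) || true
  fi
  case $out in
    *": OK"*) echo "trusted" ;;
    *) echo "untrusted: $(printf '%s\n' "$out" | sed -n '/^error [0-9]/{p;q;}')"
       return 1 ;;
  esac
}

lab=$(make_lab) || exit 1
chain_status "$lab/srv.pem" || true        # client that lacks the private CA
chain_status "$lab/srv.pem" "$lab/ca.pem"  # client with the CA as an anchor
rm -rf "$lab"
```

The first call reports an untrusted chain and the second reports trusted; the only difference between the two clients is whether the private CA is present as a trust anchor.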
Posted on 09-29-2011 11:12 AM
Yes the -k flag will require a valid cert.
j
Posted on 01-15-2012 09:40 PM
Doing some house cleaning on threads I left open-ended. Turns out "-k" tells the Casper agent to not care about the cert. Enabling the cert in JSS triggers removal of the "-k" on the client side. So if you enable the cert today and disable the cert tomorrow, clients won't call in anymore (unless you're able to add "-k" back on the client).
Posted on 01-17-2012 12:51 PM
Adding the -k works for policies, but I found that you need to select the "Allow Invalid Certificate" box in the preferences for Casper Remote or it locks up again.
Posted on 01-17-2012 01:02 PM
So looks like Certs signed by a private CA will not work?