JSS Certificate Communication Problem

apple4ever
New Contributor

We have a signed certificate from GeoTrust on our JSS. So I enabled the new "Use certificate communication with JSS" setting. The warnings said nothing about ensuring that the clients can access the JSS with the certificate- only to ensure that the JSS has a valid certificate.

Well now a bunch of our 10.5 Macs can't connect to the JSS because they don't trust the certificate. I looked and the GeoTrust Root CA is not installed on there. I installed it on one, and now Safari doesn't give the untrusted message, but running jamf log still doesn't work.

Any ideas how I can fix this?

On side note- after all of this, I just found the extension attribute to check for compatibility. I wish in the documentation would have indicated to run that before enabling the setting.

1 ACCEPTED SOLUTION

ryan_yohnk
New Contributor II
New Contributor II

I would keep an eye on the thread Don posted. It sounds like a very similar issue. While the command apple4ever posted will add the CA certificate to the System trust, curl on 10.5 uses a different list of trusted CAs. There's a post on the other thread about how to update the list of trusted CAs on 10.5 machines. Let us know if that helps.

Ryan

View solution in original post

4 REPLIES 4

apple4ever
New Contributor

I should also know that I tried the following command:

sudo /usr/bin/security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain ~/Desktop/GeoTrust_Root.cer

That still didn't work.

donmontalvo
Esteemed Contributor III

FYI, another thread with similar issue:

https://jamfnation.jamfsoftware.com/discussion.html?id=3761

Don

--
https://donmontalvo.com

ryan_yohnk
New Contributor II
New Contributor II

I would keep an eye on the thread Don posted. It sounds like a very similar issue. While the command apple4ever posted will add the CA certificate to the System trust, curl on 10.5 uses a different list of trusted CAs. There's a post on the other thread about how to update the list of trusted CAs on 10.5 machines. Let us know if that helps.

Ryan

apple4ever
New Contributor

Yep, that was the problem. I had to actually manually add the root CA certs to the bundle, but once I did that and put it in the right place, it work.

Thanks!