MDM Push Notification Certificate

user-cQyuobzqxl
New Contributor

Hello, yesterday I installed a new Jamf, Ubuntu 20.04 / 10.28.0-t1615386406.
I set up LDAP (without SSL), installed a trusted certificate for SSL, and installed the push certificate. When I go to the push cert settings, edit, and press the test button, I get the error: The connection was not established. See logs for more details. Logs attached. Please help!

2021-03-25 20:14:39,764 [WARN ] [10-thread-1] [nsConnectionEventListener] - [apns] callFailed due to: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
    at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:349)
    at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:292)
    at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:287)
    at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1356)
    at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(CertificateMessage.java:1231)
    at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(CertificateMessage.java:1174)
    at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)
    at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:443)
    at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:421)
    at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:182)
    at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:171)
    at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1408)
    at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1314)
    at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:440)
    at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:411)
    at okhttp3.internal.connection.RealConnection.connectTls(RealConnection.kt:351)
    at okhttp3.internal.connection.RealConnection.establishProtocol(RealConnection.kt:310)
    at okhttp3.internal.connection.RealConnection.connect(RealConnection.kt:178)
    at okhttp3.internal.connection.ExchangeFinder.findConnection(ExchangeFinder.kt:236)
    at okhttp3.internal.connection.ExchangeFinder.findHealthyConnection(ExchangeFinder.kt:109)
    at okhttp3.internal.connection.ExchangeFinder.find(ExchangeFinder.kt:77)
    at okhttp3.internal.connection.Transmitter.newExchange$okhttp(Transmitter.kt:162)
    at okhttp3.internal.connection.ConnectInterceptor.intercept(ConnectInterceptor.kt:35)
    at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:112)
    at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:87)
    at okhttp3.internal.cache.CacheInterceptor.intercept(CacheInterceptor.kt:82)
    at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:112)
    at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:87)
    at okhttp3.internal.http.BridgeInterceptor.intercept(BridgeInterceptor.kt:84)
    at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:112)
    at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(RetryAndFollowUpInterceptor.kt:71)
    at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:112)
    at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:87)
    at okhttp3.RealCall.getResponseWithInterceptorChain(RealCall.kt:184)
    at okhttp3.RealCall.execute(RealCall.kt:66)
    at com.jamfsoftware.apns.connection.sender.ApnsPushNotificationSender.accept(ApnsPushNotificationSender.java:72)
    at com.jamfsoftware.apns.connection.sender.test.ApnsTestNotificationSender.send(ApnsTestNotificationSender.java:25)
    at com.jamfsoftware.apns.connection.ApnsConnectionVerifier.isOk(ApnsConnectionVerifier.java:23)
    at com.jamfsoftware.apns.scheduler.circuitbreaker.watcher.ApnsWatcher.run(ApnsWatcher.java:21)
    at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
    at java.base/java.util.concurrent.FutureTask.runAndReset(FutureTask.java:305)
    at java.base/java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:305)
    at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
    at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
    at java.base/java.lang.Thread.run(Thread.java:834)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:439)
    at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:306)
    at java.base/sun.security.validator.Validator.validate(Validator.java:264)
    at java.base/sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:313)
    at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:222)
    at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:129)
    at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1340)
    ... 41 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
    at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
    at java.base/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297)
    at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:434)
    ... 47 more
2 REPLIES

user-cQyuobzqxl
New Contributor

Answer to my own question:
For some reason the Java trust store is missing the trusted root certificates. https://developer.apple.com/library/archive/technotes/tn2265/_index.html#//apple_ref/doc/uid/DTS40010376-CH1-TNTAG31

  1. First download these two certs locally:
    https://www.geotrust.com/resources/root_certificates/certificates/GeoTrust_Global_CA.pem
    https://www.entrust.com/root-certificates/entrust_2048_ca.cer

  2. Add these certs to the Java trust store.
    keytool -import -alias GeoTrust_Global_CA -file ./GeoTrust_Global_CA.pem -keystore /usr/lib/jvm/java-11-openjdk-amd64/lib/security/cacerts
    keytool -import -alias entrust_2048_ca -file ./entrust_2048_ca.cer -keystore /usr/lib/jvm/java-11-openjdk-amd64/lib/security/cacerts

NOTE: Default password is: changeit

  3. Restart the machine and test: go to Settings > Push Cert > MDM Push Notification Certificate > Edit > Test. If everything is good, you should have: The connection was successfully established. Also check the log at: /usr/local/jss/logs/JAMFSoftwareServer.log

2021-03-26 13:08:00,672 [INFO ] [Thread-15 ] [pnsPushNotificationSender] - [apns] APNs HTTP2 client created at 2021-03-26T13:08:00.672933
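
A guarded version of the import steps in the answer above, added here as an example and not part of the original post: it adds a root to cacerts only if the file's SHA-256 fingerprint matches a value obtained out of band from the CA. The function names, the CACERTS/STOREPASS variables and the placeholder fingerprint are assumptions; the keystore path and default password are the ones quoted in the post.

```shell
#!/usr/bin/env bash
# Added example: gate a root-CA import into the Java trust store on a fingerprint check.
CACERTS="${CACERTS:-/usr/lib/jvm/java-11-openjdk-amd64/lib/security/cacerts}"  # path from the post
STOREPASS="${STOREPASS:-changeit}"                                             # default from the post

# Normalise a fingerprint: drop any "label=" prefix, colons and spaces; upper-case the hex.
normalize_fp() {
    printf '%s' "$1" | sed -e 's/^.*=//' | tr -d ': \n' | tr 'a-f' 'A-F'
}

# Return 0 only if the expected value is a well-formed SHA-256 (64 hex digits)
# and equals the observed one; return 2 if the expected value is malformed.
fp_matches() {
    local got want
    got=$(normalize_fp "$1"); want=$(normalize_fp "$2")
    case "$want" in ''|*[!0-9A-F]*) return 2 ;; esac
    [ "${#want}" -eq 64 ] || return 2
    [ "$got" = "$want" ]
}

# SHA-256 fingerprint of a certificate file, trying PEM first and then DER.
cert_fp() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null ||
    openssl x509 -inform DER -in "$1" -noout -fingerprint -sha256
}

# import_root ALIAS FILE EXPECTED_SHA256
import_root() {
    local alias=$1 file=$2 expected=$3
    # An existing alias is left alone (this checks the alias name only).
    if keytool -list -alias "$alias" -keystore "$CACERTS" \
               -storepass "$STOREPASS" >/dev/null 2>&1; then
        echo "$alias: already in trust store, skipping"; return 0
    fi
    if ! fp_matches "$(cert_fp "$file")" "$expected"; then
        echo "$alias: fingerprint mismatch or bad expected value, not importing" >&2
        return 1
    fi
    keytool -importcert -noprompt -alias "$alias" -file "$file" \
            -keystore "$CACERTS" -storepass "$STOREPASS"
}

# Run as: script ALIAS FILE EXPECTED_SHA256, for example
#   script GeoTrust_Global_CA ./GeoTrust_Global_CA.pem '<SHA256-FROM-CA-OUT-OF-BAND>'
# (the fingerprint above is a placeholder and is rejected as malformed).
if [ "$#" -eq 3 ]; then import_root "$@"; fi
```

Confirm that the cacerts path belongs to the JVM that actually runs the Jamf Tomcat service before importing, since a host can have several Java installations.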

MZKMR
New Contributor II

Thx you are my HERO!!!!!!!