Posted on 10-26-2017 02:03 AM
Hello there,
I have some trouble with my JDS: when I try to download packages from Self Service, the connection is lost. My JDS is pingable, and if I download packages directly from https://jds../CasperShare/*.dmg it's fine.
Logs are:
An error occurred while running the policy "Test Mbam" on the computer "***********".
Actions from policy log:
[STEP 1 of 5]
Executing Policy Test Mbam
[STEP 2 of 5]
Downloading https://jds.**********.***/CasperShare/MalwareBytes.dmg...
The network connection was interrupted while downloading the package from https://jds.*********.***/CasperShare/MalwareBytes.dmg. Attempting to reconnect...
Downloading https://jds.**********.***/CasperShare/MalwareBytes.dmg...
Error: MalwareBytes.dmg is not available on the HTTP server.
[STEP 3 of 5]
[STEP 4 of 5]
Inventory will be updated when all queued actions in Self Service are complete.
[STEP 5 of 5]
The complete policy log is available in the JSS at:
https://*******.*******.****:8443/policies.html?id=67&o=l
Computer Info:
ID: **
I know that JDS is deprecated but any idea?
Posted on 10-26-2017 02:49 AM
Check the SSL cert of the JDS. The cert could have expired and has been renewed automatically.
Posted on 10-26-2017 03:10 AM
I checked my webserver.cer:
******@jds:/usr/local/jds/certs$ openssl x509 -inform der -in webserver.cer -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 891666952 (0x3525c208)
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=****** ******* JSS Built-in Certificate Authority
Validity
Not Before: Oct 25 10:00:11 2017 GMT
Not After : Oct 26 10:00:11 2018 GMT
Posted on 10-26-2017 03:13 AM
Check also the Subject Alternative Name of the JDS cert.
I think during the renewal process the JDS cert is now invalid because the cert doesn't have a Subject Alternative Name for your JDS, only for your JSS.
Posted on 10-26-2017 03:28 AM
There is a subject alternative name for the JSS only:
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 891666952 (0x3525c208)
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=***** **** JSS Built-in Certificate Authority
Validity
Not Before: Oct 25 10:00:11 2017 GMT
Not After : Oct 26 10:00:11 2018 GMT
Subject: O=***** *******, OU=JAMF Distribution Server, CN=jds.*****.fr
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
5E:E0:0D:95:B9:43:01:7D:EB:36:57:C5:C4:46:47:15:78:5F:AB:41
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Subject Alternative Name:
DNS:casper.*****.fr, DNS:*.casper.****.fr
X509v3 CRL Distribution Points:
Full Name:
URI:https://casper.*****.fr:8443//CA/JAMFCRLServlet
X509v3 Authority Key Identifier:
keyid:AF:AA:D0:90:EE:70:EF:0E:FE:5F:7C:29:2D:2F:62:B3:E4:26:D9:3D
Signature Algorithm: sha256WithRSAEncryption
Posted on 10-26-2017 05:35 AM
And that's the issue. When you try to open the JDS URL from the logs you got, your browser should reject the certificate. Safari returns a message stating that the remote server pretends to be your JDS but, in fact, the cert says something different.
So currently I don't know a way to get a cert for the JDS with the correct SAN.
I ran into the same issue several months ago and I had to switch to a file DP with https access. :(
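The hostname check behind that rejection, as an added example that is not part of the original thread: it parses `openssl x509 -noout -text` output and applies the rule that SAN DNS entries, when present, replace the subject CN, with a wildcard covering exactly one label. The domain `example.fr` is a constructed stand-in for the redacted one, and the function names are hypothetical.

```python
import re

# Constructed sample modelled on the certificate dump in the thread;
# example.fr stands in for the redacted domain.
SAMPLE_CERT_TEXT = """\
        Subject: O=Example Org, OU=JAMF Distribution Server, CN=jds.example.fr
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Alternative Name:
                DNS:casper.example.fr, DNS:*.casper.example.fr
"""

def parse_names(cert_text):
    """Return (subject CN, SAN dNSName list) from openssl text output."""
    cn = re.search(r"Subject:.*?CN\s*=\s*([^,/\n]+)", cert_text)
    san = re.search(r"X509v3 Subject Alternative Name:[^\n]*\n\s*([^\n]+)", cert_text)
    dns = re.findall(r"DNS:([^,\s]+)", san.group(1)) if san else []
    return (cn.group(1).strip() if cn else None), dns

def dns_match(pattern, host):
    """RFC 6125 style: '*' only as the whole left-most label, one label deep."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def host_accepted(cert_text, host):
    """If the cert carries SAN DNS names, the subject CN is not consulted."""
    cn, dns = parse_names(cert_text)
    if dns:
        return any(dns_match(d, host) for d in dns)
    return cn is not None and dns_match(cn, host)  # legacy CN-only certs

if __name__ == "__main__":
    for host in ("jds.example.fr", "casper.example.fr", "a.casper.example.fr"):
        ok = host_accepted(SAMPLE_CERT_TEXT, host)
        print(host, "->", "accepted" if ok else "REJECTED (no matching SAN)")
```

The JDS name is rejected even though it is the certificate's CN, because neither `casper.example.fr` nor `*.casper.example.fr` covers it.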
Posted on 10-27-2017 03:24 AM
I have to switch too, but we have multiple remote sites; cloud solutions seem to be the right answer.
Posted on 11-01-2017 08:10 AM
It sounds like you may be running into PI-004248.
Please get in touch with support if you haven't already so they can take a look and either verify or rule out PI-004248 and, if it's determined this is what you're seeing, implement the workaround to get it going again.
Also, please be aware that the JDS is in End of Life status and will be discontinued at the end of 2017 so when you contact support, it may be worth discussing getting switched over to alternative file distribution methods if you’ve not already decided on what the plan is for your environment.
Jamf no longer recommends using the JDS and support for it will eventually be discontinued.
Thanks!
Were Wulff
Jamf Customer Experience