I have some trouble with my JDS: when I try to download packages from Self Service, the connection is lost. My JDS is pingable, and if I download packages directly from https://jds../CasperShare/*.dmg it's fine.
Logs are:
An error occurred while running the policy "Test Mbam" on the computer "***********".
Actions from policy log:
[STEP 1 of 5] Executing Policy Test Mbam
[STEP 2 of 5] Downloading https://jds.**********.***/CasperShare/MalwareBytes.dmg...
The network connection was interrupted while downloading the package from https://jds.*********.***/CasperShare/MalwareBytes.dmg. Attempting to reconnect...
Downloading https://jds.**********.***/CasperShare/MalwareBytes.dmg...
Error: MalwareBytes.dmg is not available on the HTTP server.
[STEP 3 of 5]
[STEP 4 of 5] Inventory will be updated when all queued actions in Self Service are complete.
[STEP 5 of 5] The complete policy log is available in the JSS at: https://*******.*******.****:8443/policies.html?id=67&o=l
Computer Info:
ID: **
I know that JDS is deprecated, but any idea?
I checked my webserver.cer:
******@jds:/usr/local/jds/certs$ openssl x509 -inform der -in webserver.cer -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 891666952 (0x3525c208)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=****** ******* JSS Built-in Certificate Authority
        Validity
            Not Before: Oct 25 10:00:11 2017 GMT
            Not After : Oct 26 10:00:11 2018 GMT
Check also the Subject Alternative Name of the JDS cert.
I think during the renewal process the JDS cert is now invalid because the cert doesn't have a Subject Alternative Name for your JDS, only for your JSS.
There is a subject alternative name for the JSS only:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 891666952 (0x3525c208)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=***** **** JSS Built-in Certificate Authority
        Validity
            Not Before: Oct 25 10:00:11 2017 GMT
            Not After : Oct 26 10:00:11 2018 GMT
        Subject: O=***** *******, OU=JAMF Distribution Server, CN=jds.*****.fr
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                5E:E0:0D:95:B9:43:01:7D:EB:36:57:C5:C4:46:47:15:78:5F:AB:41
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Alternative Name:
                DNS:casper.*****.fr, DNS:*.casper.****.fr
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:https://casper.*****.fr:8443//CA/JAMFCRLServlet
            X509v3 Authority Key Identifier:
                keyid:AF:AA:D0:90:EE:70:EF:0E:FE:5F:7C:29:2D:2F:62:B3:E4:26:D9:3D
    Signature Algorithm: sha256WithRSAEncryption
And that's the issue. When you try to open the JDS URL from the logs you got, your browser should reject the certificate. Safari returns a message stating that the remote server pretends to be your JDS, but in fact, the cert says something different.
So currently I don't know a way to get a cert for the JDS with the correct SAN.
I ran into the same issue several months ago and I had to switch to a file DP with https access. :(
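The hostname check behind the rejection described above, as an added example that is not part of the original thread: it pulls the DNS entries out of `openssl x509 -noout -text` output and tests whether they cover a given host. The sample text is constructed, `example.fr` is a placeholder for the redacted domain, and the function names are illustrative.

```python
import re

# Constructed sample shaped like the `openssl x509 -noout -text` output in the
# thread; example.fr stands in for the redacted domain.
SAMPLE = """\
        Subject: O=Example Org, OU=JAMF Distribution Server, CN=jds.example.fr
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Subject Alternative Name:
                DNS:casper.example.fr, DNS:*.casper.example.fr
            X509v3 CRL Distribution Points:
"""

def san_dns_names(text):
    """Return the DNS entries listed under Subject Alternative Name."""
    m = re.search(r"X509v3 Subject Alternative Name:[^\n]*\n\s*([^\n]+)", text)
    if not m:
        return []
    entries = [e.strip() for e in m.group(1).split(",")]
    return [e[4:].lower() for e in entries if e.startswith("DNS:")]

def name_matches(host, pattern):
    """Case-insensitive match; '*' may stand for the whole left-most label only."""
    h = host.lower().rstrip(".").split(".")
    p = pattern.lower().rstrip(".").split(".")
    if len(h) != len(p):
        return False
    if p[0] == "*":
        return bool(h[0]) and h[1:] == p[1:]
    return h == p

def host_covered(text, host):
    """True if any SAN dNSName covers host. The Subject CN is not consulted,
    because clients ignore it once a dNSName SAN is present."""
    return any(name_matches(host, n) for n in san_dns_names(text))

if __name__ == "__main__":
    for h in ("jds.example.fr", "casper.example.fr", "a.casper.example.fr"):
        print(h, "covered" if host_covered(SAMPLE, h) else "NOT covered")
```

Running it against a real certificate only needs the saved output of the `openssl x509` command shown earlier in the thread passed as `text`.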
It sounds like you may be running into PI-004248.
Please get in touch with support if you haven't already so they can take a look and either verify or rule out PI-004248 and, if it's determined this is what you're seeing, implement the workaround to get it going again.
Also, please be aware that the JDS is in End of Life status and will be discontinued at the end of 2017 so when you contact support, it may be worth discussing getting switched over to alternative file distribution methods if you’ve not already decided on what the plan is for your environment.
Jamf no longer recommends using the JDS and support for it will eventually be discontinued.
Jamf Customer Experience