Network connection interrupted with JDS.

rquinquis
New Contributor III

Hello there,

I have some trouble with my JDS: when I try to download packages from Self Service, the connection is lost. My JDS is pingable, and if I download packages directly from https://jds../CasperShare/*.dmg it's fine.

The logs are:

An error occurred while running the policy "Test Mbam" on the computer "***********".

Actions from policy log:
    [STEP 1 of 5]
    Executing Policy Test Mbam
    [STEP 2 of 5]
    Downloading https://jds.**********.***/CasperShare/MalwareBytes.dmg...
    The network connection was interrupted while downloading the package from https://jds.*********.***/CasperShare/MalwareBytes.dmg. Attempting to reconnect...
    Downloading https://jds.**********.***/CasperShare/MalwareBytes.dmg...
    Error: MalwareBytes.dmg is not available on the HTTP server.
    [STEP 3 of 5]
    [STEP 4 of 5]
    Inventory will be updated when all queued actions in Self Service are complete.
    [STEP 5 of 5]

The complete policy log is available in the JSS at:
https://*******.*******.****:8443/policies.html?id=67&o=l


Computer Info: 
ID:     **

I know that JDS is deprecated but any idea?


gda
Contributor

Check the SSL cert of the JDS. The cert could have expired and has been renewed automatically.

rquinquis
New Contributor III

@gda

I checked my webserver.cer:

******@jds:/usr/local/jds/certs$ openssl x509 -inform der -in webserver.cer -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 891666952 (0x3525c208)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=****** ******* JSS Built-in Certificate Authority
        Validity
            Not Before: Oct 25 10:00:11 2017 GMT
            Not After : Oct 26 10:00:11 2018 GMT

gda
Contributor

Check also the Subject Alternative Name of the JDS cert.
I think during the renewal process the JDS cert is now invalid because the cert doesn't have a Subject Alternative Name for your JDS, only for your JSS.

rquinquis
New Contributor III

There is a subject alternative name for the JSS only:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 891666952 (0x3525c208)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=***** **** JSS Built-in Certificate Authority
        Validity
            Not Before: Oct 25 10:00:11 2017 GMT
            Not After : Oct 26 10:00:11 2018 GMT
        Subject: O=***** *******, OU=JAMF Distribution Server, CN=jds.*****.fr
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:

                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                5E:E0:0D:95:B9:43:01:7D:EB:36:57:C5:C4:46:47:15:78:5F:AB:41
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Alternative Name: 
                DNS:casper.*****.fr, DNS:*.casper.****.fr
            X509v3 CRL Distribution Points: 

                Full Name:
                  URI:https://casper.*****.fr:8443//CA/JAMFCRLServlet

            X509v3 Authority Key Identifier: 
                keyid:AF:AA:D0:90:EE:70:EF:0E:FE:5F:7C:29:2D:2F:62:B3:E4:26:D9:3D

    Signature Algorithm: sha256WithRSAEncryption

gda
Contributor

And that's the issue. When you try to open the JDS URL from the logs you got, then your browser should reject the certificate. Safari returns a message stating that the remote server pretends to be your JDS, but in fact, the cert says something different.

So currently I don't know a way to get a cert for the JDS with the correct SAN.

I ran into the same issue several months ago and I had to switch to a file DP with https access. :(
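Added example, not part of any post in this thread: a small Python check that reads `openssl x509 -noout -text` output like the one posted above and reports whether the hostname a client connects to is covered by the certificate's Subject Alternative Name entries, and whether the certificate has expired. The `example.fr` names stand in for the masked hostnames, and the function names and check date are made up for the example.

```python
import re
from datetime import datetime, timezone

# Constructed sample: trimmed `openssl x509 -noout -text` output shaped like the
# one in the thread, with placeholder example.fr names replacing the masked ones.
SAMPLE = """\
Certificate:
    Data:
        Validity
            Not Before: Oct 25 10:00:11 2017 GMT
            Not After : Oct 26 10:00:11 2018 GMT
        Subject: O=Example Org, OU=JAMF Distribution Server, CN=jds.example.fr
        X509v3 extensions:
            X509v3 Subject Alternative Name: 
                DNS:casper.example.fr, DNS:*.casper.example.fr
"""

def san_dns_names(text):
    """Return the dNSName entries listed under Subject Alternative Name."""
    m = re.search(r"Subject Alternative Name:.*\n\s*(.+)", text)
    if not m:
        return []
    return [e.strip()[4:].lower() for e in m.group(1).split(",")
            if e.strip().startswith("DNS:")]

def not_after(text):
    """Parse the 'Not After' line into an aware UTC datetime."""
    raw = re.search(r"Not After\s*:\s*(.+?) GMT", text).group(1)
    return datetime.strptime(raw, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)

def name_matches(pattern, host):
    """RFC 6125 style match: '*' may only replace the whole left-most label."""
    p, h = pattern.lower().split("."), host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    return (p[0] == "*" or p[0] == h[0]) and p[1:] == h[1:]

def check(text, host, now):
    """Return (covered_by_san, expired) for the host a client connects to."""
    names = san_dns_names(text)
    # When dNSName entries exist, clients match against them and ignore the CN.
    return any(name_matches(n, host) for n in names), now > not_after(text)

if __name__ == "__main__":
    now = datetime(2017, 11, 15, tzinfo=timezone.utc)  # constructed check date
    for host in ("jds.example.fr", "casper.example.fr", "dp1.casper.example.fr"):
        print(host, check(SAMPLE, host, now))
```

The JDS name fails the SAN check even though it appears in the Subject CN, which is the mismatch described in the post above.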

rquinquis
New Contributor III

I have to switch too, but we have multiple remote sites; cloud solutions seem to be the right answer.

were_wulff
Valued Contributor II

@rquinquis

It sounds like you may be running into PI-004248.

Please get in touch with support if you haven't already so they can take a look and either verify or rule out PI-004248 and, if it's determined this is what you're seeing, implement the workaround to get it going again.

Also, please be aware that the JDS is in End of Life status and will be discontinued at the end of 2017 so when you contact support, it may be worth discussing getting switched over to alternative file distribution methods if you’ve not already decided on what the plan is for your environment.

Jamf no longer recommends using the JDS and support for it will eventually be discontinued.

Thanks!
Were Wulff
Jamf Customer Experience