Not able to download from JDS, possible certificate issue?

May
Contributor III

Hi all,

I'm flummoxed on this one!

Yesterday I noticed that any policies that download pkgs or dmgs from the JDS were failing (Self Service and recurring); policies that do not download are successful. I've tested on 4 different Macs at different sites and all get the same errors.

There are a few threads saying that spaces in the file names can cause a similar issue and it was fixed in 9.72. We're using 9.72 and these have been working 100% for the last few years up till yesterday.

Looking at the JSS logs I get 40+ lines of

Downloading https://fqdn/CasperShare/Software Update.pkg... Error: Could not connect to the HTTP server to download Software Update.pkg

If I trigger the same policy from Terminal the error is this

Downloading https://fqdn/CasperShare/Software Update.pkg... 2016-02-26 10:22:09.563 jamf[95462:5647] NSURLConnection/CFURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9814) Error: Could not connect to the HTTP server to download Software Update.pkg

If I copy/paste the package URL into Safari it downloads with no issues at all.

I've also noticed that now when I open Casper Admin it gives me a certificate error, showing that the cert has expired. I'm assuming the download issue could be related to this?

Checking on the JSS, the Tomcat cert is definitely valid; I know we installed it in December.
If I view the certificate by right-clicking on the JSS URL in Safari it also shows the same valid certificate.
I'm not sure where this old certificate is being picked up from. I've spoken to the network team and been assured that nothing has changed...

This is the message when opening Casper Admin

Any ideas what may be causing this or where else I should start digging?

Thanks,
Andy

1 ACCEPTED SOLUTION

stevewood
Honored Contributor II

@May did you check the cert on the JDS too? I'll bet the issue is with the cert there and not the one on the JSS.

You could try running the JDS setup utility again. I believe during the setup process the JDS will re-certify itself with the JSS. That is, after all, where the JDS gets its cert, unless you are using a public cert on the JDS.

Actually, you may be able to just use the enroll verb with jamfds:

jamfds enroll --prompt

8 REPLIES

May
Contributor III

Thanks @stevewood

I just re-ran the JDS installer and restarted Tomcat but it still has the same issue. Do you know how I can view the JDS certificate? I can't see anything in JSS > JDS Instances.
Does the JDS not use the same certificate as Tomcat?

Cheers

May
Contributor III

I just tried this command from this [thread](https://jamfnation.jamfsoftware.com/discussion.html?id=8246)

What do you get if you run 'openssl s_client -connect jss.mycompany.com:8443'?

This is the result
CONNECTED(00000003)
98372:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:/SourceCache/OpenSSL098/OpenSSL098-52.8.3/src/ssl/s23_clnt.c:593:

stevewood
Honored Contributor II

@May what OS is your JDS running on? I'm running on Ubuntu, and I can view the certs in the Certs folder:

/usr/local/jds/certs

By using the following on each .cer file in that folder, I can view the info for the cert:

openssl x509 -inform der -in jss_ca.cer -noout -text

Just change out the .cer file that you want to view. You can find out what cert files are being used by Apache by looking in:

/etc/apache2/sites-enabled/jds.conf

You can also see what SSL Protocols are enabled in here too.

May
Contributor III

Thanks @stevewood, I found it.

It's on OS X, the path is /Library/JDS/certs, and the one that's expired is the webserver.cer.
Just trying to find how that gets installed.

May
Contributor III

@stevewood it's now working, thanks!

If I'd followed all of your advice I would have got it running quicker!

The jamfds enroll --prompt command worked, it renewed the webserver.cer and downloads from the JDS are now working. Interestingly, re-installing the JDS did not renew the certificate.

Do you know if this is something that will need to be run manually each time before that cert expires or should it be automated?

Thanks again for your help!
Andy

stevewood
Honored Contributor II

@May glad it worked out for you! I believe that each time you upgrade the JDS to the latest version, the certificate is renewed. However, don't take my word for it, perhaps shoot an email to your TAM and ask them.

Also, I think the cert expiration date is pushed way out there, like 5 years or so, so I'm not certain it should expire anytime soon.

May
Contributor III

@stevewood cheers,
the expiry on the cert is a year after using jamfds enroll --prompt to renew it, I'm setting a calendar event ;)!
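
The certificate inspection described in this thread, turned into a recurring expiry report for the JDS certs folder. This is an added example, not part of any post and not Jamf tooling; the function names, the 30-day warning window and the sample certificates are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example: report expiry for every .cer file in a JDS certs directory.
# Directory paths come from the thread; function names and the 30-day
# default threshold are assumptions made for this example.

check_cert_expiry() {
    dir=$1
    secs=$(( ${2:-30} * 86400 ))   # warning window in seconds
    rc=0
    for cert in "$dir"/*.cer; do
        [ -e "$cert" ] || continue
        fmt=
        # The thread reads these files as DER; fall back to PEM.
        for try in der pem; do
            if openssl x509 -inform "$try" -in "$cert" -noout >/dev/null 2>&1; then
                fmt=$try
                break
            fi
        done
        if [ -z "$fmt" ]; then
            printf 'UNREADABLE\t-\t%s\n' "$cert"
            rc=1
            continue
        fi
        end=$(openssl x509 -inform "$fmt" -in "$cert" -noout -enddate | cut -d= -f2)
        # -checkend N exits non-zero if the cert expires within N seconds.
        if ! openssl x509 -inform "$fmt" -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
            status=EXPIRED; rc=1
        elif ! openssl x509 -inform "$fmt" -in "$cert" -noout -checkend "$secs" >/dev/null 2>&1; then
            status=EXPIRING; rc=1
        else
            status=OK
        fi
        printf '%s\t%s\t%s\n' "$status" "$end" "$cert"
    done
    return "$rc"
}

# Constructed sample input: two throwaway self-signed DER certs (1 and 365 days).
make_sample_certs() {
    for spec in short:1 long:365; do
        openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/key.pem" \
            -subj "/CN=constructed-sample" -days "${spec#*:}" \
            -outform der -out "$1/${spec%%:*}.cer" 2>/dev/null
    done
}

# Demo only when asked, e.g.: sh check_certs.sh --demo
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d) && make_sample_certs "$tmp"
    check_cert_expiry "$tmp" 30
fi
```

Against the folders named in the thread the call would be `check_cert_expiry /Library/JDS/certs 30` on OS X or `check_cert_expiry /usr/local/jds/certs 30` on Ubuntu; the non-zero return on any EXPIRING, EXPIRED or UNREADABLE file lets a scheduled job raise an alert.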