Proxy Push Certificate Expiring

itsupport
New Contributor III

We have 2 push certificates installed on JSS. One for MDM and one for Proxy settings. My understanding is that the Proxy one is for communication between devices and JAMF. This is expiring today and the "Renew" button doesn't do anything when clicked. It just refreshes the page. I've logged into our Apple account at apple.identity.com and can only see our MDM certificate.

Is anyone able to provide some more information on the Proxy certificate?

9 REPLIES 9

bentoms
Release Candidate Programs Tester

@itsupport I'd contact your TAM.

wakco
Contributor

We have the same issue. What version of Casper Suite is it (we are still on 9.80).

Note, the guide says the push proxy certificates should renew automatically. So it is interesting to see they have expired. For the moment I'd say give it 24 hours before contacting JAMF.

itsupport
New Contributor III

I think I figured it out. Our JSS installation is now on a windows server and requires Java (JRE/JDK) to work. I looked at the JSS logs and saw that it could no longer see a java class. It looks like Java had updated itself and caused Tomcat to stop working. I tried to fix it by changing some Tomcat settings and point to the new Java installation but couldn't get it to work so had to restore the server to an earlier date and stop java installing updates automatically.

mike_levenick
New Contributor III
New Contributor III

Hey @itssupport (and anyone else having this issue) would you mind if I ask what version of Java you upgraded to, as well as what version you reverted to which resolved the issue? Also the JSS version you're on, and the version of Windows Server you're running.

Thanks!

wakco
Contributor

While I do not know the details, the person that handles our server had noticed some scheduler issue, and when rebooting was then able to trace back the problems to Java... "Traced issues back to Java, refreshing and re-setup and all ok again, even that cert that had expired has updated itself...".

But I did find out we are running Windows 2008R2 & Java 8 u60.

itsupport
New Contributor III

@mike.levenick - Java updated to 8.65 which caused the issue. We rolled the server back to when java was on 8.51 and it is working again. We're running Windows 2012 R2 Datacenter.

I noticed that some .jar files where missing from the JSS installation (C:Program FilesJSSTomcatin) such as tomcat-juli.jar and bootstrap.jar . I'm not sure how these went missing but the only thing that changed was Java update and windows updates.

It's working now as we restored to an earlier date so I can't get much more information.

mike_levenick
New Contributor III
New Contributor III

Thanks everyone, much appreciated.

It seems that everyone I've talked to that has experienced this issue had it happen after upgrading to Java 1.8.0_65--although for the life of me, I cannot seem to break it in my environment.

I tried a fresh install on 2012R2 with Java 8 u45, installed a proxy cert, and then upgraded to u65 and was still able to renew my proxy certs. I tried completely removing u45 and reinstalling u65 and it still worked just fine. So I tried setting my system clock ahead a week and a day to expire the cert and was still able to renew it.

I am trying on 2008R2 right now, but I suggest if anyone is able to replicate this that they contact their TAM to provide more information so that we can continue troubleshooting and isolate the root cause of the issue.

McLeanSchool
New Contributor III

Ugh, came back from Thanksgiving break and we're experiencing the same issue. Java auto-updated to 1.8.0_66-b18 and the proxy cert isn't working. Trying a few things to fix it, I'll post an update in a bit.

McLeanSchool
New Contributor III

Got it up and running!

I uninstalled Java completely on the server, then reinstalled Java following these steps from the guide available at http://www.jamfsoftware.com/resources/manually-installing-the-jamf-software-server/:

Step 3: Install and Configure Java and JCE Java is required to start Tomcat, the web application server that runs the JSS. Launch the JDK Installer. Follow the onscreen instructions to install the software. Use the default settings to configure the installation. Download the JCE if you haven’t already. Then extract the downloaded file. Copy the following files from the extracted folder to C:Program FilesJavajre<version>libsecurity: local_policy.jar US_export_policy.jar Accept the prompt to replace the existing files. 17 1. 2. 3. 4. 5. 6. 7. 8. Note: Before installing the JSS on Windows, it is recommended that you verify that the JAVA_HOME and JRE_HOME environment variables are pointed at the correct locations. For more information, see the following Knowledge Base article: Configuring the JAVA_HOME and JRE_HOME Environment Variables on a Windows Server

Make sure the system variables for Java are correct with the latest version of Java installed:
9fc83baa35654e0c8d56199edeeda70d

Make sure Tomcat has the correct settings by checking it's properties in the following program: C:Program FilesJSSTomcatin omcat7w

For some reason, our Tomcat install was not set to use the default Java options. I checked the "Use default" box to fix this.
7ba29f12c6ad409fa7731e392cbeca08

After rebooting the server, JSS started up correctly and automatically updated our Proxy cert.