Sonicwall Content Filtering and Jamf Pro Server

JIM_PCM
New Contributor II

So just resolved an issue with my JAMF Pro server install. I self-host my servers with a clustered LAN/DMZ configuration. Last week, on 4/26/18, the servers stopped being able to auto-renew the Proxy Push Certificate, as well as stopped being able to talk to DEP or VPP services.

Turns out to be an update to my Sonicwall Content Filtering Service causing pretty much every SSL API connection to outside servers to start failing. The fix was to turn off the Content Filtering Service on the DMZ and the internal VLAN that the master server was hosted on. Just posting this here to give anyone else a clue on how to troubleshoot this.

We used nc (netcat) to initially determine the problem. Normally, nc will return a "Succeeded" message if it is able to reach the requested port. This was the first clue. The nc command was as follows:

nc -vz <url> <port>

So this means that the servers could reach the port. Next step was to make sure SSL could read the SSL certificate. This is where the failures showed up. Using the openssl s_client command, we discovered that my servers were unable to receive any input from the remote servers. The openssl command was as follows:

openssl s_client -showcerts -connect <url:port>

When attempting to connect to any external server, the command simply returned CONNECTED (00000003), which means it could connect to the remote server, but was unable to read anything returning from that connection. Normally, you would see a huge output with a bunch of details about the SSL certificate on the remote host.

I finally figured out the cause because while I was logged into my Sonicwall (which disables the Content Filtering for my computer), the openssl command worked fine, but it still failed on my servers. Once it was narrowed down to that, I turned off the Content Filtering on the DMZ, which allowed the server hosted there to communicate properly with the remote hosts.

So self-hosted JAMF Pro Servers need to not be behind Content Filtering when connecting to external services (jamfcloud, vpp, dep, patchmanagement, proxy push certificates).

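The two-step check described in the post (nc for the port, then openssl s_client for the handshake), combined into one probe as an added example that is not part of the original post. The function name `probe` and the stage labels are assumptions made for illustration; targets are passed on the command line as host:port.

```python
import socket
import ssl
import sys


def probe(host, port, timeout=5.0):
    """Classify an outbound TLS connection as (stage, detail).

    tcp_failed  - port unreachable (nc -vz would not report success)
    tls_stalled - TCP connected but no handshake data came back,
                  the "CONNECTED(00000003) and nothing else" case
    tls_failed  - handshake answered but was rejected or cut off
    tls_ok      - handshake completed; detail is the certificate issuer
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return ("tcp_failed", str(exc))

    ctx = ssl.create_default_context()  # verifies chain and hostname
    try:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            issuer = dict(rdn[0] for rdn in tls.getpeercert()["issuer"])
            name = issuer.get("organizationName") or issuer.get("commonName", "?")
            return ("tls_ok", name)
    except socket.timeout:
        return ("tls_stalled", f"no TLS reply within {timeout}s")
    except ssl.SSLCertVerificationError as exc:
        return ("tls_failed", f"untrusted certificate: {exc.verify_message}")
    except (ssl.SSLError, OSError) as exc:
        return ("tls_failed", str(exc))
    finally:
        sock.close()  # no-op if wrap_socket already took over the descriptor


if __name__ == "__main__":
    # Usage: python3 tls_probe.py host:port [host:port ...]
    for target in sys.argv[1:]:
        host, _, port = target.rpartition(":")
        stage, detail = probe(host, int(port))
        print(f"{target:40} {stage:12} {detail}")
```

Running it from both the server and a workstation that is exempt from filtering gives the same side-by-side comparison that isolated the cause in the post.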