SSL Expiration False Positive After Upgrading Jamf Pro to 10.21

dng2000
Contributor II

For those who upgraded to Jamf Pro 10.21 on prem, may I please ask a favor: run 'curl -o /dev/null https://<yourjssserver>:8443' (replacing <yourjssserver> with your environment's URL) on a Mac and see if you get the following error message? This started happening after upgrading both my dev and production environments to 10.21, and I'm curious to know if others are having this same problem besides me. My org's SSL certificate is issued by InCommon RSA Server CA and is still many months away from expiration. Strangely, this error doesn't come up with curl in Linux, only on macOS.

curl: (60) SSL certificate problem: certificate has expired
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

8 REPLIES

sdagley
Esteemed Contributor II

@dng2000 Sounds like you're experiencing this issue: HTTPS connection to specific sites fail with cURL on macOS

dng2000
Contributor II

@sdagley Thank you for sharing that link. Frankly, I still believe this problem originates on the side of the Jamf Pro server after upgrading both of my environments to 10.21, because the error can be reproduced in macOS 10.13.6 Build 17G66. I escalated to Jamf Support earlier to investigate this; hopefully it can be as simple as tweaking something in Tomcat. In the meantime, I'm very curious to know if anyone else who upgraded their on-prem environment to 10.21 faced this same issue.

dng2000
Contributor II

Now that I found https://thesslonline.com/blog/sectigo-addtrust-external-ca-root-expiring-may-30-2020 in addition to what @sdagley mentioned (thanks again @sdagley), I was able to restore the snapshot of my dev server back to 10.20 and got the same SSL expiration error in curl that I've never seen before. Now I'm realizing this is a coincidence with the Jamf upgrade that I did this past weekend. And it looks like it does match the SSL issued to me even though the actual cert itself is more than a year away from expiration.

 1 s:/C=US/ST=MI/L=Ann Arbor/O=Internet2/OU=InCommon/CN=InCommon RSA Server CA
   i:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
 2 s:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
 3 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root

sdagley
Esteemed Contributor II

@dng2000 It's not your cert that's the issue, it's the Root CA that signed it which isn't being verified properly.

Scott_Watkins
New Contributor II

Check that the SSL cert you are uploading in Jamf has a full certificate chain. We've run into this issue a couple of times because we were only uploading the certificate and not the intermediate certificate at the same time.

https://www.jamf.com/jamf-nation/articles/138/using-openssl-to-create-a-certificate-keystore-for-tomcat

EDIT: Appears Comodo Intermediate certificate expired 3 days ago. This caused my enrolments to start to fail, however the browser didn't have the issue at all. I had to re-bundle a newer intermediate/root certificate into my .p12 to get it working again.
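An added check that follows from both @dng2000's s_client chain listing and Scott's point about bundling the intermediate: the script below is example code written for this thread, not something from Jamf or from any of the posters. It assumes `openssl` is on the PATH. `check_chain` walks every certificate in a PEM bundle (the same file you would build a Tomcat keystore from) and reports any that has already expired or will expire inside a warning window, so an expired intermediate or cross-signed root is caught even when the leaf cert itself has a year left, which is exactly the case the browsers hid here. `fetch_chain` pulls the chain a live server actually sends, like the s_client output above; the host and port arguments are placeholders you supply.

```shell
#!/bin/sh
# Example chain checker (not Jamf's code). Requires the openssl CLI.

# fetch_chain HOST PORT > chain.pem
# Saves every certificate the server presents during the handshake.
# -servername sends SNI so a name-based virtual host returns the right cert.
fetch_chain() {
    host="$1"
    port="${2:-8443}"
    openssl s_client -showcerts -servername "$host" -connect "$host:$port" </dev/null 2>/dev/null |
        awk '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/'
}

# check_chain BUNDLE.pem [WINDOW_SECONDS]
# Prints one line per certificate in the bundle. Returns 0 when every cert
# is still valid for at least WINDOW_SECONDS, non-zero otherwise.
# WINDOW_SECONDS defaults to 0, i.e. only already-expired certs fail.
check_chain() {
    bundle="$1"
    window="${2:-0}"
    bad=0
    tmp=$(mktemp -d) || return 2

    # Split the bundle into one file per certificate so each can be inspected.
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem" }
        out != "" { print > out }
        /-----END CERTIFICATE-----/ { close(out); out = "" }
    ' "$bundle"

    for f in "$tmp"/cert-*.pem; do
        [ -f "$f" ] || continue
        subject=$(openssl x509 -in "$f" -noout -subject)
        enddate=$(openssl x509 -in "$f" -noout -enddate | sed 's/^notAfter=//')
        # -checkend exits non-zero when the cert expires within WINDOW seconds
        if openssl x509 -in "$f" -noout -checkend "$window" >/dev/null; then
            echo "ok       $enddate  $subject"
        else
            echo "EXPIRING $enddate  $subject"
            bad=$((bad + 1))
        fi
    done

    rm -rf "$tmp"
    [ "$bad" -eq 0 ]
}

# Typical use before uploading a keystore to Tomcat (placeholders):
#   fetch_chain jss.example.org 8443 > served-chain.pem
#   check_chain served-chain.pem $((30*24*3600))   # warn 30 days ahead
```

Run it against both the bundle you are about to upload and the chain the server actually serves; the two can differ when an old intermediate is still bundled in the .p12, and that served copy is what an older client such as curl on macOS 10.13 evaluates.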

martenblank
New Contributor III

We had exactly the same problem as Scott here!
Strange error, but we solved it and switched to Let's Encrypt for the Tomcat server.

ooshnoo
Valued Contributor

We had the same issue. Our cert was from Comodo, and 2 of their intermediate certs expired on May 30. We renewed the cert with GlobalSign and all is well now.

mking529
Contributor

I just worked my way through this Sectigo issue after having a freshly reloaded computer refusing to go managed after DEP enrollment. You can see if you're affected using this site: https://www.sslshopper.com/ssl-checker.html - If you get a red X about intermediate certificates expiring, this is your problem. In our case we have a wildcard cert through Namecheap, and I was able to redownload my purchase, which had an updated certificate chain. I merged them all into a pfx file, reuploaded, and the computer had the jamf binary and config profiles before I even got past the login screen. Whew!