SSL Expiration False Positive After Upgrading Jamf Pro to 10.21

@dng2000 Sounds like you're experiencing this issue: HTTPS connection to specific sites fail with cURL on macOS

@sdagley Thank you for sharing that link. Frankly, I still believe this problem originates on the side of the Jamf Pro server after upgrading both of my environments to 10.21 because the error can be reproduced in macOS 10.13.6 Build 17G66. I escalated to Jamf Support earlier to investigate this hopefully it can be as simple as tweaking something in Tomcat. In the meantime, I'm very curious to know if anyone else who upgraded their on-prem environment to 10.21 and faced this same issue.

Now that I found https://thesslonline.com/blog/sectigo-addtrust-external-ca-root-expiring-may-30-2020 in addition to what @sdagley mentioned (thanks again @sdagley ), and I was able to restore the snapshot of my dev server back to 10.20 and got the same SSL expiration error in curl that I've never seen before. Now I'm realizing this is a coincidence to the Jamf upgrade that I did this past weekend. And it looks like it does match with the SSL issued to me even though the actual cert itself is more than a year away from expiration.

1 s:/C=US/ST=MI/L=Ann Arbor/O=Internet2/OU=InCommon/CN=InCommon RSA Server CA i:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority 2 s:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root 3 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root

@dng2000 It's not your cert that's the issue, it's the Root CA that signed it which isn't being verified properly.

Check that the SSL Cert you are uploading in jamf has a full certificate chain. We have ran into this issue a couple of times because we were only uploading the certificate and not the intermediate certificate at the same time.

https://www.jamf.com/jamf-nation/articles/138/using-openssl-to-create-a-certificate-keystore-for-tomcat

EDIT: Appears Comodo Intermediate certificate expired 3 days ago. This caused my enrolments to start to fail, however the browser didn't have the issue at all. I had to re-bundle a newer intermediate/root certificate into my .p12 to get it working again.

We had exactly the same problem as Scott here!
Strange error, but we solved it and switched to Let's Encrypt for the Tomcat-server

We had the same issue. Our cert was from Comodo, and 2 of their intermediate certs expired on May 30. We renewed the cert with GlobalSign and all is well now.

I just worked my way through this Sectigo issue after having a freshly reloaded computer refusing to go managed after DEP enrollment. You can see if you're affected using this site: https://www.sslshopper.com/ssl-checker.html - If you get a red X about intermediate certificates expiring, this is your problem. In the case of us we have a wildcard cert through Namecheap, and I was able to redownload my purchase which had an updated certificate chain. I merged them all into a pfx file, reuploaded, and the computer had the jamf binary and config profiles before I even got past the login screen. Whew!