The Jamf binary could not connect to the JSS because the web certificate is not trusted.

bazcurtis
New Contributor III

Hi,

I am having an issue with sudo jamf recon. I'm getting this error: "The jamf binary could not connect to the JSS because the web certificate is not trusted."

I am running a JSS self signed certificate. I can login to the JSS fine from the machine. The machine is running 10.12.6. The JSS is running 10.1.

I have tried to do a trustjss and it seems happy with that. The machine was enrolled remotely from the Recon app.

Any help would be much appreciated.

3 REPLIES

mike_paul
Contributor III

TLDR: Recreate or create a signed Tomcat SSL certificate.

Does your JSS have a self-signed certificate, or a certificate created and signed by the JSS built-in Certificate Authority?

When you initially set up a JSS, the installer creates a self-signed cert, but you are directed to go through the wizard to create an SSL cert signed by the built-in certificate authority. That is a valid cert, but client devices wouldn't have an inherited trust to any certs created by it, as they would if the certs were created by a trusted certificate authority (GoDaddy, Verisign, DigiCert, etc.).

Also, no MDM (macOS or iOS) is possible with self-signed certs.

The client computer's trust to the JSS built-in certificate authority, and in turn to certs created by it, is established at enrollment. How stringent the verification is after trust to the CA is established is determined by the "SSL Certificate Verification" setting within JSS > Settings > Computer Management > Security.

Since you're using the built-in SSL cert already (vs. a third-party one), there is no harm in verifying your JSS URL (since that's the CN used in the cert) and then going back through JSS > Settings > System Settings > Apache Tomcat Settings > Edit > Change the SSL certificate used for HTTPS > Generate a certificate from the Jamf Pro's built-in CA > Restart Tomcat, and that should be good to establish trust after that.

If you're looking for more information on how these things work, there is this blog post: https://www.jamf.com/blog/enhancements-to-certificate-security-for-mdm-enrollment/

bazcurtis
New Contributor III

Thanks Mike.

I am using a self-signed cert. I did get it working in the end by setting SSL verification to None and restarting Tomcat.

I was also playing with Configuration Profiles and none of those work. I believe, as you say, this is due to the self-signed certificate as well. I have to use a trusted 3rd-party certificate for push to work, correct? Would this also stop VPP apps being installed?

Thanks for the quick reply.

Best wishes Michael

bazcurtis178
New Contributor

I have it working with a trusted certificate from GoDaddy. For those who are interested, I used this article as the basis: https://www.jamf.com/jamf-nation/articles/115/enabling-ssl-on-tomcat-with-a-public-certificate. I ran the following commands on my Mac and then uploaded the p12 file to the JSS via the GUI.

This made the CSR and a new private key:

openssl req -new -newkey rsa:2048 -nodes -out /Users/username/Desktop/csr.pem -keyout /Users/username/Desktop/priv.pem

Once I had the certificate from GoDaddy, I used this command to make the p12:

openssl pkcs12 -export -out /Users/username/Desktop/SSLCertificate.p12 -inkey /Users/username/Desktop/priv.pem -in /Users/username/Desktop/go-daddy.crt -certfile /Users/username/Desktop/gdig2.crt.pem -certfile /Users/username/Desktop/gd_bundle-g2-g1.crt

Once I restarted Tomcat, I had a Configuration Profile appear on the test Mac within 5 minutes.

Thanks for the help
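The following is an added example, not code from the thread or from Jamf. It ties together the two technical points above: mike_paul's point that the client only trusts the JSS when the serving certificate chains to a CA the client already trusts (and that the cert's CN must match the JSS URL), and bazcurtis178's CSR-then-PKCS#12 procedure. Because it has to run offline, it builds a constructed throwaway PKI (a test root, an intermediate and a server certificate) in place of the GoDaddy root, gdig2 intermediate and purchased leaf; the hostname jss.example.com and the bundle password are assumptions. It then shows the same leaf as "trusted" when the root is in the trust store and "untrusted" when it is not, which is what the jamf binary's error is reporting, and packages key plus chain the way Tomcat expects. One caveat it bakes in: openssl pkcs12 keeps only one -certfile value, so when -certfile is given twice (as in the post above) only the last file is used; the intermediates go into one concatenated chain file instead.

```shell
#!/bin/sh
# Added example (not from the thread or from Jamf). Builds a constructed
# test PKI, checks chain trust the way a client would, and packages the
# key + chain into one PKCS#12 for Tomcat. Needs only openssl.
set -e

JSS_HOST="jss.example.com"   # assumed JSS URL hostname; CN/SAN must match it
P12_PASS="changeit"          # assumed password for the .p12 you upload
WORK="$(mktemp -d)"
cd "$WORK"

# Constructed PKI: root -> intermediate -> server cert (stands in for
# GoDaddy root -> gdig2 intermediate -> purchased leaf).
make_test_pki() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test Root CA" \
    -keyout root.key -out root.csr 2>/dev/null
  openssl x509 -req -in root.csr -signkey root.key -days 30 \
    -extfile ca.ext -out root.crt 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test Intermediate CA" \
    -keyout inter.key -out inter.csr 2>/dev/null
  openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -days 30 -extfile ca.ext -out inter.crt 2>/dev/null
  # Same CSR step as in the post, hostname in both CN and SAN.
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' \
    "$JSS_HOST" > srv.ext
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$JSS_HOST" \
    -keyout priv.pem -out csr.pem 2>/dev/null
  openssl x509 -req -in csr.pem -CA inter.crt -CAkey inter.key -CAcreateserial \
    -days 30 -extfile srv.ext -out server.crt 2>/dev/null
}

# Verify the leaf the way a client does. With the root as trust anchor the
# chain is trusted; with an empty trust store (what a Mac has for a JSS
# self-signed cert, or a built-in-CA cert it never enrolled against) it is not.
chain_status() {
  if [ -n "$1" ]; then
    openssl verify -CAfile "$1" -untrusted inter.crt server.crt >/dev/null 2>&1 \
      && echo trusted || echo untrusted
  else
    openssl verify -no-CAfile -no-CApath -untrusted inter.crt server.crt >/dev/null 2>&1 \
      && echo trusted || echo untrusted
  fi
}

# The CN the client compares against the JSS URL hostname.
leaf_cn() {
  openssl x509 -in server.crt -noout -subject | sed 's/^.*CN *= *//'
}

# Package for Tomcat. openssl pkcs12 honours a single -certfile, so the
# intermediate(s) and root are concatenated into one chain file.
build_p12() {
  cat inter.crt root.crt > chain.pem
  openssl pkcs12 -export -out SSLCertificate.p12 -inkey priv.pem -in server.crt \
    -certfile chain.pem -name "$JSS_HOST" -passout "pass:$P12_PASS"
}

# Certificates inside the bundle: leaf + intermediate + root = 3.
p12_cert_count() {
  openssl pkcs12 -in SSLCertificate.p12 -nokeys -passin "pass:$P12_PASS" 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

make_test_pki
echo "root in trust store:  $(chain_status root.crt)"
echo "empty trust store:    $(chain_status)"
echo "leaf CN:              $(leaf_cn)  (must equal the JSS URL hostname)"
build_p12
echo "certs in bundle:      $(p12_cert_count)"
echo "bundle written to:    $WORK/SSLCertificate.p12"
```

Against a real JSS you would replace the constructed root and intermediate with the CA bundle your vendor supplies and check the live chain with `openssl s_client -connect <jss-host>:8443 -showcerts`; the "untrusted" branch is exactly the condition that `jamf recon` reports, and setting SSL Certificate Verification to None only hides it rather than fixing it.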