Posted on 10-15-2019 10:04 AM
Today I replaced the SSL cert for one of our storage servers. I used the JSS built-in CA to create the cert and installed it in the usual manner.
While everything appears to be fine on pre-Catalina clients, the Catalina clients fail (refuse?) to connect to the server. When enabling debug mode I see the following:
Tue Oct 15 18:44:50 catalina jamf[26008]: [DEBUG] Failed to download bom file https://mdm-stor-1.x.y/Packages/ONLYOFFICE-5.1.pkg/index.bom to /Library/Application Support/JAMF/tmp/index.bom: Connection failure: "The certificate for this server is invalid. You might be connecting to a server that is pretending to be “mdm-stor-1.x.y” which could put your confidential information at risk."
Tue Oct 15 18:44:50 catalina jamf[26008]: [DEBUG] Downloading flat package https://mdm-stor-1.x.y/Packages/ONLYOFFICE-5.1.pkg...
Tue Oct 15 18:44:50 catalina jamf[26008]: [DEBUG] Exception caught (code -1202). HTTP result code: 403
When using curl from a Catalina client and feeding it the proper node certificate, I am able to fetch the package in question.
Any idea why jamf on Catalina might fail to connect to the storage server while curl succeeds?
Posted on 10-15-2019 11:11 AM
@mschroder Catalina requires a SAN matching the server DNS name now - Requirements for trusted certificates in iOS 13 and macOS 10.15
Posted on 10-15-2019 01:11 PM
I did wonder whether the SAN requirement could play a role, but I don't think I had a SAN entry in the previous certs, and they also worked for Catalina clients. But I will certainly check this tomorrow.
Posted on 10-15-2019 01:29 PM
Just did a quick check, and saw that I did have a SAN entry in the previous certs - don't know why I missed that before. OK, at least I know now what the next action will be...
Posted on 10-16-2019 02:18 AM
@sdagley I recreated the certs, this time with a SAN entry and now also the Catalina clients are happy. Thanks for pointing this out!
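The SAN rule from the accepted answer, as an added example that is not part of the original thread or Jamf's own code: it audits decoded certificates, in the dict shape returned by Python's `ssl.SSLSocket.getpeercert()`, and reports when a host name appears only in the Common Name. The host name, the sample certificates, and the function names are constructed for illustration.

```python
# Added example (not from the thread): flag certificates whose host name
# appears only in the Common Name, the case the accepted answer describes.
# Input uses the dict shape returned by ssl.SSLSocket.getpeercert().

HOST = "stor.example.test"  # constructed host name

# Constructed sample certificates
CN_ONLY = {"subject": ((("commonName", HOST),),)}
WITH_SAN = {"subject": ((("commonName", HOST),),),
            "subjectAltName": (("DNS", HOST),)}
WILDCARD = {"subject": ((("commonName", "storage"),),),
            "subjectAltName": (("DNS", "*.example.test"),)}


def name_matches(pattern, host):
    """Compare one certificate name with a host name, label by label.
    '*' is accepted only as the entire left-most label, with at least
    two further labels to its right."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def dns_sans(cert):
    return [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]


def common_names(cert):
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def audit(cert, host):
    """'ok' if a SAN dNSName matches; 'cn-only' if only the CN matches
    (rejected by clients that ignore the CN); otherwise 'mismatch'."""
    if any(name_matches(s, host) for s in dns_sans(cert)):
        return "ok"
    if any(name_matches(cn, host) for cn in common_names(cert)):
        return "cn-only"
    return "mismatch"


if __name__ == "__main__":
    for label, cert in (("CN only", CN_ONLY), ("with SAN", WITH_SAN), ("wildcard SAN", WILDCARD)):
        print(f"{label}: {audit(cert, HOST)}")
```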