Trouble with new SSL cert for storage servers

mschroder
Valued Contributor

Today I replaced the SSL cert for one of our storage servers. I used the JSS built-in CA to create the cert and installed it in the usual manner.

While everything appears to be fine on pre-Catalina clients, the Catalina clients fail (refuse?) to connect to the server. When enabling debug mode I see the following:

Tue Oct 15 18:44:50 catalina jamf[26008]: [DEBUG] Failed to download bom file https://mdm-stor-1.x.y/Packages/ONLYOFFICE-5.1.pkg/index.bom to /Library/Application Support/JAMF/tmp/index.bom: Connection failure: "The certificate for this server is invalid. You might be connecting to a server that is pretending to be “mdm-stor-1.x.y” which could put your confidential information at risk."
Tue Oct 15 18:44:50 catalina jamf[26008]: [DEBUG] Downloading flat package https://mdm-stor-1.x.y/Packages/ONLYOFFICE-5.1.pkg...
Tue Oct 15 18:44:50 catalina jamf[26008]: [DEBUG] Exception caught (code -1202).  HTTP result code: 403

When I use curl from a Catalina client and feed it the proper node certificate, I am able to fetch the package in question.

Any idea why jamf on Catalina might fail to connect to the storage server while curl succeeds?


sdagley
Esteemed Contributor II

@mschroder Catalina requires a SAN matching the server DNS name now - Requirements for trusted certificates in iOS 13 and macOS 10.15
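A check for the SAN requirement sdagley points to, as an added example that is not from this thread, from Jamf or from Apple: it inspects a certificate in the dict form Python's ssl.getpeercert() returns and lists why Catalina would reject it, also covering the 825-day maximum validity from the same Apple requirements document. The sample certs are constructed, and fetch_peer_cert() is an assumed helper for checking a live server whose issuing CA is already trusted locally.

```python
import socket
import ssl

# Apple's cap on validity for TLS server certs issued after 2019-07-01.
MAX_VALIDITY_DAYS = 825


def _dns_match(pattern, hostname):
    """Exact match, or a single leading wildcard label (*.x.y matches a.x.y, not a.b.x.y)."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*.") and "*" not in pattern[2:] and "." in hostname:
        return hostname.split(".", 1)[1] == pattern[2:]
    return False


def check_server_cert(cert, hostname):
    """Return a list of problems; an empty list means the cert should satisfy Catalina.
    `cert` has the shape returned by ssl.SSLSocket.getpeercert()."""
    problems = []
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not sans:
        problems.append("no DNS subjectAltName entries (Catalina no longer falls back to the CN)")
    elif not any(_dns_match(san, hostname) for san in sans):
        problems.append("no SAN matches %r: %s" % (hostname, sans))
    try:
        lifetime = ssl.cert_time_to_seconds(cert["notAfter"]) - ssl.cert_time_to_seconds(cert["notBefore"])
        if lifetime > MAX_VALIDITY_DAYS * 86400:
            problems.append("validity of %d days exceeds %d" % (lifetime // 86400, MAX_VALIDITY_DAYS))
    except (KeyError, ValueError):
        problems.append("could not parse notBefore/notAfter")
    return problems


def fetch_peer_cert(hostname, port=443):
    """Assumed helper: fetch the live cert; the CA must be trusted or the handshake fails."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # we want the cert back even when the SAN is wrong
    with socket.create_connection((hostname, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


# Constructed samples in getpeercert() shape, not real certificates.
CN_ONLY_CERT = {
    "subject": ((("commonName", "mdm-stor-1.x.y"),),),
    "notBefore": "Oct 15 00:00:00 2019 GMT",
    "notAfter": "Oct 14 00:00:00 2021 GMT",
}
SAN_CERT = dict(CN_ONLY_CERT, subjectAltName=(("DNS", "mdm-stor-1.x.y"),))

if __name__ == "__main__":
    for name, cert in (("CN only", CN_ONLY_CERT), ("with SAN", SAN_CERT)):
        print(name, check_server_cert(cert, "mdm-stor-1.x.y") or "OK")
```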

mschroder
Valued Contributor

I did wonder whether the SAN requirement could play a role, but I don't think I had a SAN entry in the previous certs, and they also worked for Catalina clients. But I will certainly check this tomorrow.

mschroder
Valued Contributor

Just did a quick check, and saw that I did have a SAN entry in the previous certs - don't know why I missed that before. OK, at least I know now what the next action will be...

mschroder
Valued Contributor

@sdagley I recreated the certs, this time with a SAN entry and now also the Catalina clients are happy. Thanks for pointing this out!