MDS Cert issues

I am trying to use Munki, which is within MDS, with TLS. I am getting invalid certificate errors when accessing the URL from another machine.

When I run munki on a different machine, or the one with Munki / MDS I get these errors:

Allowing OS to handle authentication request
Download error -1202: The certificate for this server is invalid. You might be connecting to a server that is pretending to be “deploy.local” which could put your confidential information at risk.

Munki Machine:
Allowing OS to handle authentication request
2020-07-17 09:42:07.295 Python[73950:810811] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9843)
Download error -1202: The certificate for this server is invalid. You might be connecting to a server that is pretending to be “deploy” which could put your confidential information at risk.
SSL error detail: (-9843, ‘Peer host name mismatch’)

Other Machine:
SSL error detail: (-9813, ‘Cert chain not verified by root’)
Keychain list
“/Users/paulc/Library/Keychains/login.keychain-db”
Default keychain info
“/Users/paulc/Library/Keychains/login.keychain-db”
Headers: None

All this cert stuff makes my brain hurt. I am sure I am missing something simple. Any guidance would help.

It means that the hostname that it is connecting to (deploy) is probably deploy.local. Update the hostname and generate the certificate again and it should work

tim

Thanks, I figured out the issue on the server, but I am still getting the issue on my test machine. The page works fine in a browser and shows as secured now that I added the cert to the keychain, but I am still getting the error when I run munki.

Download error -1202: The certificate for this server is invalid. You might be connecting to a server that is pretending to be “deploy.local” which could put your confidential information at risk.
SSL error detail: (-9813, 'Cert chain not verified by root')
Keychain list
"/Users/paulc/Library/Keychains/login.keychain-db"
Default keychain info
"/Users/paulc/Library/Keychains/login.keychain-db"

It sounds like either the cert has a different DNS (CN) name than the one that is being connected to, or the certificate is not trusted in the keychain.

tim
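The two error codes in the thread map onto two separate checks a client makes: -9843 means the name in the certificate does not cover the hostname being connected to (deploy vs. deploy.local), and -9813 means the certificate does not chain up to a root the client trusts. The script below is an added example, not anything from the original thread, MDS or Munki: it builds a throwaway CA and a server certificate for deploy.local with the openssl CLI and then runs both checks, so you can see each failure mode in isolation before chasing it on a real client. The CA name, hostnames and file names are all constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the two SSL failure modes
# Munki reports, -9843 "Peer host name mismatch" and -9813 "Cert chain not
# verified by root", using the openssl CLI against a throwaway CA and server
# certificate generated right here. Everything below is constructed for the demo.
command -v openssl >/dev/null 2>&1 || { echo "openssl CLI required" >&2; exit 0; }

WORK=$(mktemp -d)
cd "$WORK" || exit 1

# Throwaway root CA (constructed; stands in for an internal MDS/Munki CA)
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -subj "/CN=Example Munki Root CA" -keyout ca.key -out ca.pem >/dev/null 2>&1

# Server certificate whose CN and SAN are deploy.local, signed by that CA
openssl req -newkey rsa:2048 -nodes -subj "/CN=deploy.local" \
  -keyout server.key -out server.csr >/dev/null 2>&1
printf 'subjectAltName=DNS:deploy.local\n' > san.ext
openssl x509 -req -in server.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
  -days 1 -extfile san.ext -out server.pem >/dev/null 2>&1

# Check 1 (the -9843 case): does the certificate cover the hostname the
# client connects to? Returns 0 on a match, 1 on a mismatch.
check_hostname() {
  openssl x509 -in "$1" -noout -checkhost "$2" | grep -q "does match"
}

# Check 2 (the -9813 case): does the certificate chain to a trusted root?
# With an empty CA argument only the default trust store is consulted, which
# is what happens on a client where the internal CA was never installed.
check_chain() {
  if [ -n "$1" ]; then
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
  else
    openssl verify "$2" >/dev/null 2>&1
  fi
}

# Human-readable report, the way you would run it against the repo hostname
report_host() {
  if check_hostname "$1" "$2"; then
    echo "host '$2': covered by certificate"
  else
    echo "host '$2': NOT covered (expect -9843 / Peer host name mismatch)"
  fi
}

report_host server.pem deploy.local   # the name the cert was issued for
report_host server.pem deploy         # the short name from the first log

if check_chain ca.pem server.pem; then
  echo "chain: verifies against ca.pem"
fi
if ! check_chain "" server.pem; then
  echo "chain: NOT trusted by default store (expect -9813); install and trust the CA"
fi
```

Run it as-is to see both failures side by side; against a real server, replace server.pem with the leaf certificate you pull from the host (for example via openssl s_client) and pass the exact hostname from SoftwareRepoURL to check_hostname. A browser showing the page as secured only proves the login keychain trusts the cert for that user; Munki runs as root, so the CA has to be trusted in the System keychain for the -9813 error to go away.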