MDS Cert issues

urbanstudio · July 17, 2020, 1:43pm

I am trying to use Munki, that is within MDS with TLS. I am getting invalid certificate errors, when accessing the URL from another machine.

When I run munki on a different machine, or the one with Munki / MDS I get these errors:

 Allowing OS to handle authentication request
Download error -1202: The certificate for this server is invalid. You might be connecting to a server that is pretending to be “deploy.local” which could put your confidential information at risk.

Munki Machine:
Allowing OS to handle authentication request
2020-07-17 09:42:07.295 Python[73950:810811] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9843)
Download error -1202: The certificate for this server is invalid. You might be connecting to a server that is pretending to be “deploy” which could put your confidential information at risk.
SSL error detail: (-9843, ‘Peer host name mismatch’)

Other Machine:
SSL error detail: (-9813, ‘Cert chain not verified by root’)
Keychain list
“/Users/paulc/Library/Keychains/login.keychain-db”
Default keychain info
“/Users/paulc/Library/Keychains/login.keychain-db”
Headers: None

All this cert stuff makes my brain hurt. I am sure I am missing something simple. Any guidance would help.

tperfitt · July 17, 2020, 5:06pm

It means that the hostname that it is connecting to (deploy) is probably deploy.local. Update the hostname and generate the certificate again and it should work

tim

urbanstudio · July 17, 2020, 7:02pm

Thanks, I figured out the issue on the server, but still getting the issue on my test machine. The page works fine in a browser, and shows secured, now that I added the cert to the keychain, but still getting the error when I run munki.

 Download error -1202: The certificate for this server is invalid. You might be connecting to a server that is pretending to be “deploy.local” which could put your confidential information at risk.
SSL error detail: (-9813, 'Cert chain not verified by root')
***Keychain list***
    "/Users/paulc/Library/Keychains/login.keychain-db"
***Default keychain info***
    "/Users/paulc/Library/Keychains/login.keychain-db"

tperfitt · July 27, 2020, 4:30pm

it sounds like either the cert has a different dns (cn) name than the one that is being connected to, or the certificate is not trusted in the keychain.

tim

nlcolvi · August 5, 2020, 7:13pm

I’m having the exact same problem.

tperfitt · August 7, 2020, 3:28pm

What DNS/CN/Common name is shown on the SSL Certificate when you connect via a browser to MDS? You can also look in Keychain Access.

tim