Munki SSL 10.12 (woops, fixed)


Wes Brown

Sep 22, 2016, 3:45:28 PM
to munki-dev
Hey folks,

I'm having an issue with Munki when I try to connect to my server from a Munki install on a fresh install of 10.12 Final via SSL.  I get the following error:

Checking for available updates...

2016-09-22 14:28:57.030 Python[871:13670] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9813)

ERROR: Could not retrieve manifest austin from the server: Error -1202: The certificate for this server is invalid. You might be connecting to a server that is pretending to be “servername.whatever.com” which could put your confidential information at risk.

ERROR: Could not retrieve managed install primary manifest.


This error doesn't happen on 10.11.6.  I have the same CA certificates installed on both machines and even went to the point of trusting the server directly on 10.12.


Anyone else having this issue?

Wes Brown

Sep 22, 2016, 3:57:00 PM
to munki-dev
And by fixed in the title I mean I fixed this post as I put my actual server name in it... Still got the issue though.

jtr...@gmail.com

Sep 23, 2016, 9:54:36 AM
to munki-dev
I was seeing something similar in my DEV environment. Things seemed to work if I rolled the CA certificate chain into a configuration profile and then installed that, but eventually I decided that it was worth the money to just buy a real SSL certificate from a trusted authority. That solved the problem.

Wes Brown

Sep 28, 2016, 10:54:13 AM
to munki-dev
Hey,

I made a Profile with my issuing CA and issued it to the machine.  I found it had to be installed as a Device Profile and not a User Profile and then it worked great!  Thanks so much for your help.

Steve Maser

Sep 30, 2016, 2:59:52 PM
to munki-dev
So, in general, there is an http and https file transfer issue in 10.12.0 that we have an open bug report with Apple about (not explicitly Munki related).

File transfers over http or https of larger files (which you can test just by making a 5G empty .dmg file on your repository and then just running curl -O http://<url-to-file> -- or https) will fail with an alarming frequency that does not happen on 10.9-10.11.

This failure happens more with larger files than smaller files (so you'll see it more with a test 5G file than a 1G file...)

If you can reproduce this *please file this bug* -- we are seeing a lot of our larger munki-deployed app packages just not download to the client computers without trying multiple times.  Apple needs to get more BRs on this to raise its urgency.

Thanks!


Wes Brown

Sep 30, 2016, 3:02:55 PM
to munk...@googlegroups.com
Hey Steve,

I don't think the issue you are talking about was what I was experiencing.  Mine seemed to be related to self signed certs.

--


Wes BROWN
Senior IT Infrastructure Engineer

816 Congress Ave, 6th Floor, Austin, TX 78701

Ben Goodstein

Oct 1, 2016, 1:01:20 PM
to munki-dev
Just out of interest, are you seeing this in VMware Fusion VMs or on physical boxen? There is a long-standing bug with VMware Fusion and http downloads when behind NAT.

Allister Banks

Oct 1, 2016, 1:32:18 PM
to munk...@googlegroups.com
Did you post it to open radar? Radar #?

Wes Brown

Oct 1, 2016, 1:48:44 PM
to munk...@googlegroups.com

Hmm, I am running my webserver on an ESXi box.  Odd that deploying the certificate to my client as a profile would fix it if that is the issue though.


Steve Maser

Oct 3, 2016, 4:24:39 PM
to munki-dev
If you are asking about the bug with https downloads crapping out:

1)  Not doing this in a VM -- this is with multiple Mac hardware (clean os-only installs, too...)

2)  Filed with Apple Bug Reporter -- bug # 27245227

Please pile on this one!

powershell_guru

Mar 25, 2021, 6:00:42 PM
to munki-dev

I just came across this again so I thought I would post a fix (again) just in case anyone else came into the same issue.  When you're dealing with an internally signed CA etc, the root and intermediate certificates will need to be added to the system keychain specifically as Munki isn't running as the local logged on user.
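Added example, not from the thread or the Munki project: one way to apply the fix described in the last post, adding an internal root CA and its intermediates to the System keychain with the macOS `security` tool. The certificate file names are placeholders, and the script only prints the commands unless it is run as root with `DRY_RUN=0`.

```shell
#!/bin/sh
# Added example (not from the thread): put an internal CA chain into the macOS
# System keychain so root-owned processes such as Munki trust the repo's TLS
# certificate. Certificate file names passed in are placeholders.

SYSTEM_KEYCHAIN="/Library/Keychains/System.keychain"

# Run a command, or only print it when DRY_RUN=1 (the default here).
run() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# install_ca_chain ROOT.pem [INTERMEDIATE.pem ...]
install_ca_chain() {
    if [ "$#" -lt 1 ]; then
        echo "usage: install_ca_chain ROOT.pem [INTERMEDIATE.pem ...]" >&2
        return 2
    fi
    for f in "$@"; do
        [ -r "$f" ] || { echo "cannot read $f" >&2; return 1; }
    done
    if [ "${DRY_RUN:-1}" != "1" ] && [ "$(id -u)" -ne 0 ]; then
        echo "must run as root to modify $SYSTEM_KEYCHAIN" >&2
        return 1
    fi
    root=$1; shift
    # -d: admin (system-wide) trust settings; -r trustRoot: trust as a root CA.
    run security add-trusted-cert -d -r trustRoot -k "$SYSTEM_KEYCHAIN" "$root" || return 1
    # Intermediates only need to be present; their trust derives from the root.
    for f in "$@"; do
        run security add-certificates -k "$SYSTEM_KEYCHAIN" "$f" || return 1
    done
}

# Only act when certificate paths are given on the command line.
if [ "$#" -gt 0 ]; then
    install_ca_chain "$@"
fi
```

Reviewing the printed commands first, then re-running with `sudo env DRY_RUN=0`, keeps the change to system-wide trust explicit.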