Moving from Apache to NGINX for Munki

Luke Tinker

Dec 14, 2016, 6:45:05 PM
to munki-dev
Hi Everyone,

I am currently in the process of moving my Munki servers to NGINX instead of Apache for performance reasons,
the issue is the munki client does not seem to want to send over the client certificates,
I am getting Error 400, No required SSL certificate was sent.

In a web browser, if I attempt to visit the URL I get asked for a client certificate,
selecting the appropriate certificate loads the request fine,

as far as testing environment goes,
I have 2 MacOS clients
Host1: MacOS Sierra, 10.11.6 with Munki Client 2.4.0.2601 
Host2: OSX Mavericks 10.9.5 with Munki Client 2.8.2.2855 (attached verbose run relating to connection)


The Server is CentOS 7.3.1611, nginx 1.10.2.
running openssl verify -CAfile says all is OK,

really I know I'm just at the stage where I know the client is just not sending the certificate,
I am just not sure why,
pointing back to the Apache server works perfectly fine as expected.

grateful for any thoughts or comments.


Cheers,
Luke

SaniMunkiCheckOnly151216.txt

Gregory Neagle

Dec 14, 2016, 6:56:42 PM
to munk...@googlegroups.com
From your included transcript:

<html>
<head><title>400 The SSL certificate error</title></head>
<body bgcolor="white">
<center><h1>400 Bad Request</h1></center>
<center>The SSL certificate error</center>
<hr><center>nginx</center>
</body>
</html>
Retrieving list of software for this machine...
Bytes received: 224
Status: 400

It's not clear to me why you think that means  "No required SSL certificate was sent." -- it looks just as or more likely that the server simply does not like the client cert that is being offered.

You should examine /Library/Managed Installs/Keychains/munki.keychain to see what's actually installed in that keychain, and if there is an identity preference set for https://munki.local in that keychain.

-Greg


Luke Tinker

Dec 14, 2016, 7:39:52 PM
to munki-dev
Thanks Greg,

Turns out I should check that the error I'm getting on one client is the same as the one on the other,
in this attached output's example the issue was caused because I am using Intermediary CAs and did not set the 'ssl_verify_depth' relative to the Intermediary CA which was bundled in the server config,
I am still getting the "No required SSL certificate was sent" message on the other client but I'll see what the configuration differences are between the two clients before posting more about that.

Cheers,
Luke
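
The `ssl_verify_depth` fix and a way to tell the two 400 responses in this thread apart from the server side, as an added nginx configuration example (not the poster's actual config). File paths, the log name and a chain with exactly one intermediate CA are assumptions; `munki.local` is the hostname mentioned earlier in the thread.

```nginx
# Added example. Paths and log names are placeholders, not values from the thread.

# log_format belongs in the http {} context.
# $ssl_client_verify is NONE when the client presented no certificate
# (nginx answers 400 "No required SSL certificate was sent") and FAILED
# when a certificate was presented but did not verify
# (nginx answers 400 "The SSL certificate error").
log_format mtls '$remote_addr [$time_local] "$request" $status '
                'verify=$ssl_client_verify dn="$ssl_client_s_dn"';

server {
    listen 443 ssl;
    server_name munki.local;

    ssl_certificate     /etc/nginx/tls/server.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/tls/server.key;   # placeholder path

    # PEM bundle of the CAs that sign client certificates:
    # the root CA plus the intermediate CA (assumed: one intermediate).
    ssl_client_certificate /etc/nginx/tls/client-ca-bundle.pem;

    # Require a client certificate on every request.
    ssl_verify_client on;

    # The default is 1. A client -> intermediate -> root chain needs
    # the limit raised so verification can walk up to the root.
    ssl_verify_depth 2;

    # Record the verification result per request so a missing certificate
    # and a rejected certificate are distinguishable in the log.
    access_log /var/log/nginx/munki_mtls.log mtls;

    root /srv/munki_repo;                            # placeholder path
}
```

Check the result with `nginx -t` before reloading; a `verify=NONE` entry points at the client keychain, while `verify=FAILED` points at the CA bundle or depth on the server.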

GR Pugh

Dec 16, 2016, 8:42:33 AM
to munk...@googlegroups.com
Run "sudo managedsoftwareupdate -vvv" and look at the logs in /Library/Managed Installs/Logs for cert errors.

If you are being asked to verify a certificate in your browser, it is not going to work in Munki. You need to have it already verified. If it’s a trusted certificate, putting the RootCA cert on the client should do it. If it’s self-signed, there is more to do.  Something like http://technology.siprep.org/using-https-self-signed-certificates-and-basic-authentication-with-munki/ might help.

Cheers
Graham

Luke Tinker

Jan 10, 2017, 11:53:44 PM
to munki-dev
Thanks Graham,

The verbosity with munki is the first thing I check, it's where that error came from,
the No requested SSL Certificate issue was actually due to the format of the certificates, they were not being bundled in the munki.keychain thus never being submitted to the server.

Cheers,
Luke