Munki failing SSL cert chain trust when using certificates deployed through configuration profile?


Nathan Perkins

Mar 12, 2018, 12:49:52 PM
to munki-discuss
Hello,

I've deployed our root CA and intermediate CA certificates with JAMF through configuration profile. I can see that they are in the system keychain and show as "always trust" for all the trust settings. When I visit my munki repo in Safari and Chrome, the SSL connection shows as valid and the cert chain shows trusted through the root certificate in my system keychain via the configuration profile.

Munki is telling me that the certificate for the server is invalid and refusing to connect. From the logs, it looks like Munki might be checking only the administrator login keychain.

Getting manifest sfo-lap-rd3765.company.org...
2018-03-12 09:32:05.145 Python[21441:193596] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9813)
    Download error -1202: The certificate for this server is invalid. You might be connecting to a server that is pretending to be "sfo-macmanagement.company.org" which could put your confidential information at risk.
    SSL error detail: (-9813L, u'Cert chain not verified by root')
    ***Keychain list***
        "/Users/administrator/Library/Keychains/login.keychain-db"
    ***Default keychain info***
        "/Users/administrator/Library/Keychains/login.keychain-db"
    Headers: None
ERROR: Could not retrieve managed install primary manifest.

We've been using these same certificates for the last year and a half, but before we were deploying them manually and trusting them using security add-trusted-cert.

Best,
Nathan

Eric Graham

Sep 18, 2019, 3:33:58 PM
to munki-discuss
Hi Nathan,
Did you ever figure out the solution to this?  I'm getting the same error.

Thanks,
Eric