Troubleshooting "NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL"

Sonic84

I was setting up a new Win2k12R2 server with IIS8 to be a new DP today and ran into an issue that had me running in circles.

When running a policy, the local JAMF binary would error:

2016-03-29 09:35:45.992 jamf[###.###] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9843)
The network connection was interrupted while downloading the package from https://my.server.com/Packages/DebugTest.pkg. Attempting to reconnect...

This turned out to be an issue with the certificate I installed on my DP and not a network drop as reported by the JAMF binary. The SAN hostname for my server was incomplete and this caused the kCFStreamErrorDomainSSL error found in the JAMF log. Further complicating things was the placement of the root certificate the test server was using. I had it in my user keychain instead of the system keychain. This prevented some system processes from validating the trust chain. Moving the root cert to the system keychain didn't fix things. Instead, I had to push it to my Mac via an MDM profile to get the system binaries to recognize it. I'm not sure why a drag-and-drop didn't work... But in the end I've got my test DP ready for load testing.

I wanted to mention this in case others are having similar problems.

Here is a list of some useful tools to troubleshoot server cert issues:

OpenSSL via Terminal:

openssl s_client -showcerts -connect my.server.com:443

Java KeyTool via Terminal (prints the cert contents instead of base64):

keytool -printcert -sslserver my.server.com:443

Apple nscurl in diagnostic mode via Terminal:

nscurl --ats-diagnostics https://my.server.com

cURL in verbose mode via Terminal:

curl -v https://my.server.com
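Added example (not part of the original post): error -9843 is Secure Transport's errSSLHostNameMismatch, so the quickest check is whether the name the client connects to appears in the certificate's SAN list. The function name san_covers and the SAN lines below are constructed for illustration; the post does not show the actual certificate contents.

```shell
#!/bin/sh
# Added example: does a certificate's SAN list cover the hostname clients use?
#
# Live use (needs network and OpenSSL 1.1.1 or later, not run here):
#   san=$(openssl s_client -connect my.server.com:443 -servername my.server.com \
#           </dev/null 2>/dev/null | openssl x509 -noout -ext subjectAltName)
#   san_covers my.server.com "$san" && echo covered

# san_covers HOST SAN_TEXT -> exit 0 if a DNS entry in SAN_TEXT matches HOST, else 1.
# Comparison is case-insensitive; "*.example.com" matches exactly one extra label.
san_covers() {
    host=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    # One SAN entry per line, trimmed and lower-cased ("DNS:" becomes "dns:").
    entries=$(printf '%s\n' "$2" | tr ',' '\n' \
        | sed 's/^ *//; s/ *$//' | tr '[:upper:]' '[:lower:]')
    while IFS= read -r entry; do
        case "$entry" in
            dns:*) name=${entry#dns:} ;;
            *) continue ;;               # skip headers, IP and URI entries
        esac
        if [ "$name" = "$host" ]; then return 0; fi
        case "$name" in
            \*.*)
                suffix=${name#\*}        # "*.dp.server.com" -> ".dp.server.com"
                first=${host%%.*}        # left-most label of the host
                rest=${host#"$first"}    # everything after that label
                if [ -n "$first" ] && [ "$rest" = "$suffix" ]; then return 0; fi
                ;;
        esac
    done <<EOF
$entries
EOF
    return 1
}

# Constructed SAN lines: the first lacks the FQDN (an incomplete SAN of the
# kind the post describes), the second includes it.
SAN_INCOMPLETE='DNS:my, DNS:my.server.local'
SAN_FIXED='DNS:my, DNS:my.server.com, DNS:*.dp.server.com'

for san in "$SAN_INCOMPLETE" "$SAN_FIXED"; do
    if san_covers my.server.com "$san"; then
        echo "OK        my.server.com is covered by: $san"
    else
        echo "MISMATCH  my.server.com is not in: $san"
    fi
done
```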