Unable to communicate with the ldap server - error with java certs after upgrading to Jamf 10.16 and migrating to Java 11.

StaplesApples
New Contributor

Hello everyone!
Last week we finally decided to upgrade to JAMF PRO 10.16 in our company, and that also required migrating from Java 8 to Java 11 in our case. After a successful installation on the test environment, we decided to go ahead with the upgrade on production. Everything worked fine in general; it was pretty straightforward following the provided KBs. But after the upgrade, we seem to face one major issue with the LDAP server configuration, as you can see below in the Jamf server logs.

Basically, there is an error while trying to use SSL, which is obviously necessary. It seems like it is a Java-related certificate problem, as the logs say; moreover, the LDAP server account and the server itself weren't changed at all during or before the update. So, what have we already tried?

  1. Uploading a new certificate for the LDAP server
  2. Reinstalling Java
  3. Importing the new LDAP server certificates into the Java keystore

After doing all these things and restarting JAMF, it seems that there is still one expired cert, but searching for the exact date you can see in the log on the physical RHEL machine that we have JAMF installed on doesn't show any results.

Has any of you guys faced a similar issue? Any ideas what may have caused it? Which certificate might still be needed, and how can we find that out?

Thank you in advance for any clues and your input.
Regards,
Dawid

2019-10-30 09:35:54,736 [ERROR] [Thread-308 ] [LDAPConnectionVerifier ] - Error while checking LDAP server with ID: 1 javax.naming.CommunicationException: <LDAP_server_name>:636 [Root exception is javax.net.ssl.SSLHandshakeException: NotAfter: Thu Jul 25 15:46:23 CEST 2019] at java.naming/com.sun.jndi.ldap.Connection.<init>(Connection.java:237) at java.naming/com.sun.jndi.ldap.LdapClient.<init>(LdapClient.java:137) at java.naming/com.sun.jndi.ldap.LdapClient.getInstance(LdapClient.java:1610) at java.naming/com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2752) at java.naming/com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:320) at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192) at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210) at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:153) at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:83) at java.naming/javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:730) at java.naming/javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:305) at java.naming/javax.naming.InitialContext.init(InitialContext.java:236) at java.naming/javax.naming.InitialContext.<init>(InitialContext.java:208) at java.naming/javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:101) at com.jamfsoftware.jss.objects.system.ldap.diagnostics.LDAPConnectionVerifier.openConnection(LDAPConnectionVerifier.java:96) at com.jamfsoftware.jss.objects.system.ldap.diagnostics.LDAPConnectionVerifier.isReachable(LDAPConnectionVerifier.java:46) at com.jamfsoftware.jss.objects.system.ldap.diagnostics.LDAPConnectionVerifier.isReachable(LDAPConnectionVerifier.java:33) at com.jamfsoftware.jss.objects.system.ldap.LDAPServerHTMLResponse.checkIsServerReachable(LDAPServerHTMLResponse.java:499) at 
com.jamfsoftware.jss.objects.system.ldap.LDAPServerHTMLResponse.readObjectChangesFromRequest(LDAPServerHTMLResponse.java:300) at com.jamfsoftware.jss.frontend.HTMLResponse.performSave(HTMLResponse.java:1590) at com.jamfsoftware.jss.frontend.HTMLResponse.process(HTMLResponse.java:739) at com.jamfsoftware.jss.frontend.HTMLController.processRequest(HTMLController.java:146) at com.jamfsoftware.jss.frontend.HTMLController.doPost(HTMLController.java:78) at javax.servlet.http.HttpServlet.service(HttpServlet.java:660) at javax.servlet.http.HttpServlet.service(HttpServlet.java:741) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) at com.jamfsoftware.jss.sso.filter.SsoFilter.doFilter(SsoFilter.java:66) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) at com.jamfsoftware.jss.frontend.JSSAccessFilter.doFilter(JSSAccessFilter.java:71) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) at org.apache.catalina.filters.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:109) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) at com.jamfsoftware.jss.frontend.JSSLoadingFilter.doFilter(JSSLoadingFilter.java:182) at 
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96) at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:528) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343) at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:798) at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66) at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:810) at org.apache.tomcat.util.net.Nio2Endpoint$SocketProcessor.doRun(Nio2Endpoint.java:1775) at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) at org.apache.tomcat.util.net.AbstractEndpoint.processSocket(AbstractEndpoint.java:1082) at org.apache.tomcat.util.net.Nio2Endpoint$Nio2SocketWrapper$2.completed(Nio2Endpoint.java:569) at org.apache.tomcat.util.net.Nio2Endpoint$Nio2SocketWrapper$2.completed(Nio2Endpoint.java:547) at org.apache.tomcat.util.net.SecureNio2Channel$1.completed(SecureNio2Channel.java:968) at org.apache.tomcat.util.net.SecureNio2Channel$1.completed(SecureNio2Channel.java:897) at java.base/sun.nio.ch.Invoker.invokeUnchecked(Invoker.java:127) at java.base/sun.nio.ch.Invoker$2.run(Invoker.java:219) at java.base/sun.nio.ch.AsynchronousChannelGroupImpl$1.run(AsynchronousChannelGroupImpl.java:112) at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128) at 
java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628) at java.base/java.lang.Thread.run(Thread.java:834) Caused by: javax.net.ssl.SSLHandshakeException: NotAfter: Thu Jul 25 15:46:23 CEST 2019 at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131) at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:320) at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:263) at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:258) at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:641) at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:460) at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:360) at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392) at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:443) at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:421) at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:177) at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:164) at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1152) at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1063) at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:402) at java.naming/com.sun.jndi.ldap.Connection.createSocket(Connection.java:348) at java.naming/com.sun.jndi.ldap.Connection.<init>(Connection.java:216) ... 
64 more Caused by: java.security.cert.CertificateExpiredException: NotAfter: Thu Jul 25 15:46:23 CEST 2019 at java.base/sun.security.x509.CertificateValidity.valid(CertificateValidity.java:274) at java.base/sun.security.x509.X509CertImpl.checkValidity(X509CertImpl.java:675) at java.base/sun.security.x509.X509CertImpl.checkValidity(X509CertImpl.java:648) at com.jamfsoftware.jss.objects.system.ldap.diagnostics.ssl.HostnameStrictDelegatingTrustManager.checkServerTrusted(HostnameStrictDelegatingTrustManager.java:35) at java.base/sun.security.ssl.AbstractTrustManagerWrapper.checkServerTrusted(SSLContextImpl.java:1510) at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:625) ... 76 more
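Added example (not from the post or from Jamf): a small script that parses `keytool -list -v` output from a Java truststore, flags entries whose NotAfter is already past, and matches entries against the `NotAfter:` date printed by a `CertificateExpiredException` like the one above. The keytool output and log line below are constructed samples; the truststore path and alias names are assumptions.

```python
import re
from datetime import datetime

# Constructed sample of `keytool -list -v -keystore <truststore>` output (not from the post).
SAMPLE_KEYTOOL_OUTPUT = """\
Alias name: corp-ldap-ca
Owner: CN=Corp LDAP CA, O=Example
Valid from: Wed Jul 25 15:46:23 CEST 2018 until: Thu Jul 25 15:46:23 CEST 2019

Alias name: corp-ldap-ca-2019
Owner: CN=Corp LDAP CA 2019, O=Example
Valid from: Mon Jul 01 10:00:00 CEST 2019 until: Thu Jul 01 10:00:00 CEST 2021
"""
# Constructed log line in the same shape as the exception in the post.
SAMPLE_LOG_LINE = "javax.net.ssl.SSLHandshakeException: NotAfter: Thu Jul 25 15:46:23 CEST 2019"

JAVA_DATE = r"[A-Z][a-z]{2} [A-Z][a-z]{2} \d\d \d\d:\d\d:\d\d [A-Z]+ \d{4}"
VALID_RE = re.compile(rf"^Valid from: ({JAVA_DATE}) until: ({JAVA_DATE})$")
NOT_AFTER_RE = re.compile(rf"NotAfter: ({JAVA_DATE})")

def parse_java_date(text):
    # Java's Date.toString() form, e.g. "Thu Jul 25 15:46:23 CEST 2019". strptime's %Z
    # rejects most zone abbreviations, so drop it and return a naive local datetime.
    parts = text.split()
    del parts[4]
    return datetime.strptime(" ".join(parts), "%a %b %d %H:%M:%S %Y")

def keystore_entries(keytool_output):
    # Yield (alias, not_after) for each entry in `keytool -list -v` output.
    alias = None
    for line in keytool_output.splitlines():
        if line.startswith("Alias name: "):
            alias = line[len("Alias name: "):]
        m = VALID_RE.match(line)
        if m and alias:
            yield alias, parse_java_date(m.group(2))

def expired_aliases(keytool_output, now):
    # Entries whose NotAfter is already in the past at `now`.
    return [a for a, not_after in keystore_entries(keytool_output) if not_after < now]

def aliases_matching_log(keytool_output, log_line):
    # Entries whose NotAfter equals the NotAfter printed by CertificateExpiredException.
    m = NOT_AFTER_RE.search(log_line)
    if not m:
        return []
    target = parse_java_date(m.group(1))
    return [a for a, not_after in keystore_entries(keytool_output) if not_after == target]
```

Run it against each truststore the Java 11 install and Jamf could be using (the JDK's own cacerts and any keystore configured for Tomcat) and against the LDAP server's own chain; an alias returned by `aliases_matching_log` is the entry whose expiry the handshake is reporting.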

StaplesApples
New Contributor

Any ideas?