PDA

View Full Version : "Trying to add a bogus certificate..." when sending out Profiles...




BryanSchmiedele
Aug 27, 2013, 02:36 PM
I am trying to insall a profile from Profile Manager 2 in Mac OS X Server to iPhones and am haging a terrible problem.

Let me outline the steps I am taking:

1. I enter my iPhone as a placeholder.
2. I create a new device group.
3. I add my iPhone placeholder to the group.
4. Send the Enrollement Profile to myself via email.
5. Install the Profile.

The group configuration is only to allow the device to be managed. Right now I am not even adding an app.

It looks like the profiles install, but I cannot add an app, and when I check the server logs I get this:

Aug 27 14:17:22 macserver.scoularmobile.com ProfileManager[49671] <Info>: CertUpdateHandler.run: replace/etc/certificates/Server Fallback SSL Certificate.61099C29AB0DBD78984CCCDE81DDE22C61DBB872.cert.pem0x00/etc/certificates/Device Management Identity Certificate.022C5A531765B92DC641255102513F71D982FCA9.cert.pem0x00
Aug 27 14:17:25 macserver.scoularmobile.com ProfileManager[49682] <Info>: CertUpdateHandler.run: replace/etc/certificates/Device Management Identity Certificate.0E3D10FD44E2752F0F5E0DB7F2CE5B2B6782580E.cert.pem0x00/etc/certificates/Device Management Identity Certificate.022C5A531765B92DC641255102513F71D982FCA9.cert.pem0x00
Aug 27 14:17:56 macserver.scoularmobile.com ProfileManager[49701] <Info>: CertUpdateHandler.run: replace/etc/certificates/Server Fallback SSL Certificate.61099C29AB0DBD78984CCCDE81DDE22C61DBB872.cert.pem0x00/etc/certificates/Device Management Identity Certificate.DB71C616FBA8EA95D6FE36E3014CEC544CD38B01.cert.pem0x00
Aug 27 14:17:59 macserver.scoularmobile.com ProfileManager[49711] <Info>: CertUpdateHandler.run: replace/etc/certificates/Device Management Identity Certificate.022C5A531765B92DC641255102513F71D982FCA9.cert.pem0x00/etc/certificates/Device Management Identity Certificate.DB71C616FBA8EA95D6FE36E3014CEC544CD38B01.cert.pem0x00
Aug 27 14:18:22 macserver.scoularmobile.com ruby[49605] <Info>: Pruning certificate chain to 18446744073709551615
Aug 27 14:18:22 macserver.scoularmobile.com ruby[49605] <Debug>: Trying to add a bogus certificate
Aug 27 14:18:22 macserver.scoularmobile.com ruby[49605] <Debug>: An error occured while inserting an untrusted certificate into the chain
Aug 27 14:18:22 macserver.scoularmobile.com ProfileManager[49605] <Info>: Pushed to <Device:"Bryan's iPhone"> with token 6BqFL5HRWYcCaBELhMoZUDt5I0iIyaunTH2PyMGEq8o=, {"mdm":"1463916F-C541-437F-B364-C9B44F61A73C","time":"1377631101.888488"}

What the heck is wrong? Please help, I am at my wit's end.

Bryan



alexrmc92
Aug 28, 2013, 02:00 AM
I am trying to insall a profile from Profile Manager 2 in Mac OS X Server to iPhones and am haging a terrible problem.

Let me outline the steps I am taking:

1. I enter my iPhone as a placeholder.
2. I create a new device group.
3. I add my iPhone placeholder to the group.
4. Send the Enrollement Profile to myself via email.
5. Install the Profile.

The group configuration is only to allow the device to be managed. Right now I am not even adding an app.

It looks like the profiles install, but I cannot add an app, and when I check the server logs I get this:

Aug 27 14:17:22 macserver.scoularmobile.com ProfileManager[49671] <Info>: CertUpdateHandler.run: replace/etc/certificates/Server Fallback SSL Certificate.61099C29AB0DBD78984CCCDE81DDE22C61DBB872.cert.pem0x00/etc/certificates/Device Management Identity Certificate.022C5A531765B92DC641255102513F71D982FCA9.cert.pem0x00
Aug 27 14:17:25 macserver.scoularmobile.com ProfileManager[49682] <Info>: CertUpdateHandler.run: replace/etc/certificates/Device Management Identity Certificate.0E3D10FD44E2752F0F5E0DB7F2CE5B2B6782580E.cert.pem0x00/etc/certificates/Device Management Identity Certificate.022C5A531765B92DC641255102513F71D982FCA9.cert.pem0x00
Aug 27 14:17:56 macserver.scoularmobile.com ProfileManager[49701] <Info>: CertUpdateHandler.run: replace/etc/certificates/Server Fallback SSL Certificate.61099C29AB0DBD78984CCCDE81DDE22C61DBB872.cert.pem0x00/etc/certificates/Device Management Identity Certificate.DB71C616FBA8EA95D6FE36E3014CEC544CD38B01.cert.pem0x00
Aug 27 14:17:59 macserver.scoularmobile.com ProfileManager[49711] <Info>: CertUpdateHandler.run: replace/etc/certificates/Device Management Identity Certificate.022C5A531765B92DC641255102513F71D982FCA9.cert.pem0x00/etc/certificates/Device Management Identity Certificate.DB71C616FBA8EA95D6FE36E3014CEC544CD38B01.cert.pem0x00
Aug 27 14:18:22 macserver.scoularmobile.com ruby[49605] <Info>: Pruning certificate chain to 18446744073709551615
Aug 27 14:18:22 macserver.scoularmobile.com ruby[49605] <Debug>: Trying to add a bogus certificate
Aug 27 14:18:22 macserver.scoularmobile.com ruby[49605] <Debug>: An error occured while inserting an untrusted certificate into the chain
Aug 27 14:18:22 macserver.scoularmobile.com ProfileManager[49605] <Info>: Pushed to <Device:"Bryan's iPhone"> with token 6BqFL5HRWYcCaBELhMoZUDt5I0iIyaunTH2PyMGEq8o=, {"mdm":"1463916F-C541-437F-B364-C9B44F61A73C","time":"1377631101.888488"}

What the heck is wrong? Please help, I am at my wit's end.

Bryan

do you have official certificated for "macserver.scoularmobile.com"? If so i suggest installing them and seeing if that fixes the issue.

The logs don't look bad, the error is on the debug log level which means it usually isn't a big deal.

mire3212
Sep 17, 2013, 08:15 PM
Aug 27 14:17:22 macserver.scoularmobile.com ProfileManager[49671] <Info>: CertUpdateHandler.run: replace/etc/certificates/Server Fallback SSL Certificate.61099C29AB0DBD78984CCCDE81DDE22C61DBB872.cert.pem0x00/etc/certificates/Device Management Identity Certificate.022C5A531765B92DC641255102513F71D982FCA9.cert.pem0x00


This indicates it's mostly trying to use the wrong certificate. Make sure to set the certificate in the 'Certificates' section of the Server app to the Open Directory Root Certification Authority signed certificate (it will be signed by the Intermediate CA). Also make sure to check the box in Profile Manager under 'Sign Configuration Profiles' and make sure to specify the Code Signing certificate that is also signed by the Open Directory Certification Authority -- also signed from the Intermediate CA as before.