Push Notifications not working, xscertd spamming logs.

I believe I had an internet hiccup while I was installing a fresh Lion server, and I don't think I got all the push notification certificates set up. I'm seeing logs go crazy with xscertd messages, probably about 5 per minute.


Is there a way to re-initiate that process without nuking the server and starting over?

Mac mini, Mac OS X (10.7), Server 10.7

Posted on Jul 22, 2011 2:19 AM

Jul 22, 2011 8:25 AM in response to NeoNet Tim

I'm seeing the same thing -


Fresh install of 10.7 -


crazy xscertd messages such as:



xscertd: Returning response with code 200 to ....

kernel: nstat_lookup_entry failed: 2


also


when I try to enroll a device, an error "The server certificate for "https://....../device/management/api/device/ota_service" is invalid." is displayed on the device and it fails



I thought it was my 10.6 setup so I wiped it clean and installed 10.7 fresh. Got the exact same result.

Jul 26, 2011 10:33 PM in response to Zorko993443

The second half you're seeing here, I've resolved. The "The server certificate for "https://....../device/management/api/device/ota_service" is invalid." message was eliminated by me applying a valid (not self-signed) SSL certificate on the web server. I used a free 90 day one to start from Comodo, but then moved to a cheap wildcard one for the entire server. Nothing fancy, but $94 a year.


Apparently your device MUST have established trust with the server's SSL certificate before it will allow it to import a profile. I'm unsure of how to do this manually without a purchased certificate, but I'm sure it's possible.



Also the xscertd messages have slowed down a lot since I put the certificate in, not sure if it's completely eliminated it though.

Jul 27, 2011 1:31 AM in response to NeoNet Tim

To trust a self-signed certificate, one must install the Certificate Authority Root certificate to your iOS device.


When you build self-signed certs you have created your own Certification Authority which signs your certs (instead of a commercial CA like Comodo, GoDaddy etc.).

As this CA (yours) is not known to the iOS device, you need to add it to its CA Root trusted store.


For that, just email it (the CA root cert) to your device and open it from the iOS device. Trust it. You are set!


Then all self signed certificates signed from your CA Root will be trusted. Just as if you were Verisign .. ;-)
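
The trust relationship described in the post above, as an added example that is not part of the original thread: a server certificate issued by your own CA verifies only once that CA's root certificate is in the trust store. The names `own-ca`, `vendor-root` and `server.example.test` are constructed placeholders, and a PEM file stands in for the device's trusted root store.

```shell
#!/bin/sh
# Added example: all names below are constructed placeholders.

new_root() {            # $1=dir $2=name: self-signed root CA key and certificate
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

issue_server_cert() {   # $1=dir $2=CA name $3=hostname: CSR signed by that CA
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/server.csr" -days 30 \
        -CA "$1/$2.pem" -CAkey "$1/$2.key" -CAcreateserial \
        -out "$1/server.pem" 2>/dev/null
}

chains_to() {           # $1=certificate $2=trust store (PEM file of roots)
    openssl verify -CAfile "$2" "$1" 2>&1 | grep -q ': OK$'
}

demo() {
    d=$(mktemp -d) || return 1
    new_root "$d" own-ca && new_root "$d" vendor-root &&
        issue_server_cert "$d" own-ca server.example.test ||
        { rm -rf "$d"; return 1; }

    # Device that only knows an unrelated root: server certificate is rejected.
    chains_to "$d/server.pem" "$d/vendor-root.pem" &&
        before=trusted || before=untrusted

    # Same device after the own-ca root certificate has been installed.
    cat "$d/vendor-root.pem" "$d/own-ca.pem" > "$d/store.pem"
    chains_to "$d/server.pem" "$d/store.pem" &&
        after=trusted || after=untrusted

    rm -rf "$d"
    echo "before=$before after=$after"
}

demo
```

Only the root certificate (`own-ca.pem` here) is distributed to devices; the CA private key stays on the machine that issues certificates.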

Aug 5, 2011 6:00 AM in response to NeoNet Tim

I, too, am seeing tons of the following set of messages:


Aug  5 08:03:37 XXXXXXXXX xscertd[10497]: Received connection from XXX.XXX.XXX.XXX:63595
Aug  5 08:03:37 XXXXXXXXX xscertd[10497]: Received request from XXX.XXX.XXX.XXX:63595
Aug  5 08:03:37 XXXXXXXXX xscertd[10497]: Processing request from XXX.XXX.XXX.XXX:63595 of /rfc2585/IntermediateCA_PR...
Aug  5 08:03:37 XXXXXXXXX xscertd[10497]: Returning response with code 200 to XXX.XXX.XXX.XXX:63595


Any further thoughts on this?

Oct 4, 2012 8:55 PM in response to NeoNet Tim

The Teknologist's post is right on the money. Except the whole point of installing a Trust Profile from the 2nd tab that shows up in the Enroll your Device webpage is to get your Certificate into iOS's Certificate Store so when you enroll the device the Remote Management and MDM profiles are then trusted.


So back to the issue at hand: I also had it today under 10.7.5 and the following seemed to put it right.


Some of my Certificates in the KeyChain App were set to Custom Settings, Always Trust, which I must have changed for some other reason. I set them all back to Sys Defaults and then returned to Server.app and selected None for the Server's Certificate from the Settings area. Then set it back to my certificate. I then did the same in the Profile Manager area for signing profiles, and turned Profile Manager Off then back On again.


I then got prompted that my Trust Profile was trying to install a Root CA and did I want to proceed, which I did. It then all worked and enrolled fine again.


Matt