Profile Manager Error 500 on client enrollment

My Profile Manager has been working great for a year now. I did an update the other day and now I am getting an error and cannot enroll devices. The client says error 500 with at_service.php. Below are the server logs. Any suggestions on how to get the enrollment working again?


0::Aug 17 20:24:25.432 [246] <10.0.1.12> Completed in 422ms | 200 OK [https://<SERVER-FQDN>/devicemanagement/mdm/ota_bootstrap.php]

0::Aug 17 20:24:34.500 [247] <10.0.1.12> EXCEPTION: Could not retrieve SCEP challenge. at

0::Aug 17 20:24:34.500 [247] <10.0.1.12> #0 /Applications/Server.app/Contents/ServerRoot/usr/share/devicemgr/backend/php/ota_service_common.php(361): _generate_scep_profile(Array)

0::Aug 17 20:24:34.500 [247] <10.0.1.12> #1 /Applications/Server.app/Contents/ServerRoot/usr/share/devicemgr/backend/php/ota_service.php(14): OTAServiceCommon(false)

0::Aug 17 20:24:34.500 [247] <10.0.1.12> #2 {main}

0::Aug 17 20:24:34.500 [247] <10.0.1.12> Completed in 142ms | 500 Internal Server Error [https://<SERVER-FQDN>/devicemanagement/mdm/ota_service.php]

iPhone 4, iOS 5.0.1

Posted on Aug 17, 2013 7:37 PM
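
A small triage helper for the log format quoted in the post above, added here as an example (it is not part of the original post or of Apple's tooling). It groups lines by the bracketed number, assumed here to identify one request, and reports requests that logged an exception or completed with a 5xx status; the function and field names are my own.

```python
import re

LINE = re.compile(r"^\d+::(?P<ts>\w{3} +\d+ [\d:.]+) \[(?P<req>\d+)\] <(?P<client>[^>]+)> (?P<msg>.*)$")
DONE = re.compile(r"^Completed in \d+ms \| (?P<status>\d{3}) [^\[]*\[(?P<url>[^\]]+)\]$")
FRAME = re.compile(r"^#\d+ (?P<file>\S+)\((?P<line>\d+)\): (?P<call>.+)$")

# Lines from the post above, with the wrapped "ot a_service" paths rejoined.
SAMPLE_LOG = """\
0::Aug 17 20:24:25.432 [246] <10.0.1.12> Completed in 422ms | 200 OK [https://<SERVER-FQDN>/devicemanagement/mdm/ota_bootstrap.php]
0::Aug 17 20:24:34.500 [247] <10.0.1.12> EXCEPTION: Could not retrieve SCEP challenge. at
0::Aug 17 20:24:34.500 [247] <10.0.1.12> #0 /Applications/Server.app/Contents/ServerRoot/usr/share/devicemgr/backend/php/ota_service_common.php(361): _generate_scep_profile(Array)
0::Aug 17 20:24:34.500 [247] <10.0.1.12> #1 /Applications/Server.app/Contents/ServerRoot/usr/share/devicemgr/backend/php/ota_service.php(14): OTAServiceCommon(false)
0::Aug 17 20:24:34.500 [247] <10.0.1.12> #2 {main}
0::Aug 17 20:24:34.500 [247] <10.0.1.12> Completed in 142ms | 500 Internal Server Error [https://<SERVER-FQDN>/devicemanagement/mdm/ota_service.php]
"""

def failed_requests(log_text):
    """Return requests that logged an EXCEPTION or completed with a 5xx status."""
    requests = {}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # blank or unrecognised line
        req = requests.setdefault(m.group("req"), {
            "id": int(m.group("req")), "client": m.group("client"),
            "exception": None, "frames": [], "status": None, "url": None})
        msg = m.group("msg")
        frame, done = FRAME.match(msg), DONE.match(msg)
        if msg.startswith("EXCEPTION:"):
            # The message ends in a dangling " at" before the stack trace.
            req["exception"] = re.sub(r"\s+at$", "", msg[len("EXCEPTION:"):].strip())
        elif frame:
            # Keep only the script name; the full Server.app path is noise here.
            req["frames"].append((frame.group("file").rsplit("/", 1)[-1],
                                  int(frame.group("line")), frame.group("call")))
        elif done:
            req["status"], req["url"] = int(done.group("status")), done.group("url")
    return [r for r in requests.values()
            if r["exception"] or (r["status"] or 0) >= 500]

if __name__ == "__main__":
    for r in failed_requests(SAMPLE_LOG):
        top = r["frames"][0] if r["frames"] else ("?", 0, "?")
        print(f'request {r["id"]} from {r["client"]}: HTTP {r["status"]} {r["url"]}')
        print(f'  {r["exception"]} (top frame {top[2]} at {top[0]}:{top[1]})')
```

Run over a full Profile Manager log, this separates SCEP failures from other 500s such as the "Could not retrieve root certificate" variant reported later in the thread.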

30 replies

Aug 4, 2017 2:03 AM in response to craig_o

A year and a half later and this has come back to haunt me! Really losing my patience with Apple Server 😟


I currently use active directory for all my users, DNS, DHCP and then use Profile Manager to manage the iPads / Mac stuff etc.


My question is - what exactly does MY Open Directory contain / store? Does it keep record of the devices that are attached to Profile Manager or is Profile Manager a separate system / database?

Basically if I turn my Open Directory service off and on again, will this lose any data in my Profile Manager?


thanks

Aug 27, 2013 11:10 AM in response to Gregory DiFiore

I had a similar issue. Unfortunately I had to almost completely rebuild. I tried this option http://pintofcode.com/blog/2013/2/28/restoring-profile-manager which did not work either. I even restored from a Time Machine backup without success. However after trying the restore I moved the Server.app out of Applications then back in. In this case it destroyed my OD but I was able to get the profile server up and running without doing a full rebuild.


I want to properly test this but I wondered if I could backup my OD, move the server app then restore the OD and have things work. I'm not real hopeful about that.


A couple of other things you might look at.

Check the Access Control settings for all of your server's private keys in Keychain Access. I didn't look at this info when I had my issue and it's possible something wasn't right there. It appears that all of mine allow access by any app.


I believe I saw that someone else had the issue and just ran a Server update and things were fixed. I tried running the Combo update for 10.8.4 but that didn't help. I suspect a 10.8.5 update and server update will be coming out soon. You might wait for that to see if those updates help. Run the Combo updater when it comes out then the server update.


I'm very interested if you find a real solution.

Sep 2, 2013 10:37 PM in response to Gregory DiFiore

I fixed it!!!! After days of investigating I figured out that my System.keychain was not valid anymore. So I created a new one with


sudo systemkeychain -vfcC "password"


I recommend using the C option with a password, so you have access after getting it from Time Machine. Afterwards, go on to configure Profile Manager. All your certificates will be created automatically. But in my case the following certificates didn't appear:


com.apple.kerberos.kdc

com.apple.systemdefault

Device Management Identity Certificate


I assume this was the problem (misconfigured Kerberos) that caused the error above. I fixed this issue with


sudo /usr/libexec/configureLocalKDC


I configured the profile manager again and finally it works.




If you want to build it up from scratch you can do as follows (with sudo). Make sure that all your private certificates, your OD and other important data are backed up well.




rm -R /var/root/Library/Application\ Support/Certificate\ Authority

rm /etc/certificates/*

rm /Library/Server/Web/Config/apache2/sites/0000_any_443_.conf

rm /Library/Keychains/System.keychain

slapconfig -destroyldapserver

/Applications/Server.app/Contents/ServerRoot/usr/share/devicemgr/backend/wipeDB.sh

/Applications/Server.app/Contents/ServerRoot/usr/sbin/serveradmin stop devicemgr

systemkeychain -vfcC "password"

sudo /usr/libexec/configureLocalKDC


Configure profile manager within Server App


Maybe you need to repair dovecot manually by editing /Library/Server/Mail/Config/dovecot/conf.d/10-ssl.conf and pointing the certificate parameters to the appropriate ones stored at /etc/certificates


Maybe this works for you as it did for me. I give no guarantee against any loss of data!!

Mar 27, 2014 5:34 AM in response to Gregory DiFiore

Hi,


I actually got this error (EXCEPTION: 500 Internal Server Error - Could not retrieve root certificate from open directory server.) and I wasted a lot of time on this.


In my case, I upgraded OS X Server 3.0.3 to 3.1, which scrapped my Profile Manager DB after deleting a person from Wiki... But that's another story.


Anyways, I came back to 3.0.3 through Time Machine (thank you TM!) by copying /Applications/Server.app (3.0.3) and the entire /Library/Server folder.


But this is where I got error 500 while trying to enroll a device. Turns out that Profile Manager depends on many things (APN, DNS, plists, etc.) and one of these things is Open Directory. Turns out that it was "simply" turned off in the OS X Server interface. I simply turned it back on, and error 500 was gone...


So, basically, Profile Manager needs Open Directory, even if you're not using it.


Might not be the source of your problem, but it was mine. And after a few days wasted, I'm happy to see that it was this simple.


(It would have been nice for OS X Server to say: "Hey, by the way, OD is turned off... This could cause an issue. You might want to turn it back on"...)

Apr 15, 2014 8:44 PM in response to Gregory DiFiore

I was having the exact same problem for over a year, and basically gave up completely on Profile Manager, but after revisiting it for the 4th or 5th time today discovered a solution that may work for you.


Basically http://pintofcode.com/blog/2013/2/28/restoring-profile-manager wasn't too far off, it's just missing a few crucial steps: clearing out the CAs from your LDAP records, and purging the "/var/root/Library/Application Support/Certificate Authorities/" folder. You will lose your CAs and have to reinstall all of your trust profiles if you don't have a certificate signed by a Trusted CA, but you don't need to completely destroy your OpenDirectory and lose all of your users' passwords.


I've got a write up on my github page that may help. https://github.com/eahrold/OSX_Server_Notes/blob/master/Fixing_Profile_Manger.md

Jun 12, 2014 11:00 AM in response to Gregory DiFiore

Have you made sure the server is still selected to sign configuration profile (including the Trust Profile) in Profile Manager? I found that in switching to Server 3+ it unset this drop-down from the Profile Manager tab and turning it back on was just a matter of verifying the existing certificate you were using in the Server App - Certificates page, then navigating to the Profile Manager page and re-checking the box next to "Sign Configuration Profiles".


I have actually seen this happen on a couple of different servers, so I think it is a problem inherent in the update to Server 3.

Dec 29, 2014 9:13 PM in response to Dirk777

I need some help.


I tried the sudo systemkeychain -vfcC "password" command and lost all my certificates under the Server app.
I did a Time Machine backup and restore of the system keychain file and got the certificates back, but now Profile Manager is not starting.


Safari cannot connect to the server.


Locally or remotely.


I am not a Mac pro and need some help getting it back up and running.


Log says


unable to find the passphrase for exported private key.


Since I changed the password for systemkeychain, it's the issue.
