
MDM Profilemanager Error "attempt to connect to 127.0.0.1:3328 (127.0.0.1) failed"

I'm running Profilemanager on Yosemite Server. The main problem is that I cannot integrate further devices through Profilemanager or https://URL to MDM/mydevices. The error is simply nothing or Internal Server Error in the browser.


The HTTP error log permanently shows the following errors for connections to ports 3328 and 3329 on localhost.


[Fri Oct 24 09:13:53.604064 2014] [proxy:error] [pid 3420] (61)Connection refused: AH00957: HTTP: attempt to connect to 127.0.0.1:3328 (127.0.0.1) failed

[Fri Oct 24 09:13:53.604262 2014] [proxy:error] [pid 3420] AH00959: ap_proxy_connect_backend disabling worker for (127.0.0.1) for 60s

[Fri Oct 24 09:13:53.604292 2014] [proxy_http:error] [pid 3420] [client xx.xx.xx.xx:23688] AH01114: HTTP: failed to make connection to backend: 127.0.0.1, referer: https://URL to MDM/profilemanager/

[Fri Oct 24 09:13:53.604515 2014] [proxy:error] [pid 3420] (61)Connection refused: AH00957: HTTP: attempt to connect to 127.0.0.1:3329 (127.0.0.1) failed

[Fri Oct 24 09:13:53.604535 2014] [proxy:error] [pid 3420] AH00959: ap_proxy_connect_backend disabling worker for (127.0.0.1) for 60s


Any idea how to fix that?


Martin

iPad (3rd gen) Wi-Fi + Cellular, iOS 8

Posted on Oct 24, 2014 12:30 AM


Oct 24, 2014 10:27 PM in response to teufelm

Martin,


Those particular errors are harmless. It appears that the static apache configuration used has a round robin proxy pre-configured to use 10 ports, but the number of actual processes created for those ports varies by the amount of physical RAM installed in the machine. In any case, Apache will skip the ports where there is not any process listening and keep looking until it does find one listening. Since the port range is 3320 to 3329, it would appear that you have 8 (of a maximum of 10) of these processes running. (You can confirm this by looking at /Library/Logs/ProfileManager/dmrunnerd.log, if you like.)


I suspect you can find clues to your problem in the /Library/Logs/ProfileManager/profilemanager.log file, as that is where the logging for the processes that listen on these ports goes to. Errors in this log file are hard to miss—they're usually at least 50 lines long. If you find any errors in that log, paste one here and I'll see if I can help.

Oct 27, 2014 2:30 AM in response to mscott_mdm

Thanks for the info. I looked into the /Library/Logs/ProfileManager/dmrunnerd.log file:



It logs the login process of the iPad to https://. ../Profilemanager and also to https://. ../mydevices, but if I tap "sign in this ipad" in the page https://.. ./mydevices there are no events logged to the file. The iPad says on the display "500 internal server error".



Apache Log says:

[Mon Oct 27 10:20:52.072725 2014] [proxy:error] [pid 2135] (61)Connection refused: AH00957: HTTP: attempt to connect to 127.0.0.1:3328 (127.0.0.1) failed

[Mon Oct 27 10:20:52.072931 2014] [proxy:error] [pid 2135] AH00959: ap_proxy_connect_backend disabling worker for (127.0.0.1) for 60s

[Mon Oct 27 10:20:52.072960 2014] [proxy_http:error] [pid 2135] [client xx.xx.xx.xx:12854] AH01114: HTTP: failed to make connection to backend: 127.0.0.1, referer: https://. ../mydevices/

[Mon Oct 27 10:20:52.073156 2014] [proxy:error] [pid 2135] (61)Connection refused: AH00957: HTTP: attempt to connect to 127.0.0.1:3329 (127.0.0.1) failed

[Mon Oct 27 10:20:52.073175 2014] [proxy:error] [pid 2135] AH00959: ap_proxy_connect_backend disabling worker for (127.0.0.1) for 60s

[Mon Oct 27 10:20:52.073187 2014] [proxy_http:error] [pid 2135] [client xx.xx.xx.xx:12854] AH01114: HTTP: failed to make connection to backend: 127.0.0.1, referer: https://. ../mydevices/



Is there another logfile I can look into?



Martin

Oct 27, 2014 7:36 AM in response to teufelm

Martin,


The dmrunnerd.log file doesn't really log much of anything useful (unless there are indications that the ruby processes used by Profile Manager are not launching). The file you need to look in is /Library/Logs/ProfileManager/profilemanager.log. That's the one most likely to indicate why you're getting 500 errors from /profilemanager and /mydevices. (The latest errors you pasted from the apache error_log are essentially the same as you posted originally and are normal—they are not the source of your problem.)

Oct 28, 2014 2:36 AM in response to mscott_mdm

Hey!


The problem is that the profilemanager.log just says nothing if I click the enroll button.


Just tried again to connect an iPad Air (iOS 8.1) and iPad 1 (iOS 5.1.1) to the Profilemanager.

The enrollment process calls the URL https://.../devicemanagement/mdm/mdm_enroll and then ends in the error "500 Internal Server Error".


What to do next?


Martin

Oct 29, 2014 5:59 AM in response to mscott_mdm

php.log logs the following:


1::Oct 29 13:54:21.101 [51328] <172.16.64.66> {LogElapsedTime (common.php:82)} Time since script start: 267us [https://... /devicemanagement/mdm/mdm_enroll]

1::Oct 29 13:54:21.101 [51328] <172.16.64.66> {require_once (mdm_enroll.php:11)} vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv - POST mdm_enroll

1::Oct 29 13:54:21.418 [51328] <172.16.64.66> {GetMDMACLFromUserAgentHeader (mdm_enroll.php:71)} iOS version 8.1

0::Oct 29 13:54:51.508 [51328] <172.16.64.66> {LogException (common.php:470)} EXCEPTION: 500 Internal Server Error - Could not retrieve root certificate from open directory server. at

0::Oct 29 13:54:51.508 [51328] <172.16.64.66> #0 /Applications/Server.app/Contents/ServerRoot/usr/share/devicemgr/backend/php/ota_service_common.php(43): DieInternalError('Could not retri...')

0::Oct 29 13:54:51.508 [51328] <172.16.64.66> #1 /Applications/Server.app/Contents/ServerRoot/usr/share/devicemgr/backend/php/mdm_enroll.php(77): GenerateMDMBindingProfile(8191, '0F17AC53-094A-4...')

0::Oct 29 13:54:51.508 [51328] <172.16.64.66> #2 {main}

1::Oct 29 13:54:51.508 [51328] <172.16.64.66> {SendFinalOutput (common.php:477)} Sent Final Output (26 bytes)

1::Oct 29 13:54:51.508 [51328] <172.16.64.66> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - /devicemanagement/mdm/mdm_enroll

0::Oct 29 13:54:51.508 [51328] <172.16.64.66> {SendFinalOutput (common.php:477)} Completed in 30407ms | 500 Internal Server Error [https://.. ../devicemanagement/mdm/mdm_enroll]


Which root certificate does the system want to retrieve?

The server was updated from Mavericks to Yosemite Server.


Martin

Oct 29, 2014 9:42 AM in response to teufelm

Martin,


It looks like the system identity preferences for the OD CA certs are either broken or gone. You might be able to fix this using Keychain Access. Look in your System keychain for the items named "OPENDIRECTORY_INT_CA_IDENTITY" and "OPENDIRECTORY_ROOT_CA_IDENTITY". If they exist, double-click on each one to inspect the "Preferred Certificate" for each. They should be set to "IntermediateCA_<HOSTNAME>_1" and "<OrgName> Open Directory Certificate Authority" respectively. If the preferences are missing but the certificates are there, select each certificate (one at a time), select File -> New Certificate Preference... and enter the corresponding preference names I listed above. These will probably get created in the "login" keychain, so if you don't see the identity preferences you created, switch to the login keychain, find them there, and drag them to the System keychain to install them there.

Oct 29, 2014 10:28 AM in response to mscott_mdm

Hey!


I found both correct:

OPENDIRECTORY_INT_CA_IDENTITY with preferred "IntermediateCA_..._1"

OPENDIRECTORY_ROOT_CA_IDENTITY with preferred ".. Open Directory Certificate Authority"


There is also a third called OPENDIRECTORY_SSL_IDENTITY?


What I also found is that push notifications to the server are set to "on" (Server -> Settings -> "Enable Push notifications"). But when I click edit to read the used Apple ID, it shows only blank info.

AppleID: blank

Expires: blank

The Change button and Renew button are also possible.

I don't know if that is something important?

Can I log in again with the correct credentials I used during server setup, although there is a warning when I change the Apple ID?


martin

Nov 2, 2014 11:55 PM in response to teufelm

Hello!


I have now renewed the certificate for the push service (with the same credentials).


php.log still says the same:


1::Nov 03 08:51:22.156 [662] <172.16.64.66> {LogElapsedTime (common.php:82)} Time since script start: 46711us [https://xxx/devicemanagement/mdm/mdm_enroll]

1::Nov 03 08:51:22.171 [662] <172.16.64.66> {require_once (mdm_enroll.php:11)} vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv - POST mdm_enroll

1::Nov 03 08:51:23.166 [662] <172.16.64.66> {GetMDMACLFromUserAgentHeader (mdm_enroll.php:71)} iOS version 8.1

0::Nov 03 08:51:53.973 [662] <172.16.64.66> {LogException (common.php:470)} EXCEPTION: 500 Internal Server Error - Could not retrieve root certificate from open directory server. at

0::Nov 03 08:51:53.973 [662] <172.16.64.66> #0 /Applications/Server.app/Contents/ServerRoot/usr/share/devicemgr/backend/php/ota_service_common.php(43): DieInternalError('Could not retri...')

0::Nov 03 08:51:53.973 [662] <172.16.64.66> #1 /Applications/Server.app/Contents/ServerRoot/usr/share/devicemgr/backend/php/mdm_enroll.php(77): GenerateMDMBindingProfile(8191, '6E80929D-B7A4-4...')

0::Nov 03 08:51:53.973 [662] <172.16.64.66> #2 {main}

1::Nov 03 08:51:53.973 [662] <172.16.64.66> {SendFinalOutput (common.php:477)} Sent Final Output (26 bytes)

1::Nov 03 08:51:53.973 [662] <172.16.64.66> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - /devicemanagement/mdm/mdm_enroll

0::Nov 03 08:51:53.973 [662] <172.16.64.66> {SendFinalOutput (common.php:477)} Completed in 31864ms | 500 Internal Server Error [https://xxx/devicemanagement/mdm/mdm_enroll]


Do you have any more suggestions to fix this problem?
Martin

Nov 3, 2014 8:09 AM in response to teufelm

Martin,


Open up Keychain Access, click on the System keychain, and check that both the "Intermediate CA..." and "... Open Directory Certificate Authority" private keys have Access Control set to "Allow all applications to access this item". You do this by double-clicking on the private key entry (not the certificate), then clicking on the Access Control tab. If these are not set to "Allow all applications to access this item" that would explain the problem, and switching back to this should fix it.

Nov 3, 2014 11:35 PM in response to mscott_mdm

Hi!


Thanks for the info, but I again didn't solve the problem.

Both private certificates had, under Access Control, only access for a few applications. I changed it to be allowed for all applications. I restarted the server.


The error message is still the same:

1::Nov 04 08:18:33.612 [984] <172.16.64.66> {SendFinalOutput (common.php:477)} Sent Final Output (26 bytes)

1::Nov 04 08:18:33.612 [984] <172.16.64.66> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - /devicemanagement/mdm/mdm_enroll

0::Nov 04 08:18:33.612 [984] <172.16.64.66> {SendFinalOutput (common.php:477)} Completed in 30454ms | 500 Internal Server Error [https://xxx/devicemanagement/mdm/mdm_enroll]



The /Library/Logs/Profilemanager/scep_helper.log shows the following - maybe this helps you?:

0:: [983] [2014/11/04 08:18:03.541] getSCEPURL: hostname = '127.0.0.1', urlString = 'http://127.0.0.1:1640/scep/'

1:: [983] [2014/11/04 08:18:33.610] EXCEPTION: Error <kern_return_t SCEPHELPERS_GetSCEPRootCertificate(mach_port_t, vm_offset_t *, mach_msg_type_number_t *, vm_offset_t *, mach_msg_type_number_t *, audit_token_t) (/SourceCache/RemoteDeviceManagement/RemoteDeviceManagement-883.16/Compiled/scep_helper/main.m:1088): "'((status = SCEPGetCACert(session, ((void*)0), 0)))' error -603">

USERINFO: {

NSLocalizedDescription = "Carbon error -603";

}



Any other idea?

Martin

Nov 4, 2014 7:47 AM in response to teufelm

Can you look back in the scep_helper.log to see if the error has always been -603 (and has it always occurred at "scep_helper/main.m:1088"), or if it changed when you changed the permissions on the private keys? Also, can you go back into Keychain Access and double-check that the access is still "all applications"? I've seen it sometimes revert back.


If the error changed, then we probably fixed one problem and now have a different one. Thanks.

Nov 4, 2014 10:05 AM in response to mscott_mdm

Hi!


It's still the same error in scep_helper.log. E.g. 2014/10/31

0:: [665] [2014/10/31 10:17:59.569] getSCEPURL: hostname = '127.0.0.1', urlString = 'http://127.0.0.1:1640/scep/'

1:: [665] [2014/10/31 10:18:29.606] EXCEPTION: Error <kern_return_t SCEPHELPERS_GetSCEPRootCertificate(mach_port_t, vm_offset_t *, mach_msg_type_number_t *, vm_offset_t *, mach_msg_type_number_t *, audit_token_t) (/SourceCache/RemoteDeviceManagement/RemoteDeviceManagement-883.16/Compiled/scep_helper/main.m:1088): "'((status = SCEPGetCACert(session, ((void*)0), 0)))' error -603">

USERINFO: {

NSLocalizedDescription = "Carbon error -603";

}


The private keys of "Intermediate CA..." and "... Open Directory Certificate Authority" are still accessible for all applications ("access to this item is not restricted").


Martin

Sep 4, 2015 10:50 AM in response to Lonewaffle

SOLVED


The problem is in apache config files "0000_any_443_.conf" and "0000_any_80_.conf" located in "/Library/Server/Web/Config/apache2/sites/"


If you open them with a text editor you can see the ProxyPassReverse on line 31, followed by BalancerMember tags:


BalancerMember balancer://balancer-group-webapp-com.apple.webapp.devicemgr--devicemanagement-webapi http://127.0.0.1:3320
BalancerMember balancer://balancer-group-webapp-com.apple.webapp.devicemgr--devicemanagement-webapi http://127.0.0.1:3321
BalancerMember balancer://balancer-group-webapp-com.apple.webapp.devicemgr--devicemanagement-webapi http://127.0.0.1:3322
BalancerMember balancer://balancer-group-webapp-com.apple.webapp.devicemgr--devicemanagement-webapi http://127.0.0.1:3323
BalancerMember balancer://balancer-group-webapp-com.apple.webapp.devicemgr--devicemanagement-webapi http://127.0.0.1:3324
BalancerMember balancer://balancer-group-webapp-com.apple.webapp.devicemgr--devicemanagement-webapi http://127.0.0.1:3325
BalancerMember balancer://balancer-group-webapp-com.apple.webapp.devicemgr--devicemanagement-webapi http://127.0.0.1:3326
BalancerMember balancer://balancer-group-webapp-com.apple.webapp.devicemgr--devicemanagement-webapi http://127.0.0.1:3327
BalancerMember balancer://balancer-group-webapp-com.apple.webapp.devicemgr--devicemanagement-webapi http://127.0.0.1:3328
BalancerMember balancer://balancer-group-webapp-com.apple.webapp.devicemgr--devicemanagement-webapi http://127.0.0.1:3329


I don't know why, but some of those ports are not opened.


If you try to open links (locally on the server) from lower ports like http://127.0.0.1:3320/ you can see a response (in the browser): a feedback page from a service.

If you use higher ports like http://127.0.0.1:3329/ and http://127.0.0.1:3328 the service seems to be not working (you can't see any response in the browser).


SOLUTION:

For my case I deleted lines that use ports 3328 and 3329, saved the file and restarted apache (#sudo apachectl restart)
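
Added example, not part of any poster's reply: a POSIX shell sketch that cross-checks the BalancerMember ports in a site config against the ports Apache logged as AH00957 "Connection refused", the relationship discussed in this thread. The sample config and log text are constructed from lines quoted above, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample config: the ten BalancerMember lines quoted in the thread.
GROUP='balancer://balancer-group-webapp-com.apple.webapp.devicemgr--devicemanagement-webapi'
SAMPLE_CONF=$(for p in 3320 3321 3322 3323 3324 3325 3326 3327 3328 3329; do
    printf 'BalancerMember %s http://127.0.0.1:%s\n' "$GROUP" "$p"
done)

# Constructed sample log: error_log lines as quoted in the first post.
SAMPLE_LOG='[Fri Oct 24 09:13:53.604064 2014] [proxy:error] [pid 3420] (61)Connection refused: AH00957: HTTP: attempt to connect to 127.0.0.1:3328 (127.0.0.1) failed
[Fri Oct 24 09:13:53.604262 2014] [proxy:error] [pid 3420] AH00959: ap_proxy_connect_backend disabling worker for (127.0.0.1) for 60s
[Fri Oct 24 09:13:53.604515 2014] [proxy:error] [pid 3420] (61)Connection refused: AH00957: HTTP: attempt to connect to 127.0.0.1:3329 (127.0.0.1) failed
[Mon Oct 27 10:20:52.072725 2014] [proxy:error] [pid 2135] (61)Connection refused: AH00957: HTTP: attempt to connect to 127.0.0.1:3328 (127.0.0.1) failed'

# Ports declared as BalancerMember backends on 127.0.0.1 (config on stdin).
member_ports() {
    sed -n 's|^[[:space:]]*BalancerMember[[:space:]].*http://127\.0\.0\.1:\([0-9][0-9]*\).*$|\1|p' | sort -un
}

# Ports for which Apache logged AH00957 connection refused (error_log on stdin).
refused_ports() {
    sed -n 's|.*Connection refused: AH00957: .*attempt to connect to 127\.0\.0\.1:\([0-9][0-9]*\) .*|\1|p' | sort -un
}

# Configured members that were refused. $1 = config text, $2 = error_log text.
dead_members() {
    refused=$(printf '%s\n' "$2" | refused_ports)
    for p in $(printf '%s\n' "$1" | member_ports); do
        if printf '%s\n' "$refused" | grep -qx "$p"; then
            printf '%s\n' "$p"
        fi
    done
    return 0
}

# One-line summary: how many members are configured, how many were refused.
summary() {
    total=$(printf '%s\n' "$1" | member_ports | wc -l | tr -d ' ')
    dead=$(dead_members "$1" "$2" | wc -l | tr -d ' ')
    printf 'configured=%s refused=%s\n' "$total" "$dead"
}

dead_members "$SAMPLE_CONF" "$SAMPLE_LOG"
summary "$SAMPLE_CONF" "$SAMPLE_LOG"
```
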
