
Cannot Renew Code Signing Certificate

Hello Community.


Looking for some help with a problem of mine.


OSX: Server 4.03 (Yosemite) 10.10.1

Hardware: Mac Mini (late 2012)


I've been trying to renew my Code Signing Certificate before July 23rd. Clicking on the 'Renew' (via Alerts) button just tells me 'Failed Cannot renew "server name" Code Signing Certificate'.

If I double click on the existing Code Signing Cert in the Server Certificate view on Server it will delete itself from the Certificate view, therefore deleting itself from 'Sign Configuration Profiles' in Profile Manager.


I've started to try and create a new Code Signing Cert but I have not found a way to create a new one.

I have followed this article: OS X Server: Renewing Profile Manager's code signing certificate - Apple Support

The error below is a result of me following the Document.

I have exported the Certs and re-imported them.


What I just noticed, which is obvious now, is I have not updated the OS and Server. Wondering if this is causing the issue.


I'm at a loss and running out of time (heading away tomorrow for 10 days) and I really don't want to re-enrol the Macs again.


Cheers

a.

---

sudo /Applications/Server.app/Contents/ServerRoot/usr/sbin/certadmin --recreate-CA-signed-certificate "xxxx.xxx.local Code Signing Certificate" "IntermediateCA_xxxMAC01.xxx.LOCAL_1" 26ff45e3

2015-07-16 16:11:17.6428 certadmin[5425:main] {BundleManager.m:1727} <Notice> BundleManager(non-plugin calling servermgr_certs): doCommand waiting for reply from servermgr_certs

2015-07-16 16:11:18.6191 certadmin[5425:1203] {BundleManager.m:1718} <Notice> BundleManager(non-plugin calling servermgr_certs): got a reply = {

error = <62706c69 73743030 d4010203 04050618 19582476 65727369 6f6e5824 6f626a65 63747359 24617263 68697665 72542474 6f701200 0186a0a4 07081112 55246e75 6c6cd409 0a0b0c0d 0e0f1056 4e53436f 64655a4e 53557365 72496e66 6f584e53 446f6d61 696e5624 636c6173 7313ffff ffff8001 08208000 80028003 5f10154e 534f5353 74617475 73457272 6f72446f 6d61696e d2131415 165a2463 6c617373 6e616d65 5824636c 61737365 73574e53 4572726f 72a21517 584e534f 626a6563 745f100f 4e534b65 79656441 72636869 766572d1 1a1b5472 6f6f7480 0108111a 232d3237 3c424b52 5d666d76 787a7c94 99a4adb5 b8c1d3d6 db000000 00000001 01000000 00000000 1c000000 00000000 00000000 00000000 dd>;

errorCode = "-2147416032";

errorDescription = "The operation couldn\U2019t be completed. (OSStatus error -2147416032.)";

}

2015-07-16 16:11:18.6198 certadmin[5425:main] {BundleManager.m:1742} <Notice> BundleManager(non-plugin calling servermgr_certs): doCommand finished reply = {

error = <62706c69 73743030 d4010203 04050618 19582476 65727369 6f6e5824 6f626a65 63747359 24617263 68697665 72542474 6f701200 0186a0a4 07081112 55246e75 6c6cd409 0a0b0c0d 0e0f1056 4e53436f 64655a4e 53557365 72496e66 6f584e53 446f6d61 696e5624 636c6173 7313ffff ffff8001 08208000 80028003 5f10154e 534f5353 74617475 73457272 6f72446f 6d61696e d2131415 165a2463 6c617373 6e616d65 5824636c 61737365 73574e53 4572726f 72a21517 584e534f 626a6563 745f100f 4e534b65 79656441 72636869 766572d1 1a1b5472 6f6f7480 0108111a 232d3237 3c424b52 5d666d76 787a7c94 99a4adb5 b8c1d3d6 db000000 00000001 01000000 00000000 1c000000 00000000 00000000 00000000 dd>;

errorCode = "-2147416032";

errorDescription = "The operation couldn\U2019t be completed. (OSStatus error -2147416032.)";

}

/Applications/Server.app/Contents/ServerRoot/usr/sbin/certadmin --recreate-CA-signed-certificate: Unable to renew identity 'xxxmac01.xxx.local Code Signing Certificate': The operation couldn’t be completed. (OSStatus error -2147416032.) (-2147416032)

---

Mac mini, OS X Server

Posted on Jul 16, 2015 5:02 PM


Jul 16, 2015 5:50 PM in response to Olukai

I think that this:


Unable to renew identity 'xxxmac01.xxx.local Code Signing Certificate'


is the clue. I'm fairly sure you'll need a fully qualified domain name for your server before you can get a certificate for it. If you are renewing a previous certificate it needs to match the FQDN that one was issued to. My guess is your DHCP and/or DNS settings are wrong.


C.


Edit: In case it's not obvious, 'foo.bar.local' is a private network name, not a FQDN like 'foo.bar.com'

Jul 27, 2015 10:30 AM in response to cdhw

Thanks for the reply. Sorry for the delay in replying. Hard to get access to a decent connection while travelling about.

Although you are probably correct, I am wondering why I could create (and renew) a Code Signing Certificate using .local for the previous years. Our entire domain is set up as .local (it's changing later this year).

Did something change with Yosemite?

Our Profile Manager is not accessible outside our network. Machines only receive payload updates while inside the network.


All my other certs are xxx.local too.


I'm sensing I may have to create new Certs for my setup.

Jul 27, 2015 6:16 PM in response to Olukai

I suspect that although it may have worked in the past, it shouldn't have.

If you only use the certificates on your own network you might as well set up your own CA and self-sign them. Perhaps that's what you are doing, in which case my guess is Yosemite is being more pedantic than its predecessor.


C.

Jul 28, 2015 3:33 PM in response to cdhw

My entire OS X/iOS setup is internal only. When I went to rename the hostname to xxx.@xxx.da.au you can still choose .local for internal access only. This is what I set up before. Yet Apple say not to and it really is considered deprecated even though there is an option to call your server .local.😕

Anyway, server name is changed to xxx.de.au and now the recreation of Certs and re-enrollment begins.


Thanks for all the help everyone.

a.

Aug 12, 2015 9:09 AM in response to Olukai

For those wanting to know the outcome of my cert issue.

In the end I rebuilt the entire server and will start to re-enroll all the Macs and iOS devices.

I spent a week trying different approaches on a test environment first. Here is a quick and dirty rundown.

  • Restore Server to a different OSX device
  • Renamed Server
  • Tried to redo certs - failed on all levels
  • Exported/Imported the Profile Configurator Database - just to confirm this works
  • Renamed the Profile Configurator in Finder/removed Server App/Deleted Trash/Re-downloaded Server/Launch/Run through Set up - fail
  • Delete the entire Server contents (in Finder) and did the above steps again - fail.
  • Tried variations of the above - fail.
  • Moved to live server.
  • Reinstalled OS over the current OS, reinstalled Server etc. Trust Profile worked, Enrolment profile did not work.
  • Finally blew everything away - rebuilt Server from scratch, imported Profile Configurator DB. Downloaded Trust and Enrolment Profiles. All worked perfectly.
  • Now to run around and re-enrol everything again.
  • The server NOT using .local!!

At almost every step there was an issue with Certs. It was not until I wiped the server and rebuilt from scratch that the Certs worked properly.


Any advice on the best way to do this? Deploy Studio isn't working so well. The Trust Profile installs as unverified and the Enrolment Profile didn't install. Manually everything works just peachy!


Thanks for all the advice.
