Certificate Error with Munki on Mavericks

Mavericks Stops Talking to Munki

Currently I use a self-signed certificate on the Apache server hosting my Munki files. In Mountain Lion and before, I could just point the Munki client to a cert from the server and the client worked fine. But once I upgraded to Mavericks, the Munki client stopped being able to access the files on the server and check in.

Mavericks Wants to Handle Certificates Differently

It looks like “curl”, the command the Munki client uses, is a different version in Mavericks than in Mountain Lion, and this version isn’t trusting self-signed certs correctly when you tell it to ignore the fact that the cert is self-signed. As a result, the curl command that the Munki client is using won’t load the webpage, and Munki is unable to get its required files. To run Munki on Mavericks, I did the following.

Put Certificate into System Keychain

The way I’ve found to fix this is to put the certificate for the Munki server into the system-wide keychain in Mavericks. Here is a discussion in Google Groups that led me to the solution I’m using. I used a single command to take the server cert, which is already on the system (from my imaging process) at the location /usr/local/munki/munki.grivet-tools.cert, and add it to the system keychain. The full command is: (NOTE: it does have to run as root)
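An added example, not the author's original command: one way to do this step with the macOS `security` tool, checking the file before it becomes a system-wide trust anchor. The PEM assumption, the world-writable check, the `-p ssl` restriction, the overridable `SECURITY` variable and the `--install` switch are choices made for this example.

```shell
#!/bin/sh
# Added example: trust the Munki server's self-signed certificate system-wide.
# CERT is the location named in the post; KEYCHAIN is the standard macOS
# System keychain. SECURITY is overridable (assumption, to allow testing).
CERT="${CERT:-/usr/local/munki/munki.grivet-tools.cert}"
KEYCHAIN="${KEYCHAIN:-/Library/Keychains/System.keychain}"
SECURITY="${SECURITY:-/usr/bin/security}"

# Succeeds only if the file looks like a PEM certificate (assumption: PEM, not DER).
is_pem_cert() {
    [ -f "$1" ] &&
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" &&
    grep -q -- '-----END CERTIFICATE-----' "$1"
}

# Succeeds if any local user could have replaced the file's contents.
is_world_writable() {
    [ -n "$(find "$1" -prune -perm -002 2>/dev/null)" ]
}

# Exit codes: 0 trusted, 2 bad/missing cert, 3 unsafe permissions, 4 not root.
trust_munki_cert() {
    cert="$1"; keychain="$2"
    is_pem_cert "$cert" || { echo "not a PEM certificate: $cert" >&2; return 2; }
    if is_world_writable "$cert"; then
        echo "refusing world-writable trust anchor: $cert" >&2; return 3
    fi
    [ "$(id -u)" -eq 0 ] || { echo "must run as root" >&2; return 4; }
    # -d: admin (system-wide) trust settings; -r trustRoot: treat as a root;
    # -p ssl: limit the trust to SSL/TLS instead of every policy.
    "$SECURITY" add-trusted-cert -d -r trustRoot -p ssl -k "$keychain" "$cert"
}

# Run only when asked to, so the file can also be sourced.
if [ "${1:-}" = "--install" ]; then
    trust_munki_cert "$CERT" "$KEYCHAIN"
fi
```

Run it as root with `--install`; a nonzero exit code says which check stopped the certificate from being trusted.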

Tip – Link Fix to Mavericks Update Process

To ensure that I didn’t lose connectivity to the systems upgrading to Mavericks, I put this command into the post-install script area of the Mavericks installer in Munki. Then, when Mavericks is associated with a system, Munki updates the system to Mavericks and afterwards issues the command above on that system. It has worked well for the few machines I’ve tested this on so far.
