On Mountain lion Server, renewing profile manager's code signing certificate

Similar Messages

• Profile Manager - no code signing certificate?

  I'm starting with a clean install of Lion Server. DNS is on an Xserve running Leopard Server.
  - CA signed certificates in place
  - DNS working fine
  - I create an OD Master (I've done this through Server.app, Server Admin and from hitting the "configure" button in Profile Manger, which triggers building an OD Master), and when the OD Master is built, an OD-based CA is created along with an OD-based intermediate certificate, but (and this is my problem), the OD-based code signing certificate is never produced, thus I don't have a code signing certificate to select when trying to enable "sign configuration profiles"?
  This is driving me insane. Anyone know why the code signing certificate isn't being generated?
  Thanks,
  Kristin.

  I'm starting with a clean install of Lion Server. DNS is on an Xserve running Leopard Server.
  - CA signed certificates in place
  - DNS working fine
  - I create an OD Master (I've done this through Server.app, Server Admin and from hitting the "configure" button in Profile Manger, which triggers building an OD Master), and when the OD Master is built, an OD-based CA is created along with an OD-based intermediate certificate, but (and this is my problem), the OD-based code signing certificate is never produced, thus I don't have a code signing certificate to select when trying to enable "sign configuration profiles"?
  This is driving me insane. Anyone know why the code signing certificate isn't being generated?
  Thanks,
  Kristin.

• How To Install A (Almost) Working Lion Server With Profile Management/SSL/OD/Mail/iCal/Address Book/VNC/Web/etc.

  I recently installed a fresh version of Lion Server after attempting to fix a broken upgrade. With some help from others, I've managed to get all the new features working and have kept notes, having found that many or most of the necessary installation steps for both the OS and its services are almost entirely undocumented. When you get them working, they work great, but the entire process is very fragile, with simple setup steps causing breaks or even malicious behaviors. In case this is useful to others, here are my notes.
  Start with an erased, virgin, single guid partitioned drive. Not an upgrade. Not simply a repartitioned drive. Erased. Clean. Anything else can and probably will break the Lion Server install, as I discovered myself more than once. Before erasing my drive, I already had Lion and made a Lion install DVD from instructions widely available on the web. I suppose you could also boot into the Lion recovery partition and use disk utility to erase the OS X partition then install a new partition, but I cut a DVD. The bottom line is to erase any old OS partitions. And of course to have multiple, independent backups: I use both Time Machine with a modified StdExclusions.plist and Carbon Copy Cloner.
  Also, if you will be running your own personal cloud, you will want to know your domain name ahead of time, as this will be propagated everywhere throughout server, and changing anything related to SSL on Lion Server is a nightmare that I haven't figured out. If you don't yet have a domain name, go drop ten dollars at namecheap.com or wherever and reserve one before you start. Soemday someone will document how to change this stuff without breaking Lion Server, but we're not there yet. I'll assume the top-level domain name "domain.com" here.
  Given good backups, a Lion Install DVD (or Recovery Partition), and a domain name, here are the steps, apparently all of which must be more-or-less strictly followed in this order.
  DVD>Disk Utility>Erase Disk  [or Recovery Partition>Disk Utility>Erase Partition]
  DVD>Install Lion
  Reboot, hopefully Lion install kicks in
  Update, update, update Lion (NOT Lion Server yet) until no more updates
  System Preferences>Network>Static IP on the LAN (say 10.0.1.2) and Computer name ("server" is a good standbye)
  Terminal>$ sudo scutil --set HostName server.domain.com
  App Store>Install Lion Server and run through the Setup
  Download install Server Admin Tools, then update, update, update until no more updates
  Server Admin>DNS>Zones [IF THIS WASN'T AUTOMAGICALLY CREATED (mine wasn't): Add zone domain.com with Nameserver "server.domain.com." (that's a FQDN terminated with a period) and a Mail Exchanger (MX record) "server.domain.com." with priority 10. Add Record>Add Machine (A record) server.domain.com pointing to the server's static IP. You can add fancier DNS aliases and a simpler MX record below after you get through the crucial steps.]
  System Prefs>Network>Advanced>Set your DNS server to 127.0.0.1
  A few DNS set-up steps and these most important steps:
  A. Check that the Unix command "hostname" returns the correct hostname and you can see this hostname in Server.app>Hardware>Network
  B. Check that DNS works: the unix commands "host server.domain.com" and "host 10.0.1.2" (assuming that that's your static IP) should point to each other. Do not proceed until DNS works.
  C. Get Apple Push Notification Services CA via Server.app>Hardware>Settings><Click toggle, Edit... get a new cert ...>
  D. Server.app>Profile Manager>Configure... [Magic script should create OD Master, signed SSL cert]
  E. Server.app>Hardware>Settings>SSL Certificate> [Check to make sure it's set to the one just created]
  F. Using Server.app, turn on the web, then Server.app>Profile Manager> [Click on hyperlink to get to web page, e.g. server.domain.com/profilemanager] Upper RHS pull-down, install Trust Profile
  G. Keychain Access>System>Certificates [Find the automatically generated cert "Domain", the one that is a "Root certificate authority", Highlight and Export as .cer, email to all iOS devices, and click on the authority on the device. It should be entered as a trusted CA on all iOS devices. While you're at it, highlight and Export... as a .cer the certificate "IntermediateCA_SERVER.DOMAIN.COM_1", which is listed an an "Intermediate CA" -- you will use this to establish secure SSL connections with remote browsers hitting your server.]
  H. iOS on LAN: browse to server.domain.com/mydevices> [click on LHS Install trust cert, then RHS Enroll device.
  I. Test from web browser server.domain.com/mydevices: Lock Device to test
  J. ??? Profit
  12. Server Admin>DNS>Zones> Add convenient DNS alias records if necessary, e.g., mail.domain.com, smtp.domain.com, www.domain.com. If you want to refer to your box using the convenient shorthand "domain.com", you must enter the A record (NOT alias) "domain.com." FQDN pointing to the server's fixed IP. You can also enter the convenient short MX record "domain.com." with priority 11. This will all work on the LAN -- all these settings must be mirrored on the outside internet using the service from which you registered domain.com.
  You are now ready to begin turning on your services. Here are a few important details and gotchas setting up cloud services.
  Firewall
  Server Admin>Firewall>Services> Open up all ports needed by whichever services you want to run and set up your router (assuming that your server sits behind a router) to port forward these ports to your router's LAN IP. This is most a straightforward exercise in grepping for the correct ports on this page, but there are several jaw-droppingly undocumented omissions of crucial ports for Push Services and Device Enrollment. If you want to enroll your iOS devices, make sure port 1640 is open. If you want Push Notifications to work (you do), then ports 2195, 2196, 5218, and 5223 must be open. The Unix commands "lsof -i :5218" and "nmap -p 5218 server.domain.com" (nmap available from Macports after installing Xcode from the App Store) help show which ports are open.
  SSH
  Do this with strong security. Server.app to turn on remote logins (open port 22), but edit /etc/sshd_config to turn off root and password logins.
  PermitRootLogin no
  PasswordAuthentication no
  ChallengeResponseAuthentication no
  I'm note sure if toggling the Allow remote logins will load this config file or, run "sudo launchctl unload -w /System/Library/LaunchAgents/org.openbsd.ssh-agent.plist ; sudo launchctl load -w /System/Library/LaunchAgents/org.openbsd.ssh-agent.plist" to restart the server's ssh daemon.
  Then use ssh-keygen on remote client to generate public/private keys that can be used to remotely login to the server.
  client$ ssh-keygen -t rsa -b 2048 -C client_name
  [Securely copy ~/.ssh/id_rsa.pub from client to server.]
  server$ cat id_rsa.pub > ~/.ssh/known_hosts
  I also like DenyHosts, which emails detected ssh attacks to [email protected]. It's amazing how many ssh attacks there are on any open port 22. Not really an added security feature if you've turned off password logins, but good to monitor. Here's a Lion Server diff for the config file /usr/share/denyhosts:
  $ diff denyhosts.cfg-dist denyhosts.cfg
  12c12
  < SECURE_LOG = /var/log/secure
  > #SECURE_LOG = /var/log/secure
  22a23
  > SECURE_LOG = /var/log/secure.log
  34c35
  < HOSTS_DENY = /etc/hosts.deny
  > #HOSTS_DENY = /etc/hosts.deny
  40a42,44
  > #
  > # Mac OS X Lion Server
  > HOSTS_DENY = /private/etc/hosts.deny
  195c199
  < LOCK_FILE = /var/lock/subsys/denyhosts
  > #LOCK_FILE = /var/lock/subsys/denyhosts
  202a207,208
  > LOCK_FILE = /var/denyhosts/denyhosts.pid
  > #
  219c225
  < ADMIN_EMAIL =
  > ADMIN_EMAIL = [email protected]
  286c292
  < #SYSLOG_REPORT=YES
  > SYSLOG_REPORT=YES
  Network Accounts
  User Server.app to create your network accounts; do not use Workgroup Manager. If you use Workgroup Manager, as I did, then your accounts will not have email addresses specified and iCal Server WILL NOT COMPLETELY WORK. Well, at least collaboration through network accounts will be handled clunkily through email, not automatically as they should. If you create a network account using Workgroup Manager, then edit that account using Server.app to specify the email to which iCal invitations may be sent. Server.app doesn't say anything about this, but that's one thing that email address entry is used for. This still isn't quite solid on Lion Server, as my Open Directory logs on a freshly installed Lion Server are filled with errors that read:
  2011-12-12 15:05:52.425 EST - Module: SystemCache - Misconfiguration detected in hash 'Kerberos':
       User 'uname' (/LDAPv3/127.0.0.1) - ID 1031 - UUID 98B4DF30-09CF-42F1-6C31-9D55FE4A0812 - SID S-0-8-83-8930552043-0845248631-7065481045-9092
  Oh well.
  Email
  Email aliases are handled with the file /private/etc/postfix/aliases. Do something like this
  root:           myname
  admin:          myname
  sysadmin:       myname
  certadmin:      myname
  webmaster:      myname
  my_alternate:   myname
  Then run "sudo newaliases". If your ISP is Comcast or some other large provider, you probably must proxy your outgoing mail through their SMTP servers to avoid being blocked as a spammer (a lot of SMTP servers will block email from Comcast/whatever IP addresses that isn't sent by Comcast). Use Server.app>Mail to enter your account information. Even then, the Lion Server default setup may fail using this proxy. I had to do this with the file /private/etc/postfix/main.cf:
  cd /etc/postfix
  sudo cp ./main.cf ./main.cf.no_smtp_sasl_security_options
  sudo echo 'smtp_sasl_security_options = noanonymous' >> ./main.cf
  sudo serveradmin stop mail
  sudo serveradmin start mail
  Finally, make sure that you're running a blacklisting srevice yourself! Server Admin>Mail>Filter> Use spamhaus.org as a blacklister. Finally, set up mail to use strong Kerberos/MD5 settings under on Server Admin>Mail>Advanced. Turn off password and clear logins. The settings should be set to "Use" your SSL cert, NOT "Require". "Require" consistently breaks things for me.
  If you already installed the server's Trust Certificate as described above (and opened up the correct ports), email to your account should be pushed out to all clients.
  iCal Server
  Server.app>Calendar>Turn ON and Allow Email Invitations, Edit... . Whatever you do, do NOT enter your own email account information in this GUI. You must enter the account information for local user com.apple.calendarserver, and the password for this account, which is stored in the System keychain: Keychain Access>System> Item com.apple.servermgr_calendar. Double-click and Show Password, copy and paste into Server.app dialog. This is all described in depth here. If you enter your own account information here (DO NOT!), the iCal Server will delete all Emails in your Inbox just as soon as it reads them, exactly like it works for user com.apple.calendarserver. Believe me, you don't want to discover this "feature", which I expect will be more tightly controlled in some future update.
  Web
  The functionality of Server.app's Web management is pretty limited and awful, but a few changes to the file /etc/apache2/httpd.conf will give you a pretty capable and flexible web server, just one that you must manage by hand. Here's a diff for httpd.conf:
  $ diff httpd.conf.default httpd.conf
  95c95
  < #LoadModule ssl_module libexec/apache2/mod_ssl.so
  > LoadModule ssl_module libexec/apache2/mod_ssl.so
  111c111
  < #LoadModule php5_module libexec/apache2/libphp5.so
  > LoadModule php5_module libexec/apache2/libphp5.so
  139,140c139,140
  < #LoadModule auth_digest_apple_module libexec/apache2/mod_auth_digest_apple.so
  < #LoadModule encoding_module libexec/apache2/mod_encoding.so
  > LoadModule auth_digest_apple_module libexec/apache2/mod_auth_digest_apple.so
  > LoadModule encoding_module libexec/apache2/mod_encoding.so
  146c146
  < #LoadModule xsendfile_module libexec/apache2/mod_xsendfile.so
  > LoadModule xsendfile_module libexec/apache2/mod_xsendfile.so
  177c177
  < ServerAdmin [email protected]
  > ServerAdmin [email protected]
  186c186
  < #ServerName www.example.com:80
  > ServerName domain.com:443
  677a678,680
  > # Server-specific configuration
  > # sudo apachectl -D WEBSERVICE_ON -D MACOSXSERVER -k restart
  > Include /etc/apache2/mydomain/*.conf
  I did "sudo mkdir /etc/apache2/mydomain" and add specific config files for various web pages to host. For example, here's a config file that will host the entire contents of an EyeTV DVR, all password controlled with htdigest ("htdigest ~uname/.htdigest EyeTV uname"). Browsing to https://server.domain.com/eyetv points to /Users/uname/Sites/EyeTV, in which there's an index.php script that can read and display the EyeTV archive at https://server.domain.com/eyetv_archive. If you want Apache username accounts with twiddles as in https://server.domain.com/~uname, specify "UserDir Sites" in the configuration file.
  Alias /eyetv /Users/uname/Sites/EyeTV
  <Directory "/Users/uname/Sites/EyeTV">
      AuthType Digest
      AuthName "EyeTV"
      AuthUserFile /Users/uname/.htdigest
      AuthGroupFile /dev/null
      Require user uname
      Options Indexes MultiViews
      AllowOverride All
      Order allow,deny
      Allow from all
  </Directory>
  Alias /eyetv_archive "/Volumes/Macintosh HD2/Documents/EyeTV Archive"
  <Directory "/Volumes/Macintosh HD2/Documents/EyeTV Archive">
      AuthType Digest
      AuthName "EyeTV"
      AuthUserFile /Users/uname/.htdigest
      AuthGroupFile /dev/null
      Require user uname
      Options Indexes MultiViews
      AllowOverride All
      Order allow,deny
      Allow from all
  </Directory>
  I think you can turn Web off/on in Server.app to relaunch apached, or simply "sudo apachectl -D WEBSERVICE_ON -D MACOSXSERVER -k restart".
  Securely copy to all desired remote clients the file IntermediateCA_SERVER.DOMAIN.COM_1.cer, which you exported from System Keychain above. Add this certificate to your remote keychain and trust it, allowing secure connections between remote clients and your server. Also on remote clients: Firefox>Advanced>Encryption>View Certificates>Authorities>Import...> Import this certificate into your browser. Now there should be a secure connection to https://server.domain.com without any SSL warnings.
  One caveat is that there should be a nice way to establish secure SSL to https://domain.com and https://www.domain.com, but the automagically created SSL certificate only knows about server.domain.com. I attempted to follow this advice when I originally created the cert and add these additional domains (under "Subject Alternate Name Extension"), but the cert creation UI failed when I did this, so I just gave up. I hope that by the time these certs expire, someone posts some documentation on how to manage and change Lion Server SSL scripts AFTER the server has been promoted to an Open Directory Master. In the meantime, it would be much appreciated if anyone can post either how to add these additional domain names to the existing cert, or generate and/or sign a cert with a self-created Keychain Access root certificate authority. In my experience, any attempt to mess with the SSL certs automatically generated just breaks Lion Server.
  Finally, if you don't want a little Apple logo as your web page icon, create your own 16×16 PNG and copy it to the file /Library/Server/Web/Data/Sites/Default/favicon.ico. And request that all web-crawling robots go away with the file /Library/Server/Web/Data/Sites/Default/robots.txt:
  User-agent: *
  Disallow: /
  Misc
  VNC easily works with iOS devices -- use a good passphrase. Edit /System/Library/LaunchDaemons/org.postgresql.postgres.plist and set "listen_addresses=127.0.0.1" to allow PostgreSQL connections over localhost. I've also downloaded snort/base/swatch to build an intrusion detection system, and used Macports's squid+privoxy to build a privacy-enhanced ad-blocking proxy server.

  Privacy Enhancing Filtering Proxy and SSH Tunnel
  Lion Server comes with its own web proxy, but chaining Squid and Privoxy together provides a capable and effective web proxy that can block ads and malicious scripts, and conceal information used to track you around the web. I've posted a simple way to build and use a privacy enhancing web proxy here. While you're at it, configure your OS and browsers to block Adobe Flash cookies and block Flash access to your camera, microphone, and peer networks. Read this WSJ article series to understand how this impacts your privacy. If you configure it to allow use for anyone on your LAN, be sure to open up ports 3128, 8118, and 8123 on your firewall.
  If you've set up ssh and/or VPN as above, you can securely tunnel in to your proxy from anywhere. The syntax for ssh tunnels is a little obscure, so I wrote a little ssh tunnel script with a simpler flexible syntax. This script also allows secure tunnels to other services like VNC (port 5900). If you save this to a file ./ssht (and chmod a+x ./ssht), example syntax to establish an ssh tunnel through localhost:8080 (or, e.g., localhost:5901 for secure VNC Screen Sharing connects) looks like:
  $ ./ssht 8080:[email protected]:3128
  $ ./ssht 8080:alice@:
  $ ./ssht 8080:
  $ ./ssht 8018::8123
  $ ./ssht 5901::5900  [Use the address localhost:5901 for secure VNC connects using OS X's Screen Sharing or Chicken of the VNC (sudo port install cotvnc)]
  $ vi ./ssht
  #!/bin/sh
  # SSH tunnel to squid/whatever proxy: ssht [-p ssh_port] [localhost_port:][user_name@][ip_address][:remotehost][:remote_port]
  USERNAME_DEFAULT=username
  HOSTNAME_DEFAULT=domain.com
  SSHPORT_DEFAULT=22
  # SSH port forwarding specs, e.g. 8080:localhost:3128
  LOCALHOSTPORT_DEFAULT=8080      # Default is http proxy 8080
  REMOTEHOST_DEFAULT=localhost    # Default is localhost
  REMOTEPORT_DEFAULT=3128         # Default is Squid port
  # Parse ssh port and tunnel details if specified
  SSHPORT=$SSHPORT_DEFAULT
  TUNNEL_DETAILS=$LOCALHOSTPORT_DEFAULT:$USERNAME_DEFAULT@$HOSTNAME_DEFAULT:$REMOT EHOST_DEFAULT:$REMOTEPORT_DEFAULT
  while [ "$1" != "" ]
  do
    case $1
    in
      -p) shift;                  # -p option
          SSHPORT=$1;
          shift;;
       *) TUNNEL_DETAILS=$1;      # 1st argument option
          shift;;
    esac
  done
  # Get local and remote ports, username, and hostname from the command line argument: localhost_port:user_name@ip_address:remote_host:remote_port
  shopt -s extglob                        # needed for +(pattern) syntax; man sh
  LOCALHOSTPORT=$LOCALHOSTPORT_DEFAULT
  USERNAME=$USERNAME_DEFAULT
  HOSTNAME=$HOSTNAME_DEFAULT
  REMOTEHOST=$REMOTEHOST_DEFAULT
  REMOTEPORT=$REMOTEPORT_DEFAULT
  # LOCALHOSTPORT
  CDR=${TUNNEL_DETAILS#+([0-9]):}         # delete shortest leading +([0-9]):
  CAR=${TUNNEL_DETAILS%%$CDR}             # cut this string from TUNNEL_DETAILS
  CAR=${CAR%:}                            # delete :
  if [ "$CAR" != "" ]                     # leading or trailing port specified
  then
      LOCALHOSTPORT=$CAR
  fi
  TUNNEL_DETAILS=$CDR
  # REMOTEPORT
  CDR=${TUNNEL_DETAILS%:+([0-9])}         # delete shortest trailing :+([0-9])
  CAR=${TUNNEL_DETAILS##$CDR}             # cut this string from TUNNEL_DETAILS
  CAR=${CAR#:}                            # delete :
  if [ "$CAR" != "" ]                     # leading or trailing port specified
  then
      REMOTEPORT=$CAR
  fi
  TUNNEL_DETAILS=$CDR
  # REMOTEHOST
  CDR=${TUNNEL_DETAILS%:*}                # delete shortest trailing :*
  CAR=${TUNNEL_DETAILS##$CDR}             # cut this string from TUNNEL_DETAILS
  CAR=${CAR#:}                            # delete :
  if [ "$CAR" != "" ]                     # leading or trailing port specified
  then
      REMOTEHOST=$CAR
  fi
  TUNNEL_DETAILS=$CDR
  # USERNAME
  CDR=${TUNNEL_DETAILS#*@}                # delete shortest leading +([0-9]):
  CAR=${TUNNEL_DETAILS%%$CDR}             # cut this string from TUNNEL_DETAILS
  CAR=${CAR%@}                            # delete @
  if [ "$CAR" != "" ]                     # leading or trailing port specified
  then
      USERNAME=$CAR
  fi
  TUNNEL_DETAILS=$CDR
  # HOSTNAME
  HOSTNAME=$TUNNEL_DETAILS
  if [ "$HOSTNAME" == "" ]                # no hostname given
  then
      HOSTNAME=$HOSTNAME_DEFAULT
  fi
  ssh -p $SSHPORT -L $LOCALHOSTPORT:$REMOTEHOST:$REMOTEPORT -l $USERNAME $HOSTNAME -f -C -q -N \
      && echo "SSH tunnel established via $LOCALHOSTPORT:$REMOTEHOST:$REMOTEPORT\n\tto $USERNAME@$HOSTNAME:$SSHPORT." \
      || echo "SSH tunnel FAIL."

• Argh! Profile Manager and Code-Signing of profiles

  I am setting up Profile Manager in Mavericks with Server.app 3.0.1.
  I have DNS correctly setup, I have created an OD Master for Profile Manager, Profile Manager is running and network users can login and I can setup profiles. I also have the https site working properly for clients although that needed some help.
  We have a self-signed root CA and off that we have two intermediate CAs, one for signing server SSL certificates, and one for signing codesigning certificates. On my server I have installed the rootCA, and the intermediate CAs and of course the server SSL certificate itself. As mentioned initially I had a problem with the https site on the server and what was happening was that the server was not sending the intermediate certificate along with the server certificate to clients. (The clients already have our rootCA certificate installed and trusted.)
  As a result the chain was incomplete and clients did not trust the http site. I tracked this down to the files in /etc/certificates it turned out that of the four files for the server certificate i.e. .key.pem, .chain.pem, .concat.pem and .cert.pem that the .chain.pem did not contain the intermediate CA. I replaced it with the intermediate CA pem file and restarted Apache and clients now get the full chain and can therefore trust the https site.
  My problem now is with the codesigning certificate, this also has been selfsigned this time by the intermediate codesigningCA. It is accepted by Profile Manager and it does sign the profiles. However when I download the Trust profile and try installing it, it comes back unverified. (If it was unsigned it would say unsigned instead.) This trust profile contains a copy of the server certificate and the rootCA certificate but does not contain the intermediate codesigningCA certificate.
  I tried the same trick of swapping out the codesigning .chain.pem file in /etc/certificates but this did not help. I am currently stuck, any suggestions from any one?
  Thanks.

  I would really appreciate being walked through these steps. I just upgraded to Yosemite and Server.app 4 and am dealing with all the brokenness.
  Profile Manager does not show a code signing certificate when I ask it to sign configuration profiles.
  I DO NOT have the Code Signing Certificate in my keychain created when OD was created.
  I DO have the four code signing certificate files:
  /etc/certificates/host.domain.tld.Code Signing Certificate.<UUID hash>.cert.pem
  /etc/certificates/host.domain.tld.Code Signing Certificate.<UUID hash>.chain.pem
  /etc/certificates/host.domain.tld.Code Signing Certificate.<UUID hash>.concat.pem
  /etc/certificates/host.domain.tld.Code Signing Certificate.<UUID hash>.key.pem
  Furthermore, when I search my System keychain passwords, for <UUID hash>, I see that have the password that decrypts these pem's, e.g. via the openssl command
  openssl rsa -outform der -in 'host.domain.tld.Code Signing Certificate.<UUID hash>.key.pem' -out 'host.domain.tld.Code Signing Certificate.<UUID hash>.key'
  What's the specific step-by-step to convert these four files into something that Profile Manager can use to sign configuration profiles?
  I am stuck.

• Renew my code sign certificate?

  I run a Mavericks server that serves profile manager, file, and time machine services. My code sign cert expires in a couple weeks. When you go into Server.app > Certificates and double click on it, there isn't a "Renew" button like there is for other certs I've renewed.
  How would I renew this? And what impact would it have on my running services (ie. would I have to re-enroll everyone in profile manager)? Thank you.

  Does OS X Server: Renewing Profile Manager's code signing certificate - Apple Support help?

• Mountain Lion Server Profile Manager not accessible externally

  What do I need to be checking if I can't access our Mountain Lion server's Profile Manager externally.  From a test iPad on a carrier's 3G network, I get a "server not found" error when using http://fqdn/.  I can bring up the server page if I use https://publicipaddress. but not https://publicipaddress/profilemanager.  Apple tried accessing the server with the same findings.  We're a state agency behind tight firewall and security and we're told that all Profile manager needed ports are open...  Thanks.

  Nelson -
  Pretty much everything boiled down to DNS, firewalls and ports.  Unfortunately, I was never able to acertain which of the three items were causing this problem because we have a separate group who manages the network and firewall (plus a separate security team).  If I recall, once they focused on what it was I was trying to accomplish, most of the problems "magically" went away. 
  Is your reverse DNS working the way it's supposed to?  Ex:
  yourserver:~ login$ hostname
  yourserver.yourdomainname
  yourserver:~ login$ host yourserver.yourdomainname
  yourserver.yourdomainname has address 10.x.x.x
  yourserver:~ login$ host 10.x.x.x
  3.34.2.10.in-addr.arpa domain name pointer yourserver.yourdomainname
  yourserver:~ login$
  Also be sure to follow "burton11234's" posts.  https://discussions.apple.com/people/burton11234?view=overview

• Mountain Lion Server Profile Manager error

  I recently setup a Mountain Lion server (10.8.2) to manage multiple ipads and Macs with Profile Manager in a PC oriented Active Directory environment.
  I setup an SSL certificate and bound to the organization's active directory (with Directory Utility) and that all works fine.
  We are now simply trying to assign the rights to individual users to use Profile Manager and running into trouble.
  Using the Server app, we click on a user (or group) and then go to assign rights (with the gear menu).
  The list of items to assign is supposed to come up.
  Instead the list never comes up.
  Can anyone shed any light on what we have to do?

  What are you trying to do
  Assign what users can use the profile managers web interface
  or restrict what users can and can't have devices registered to their name in profile manager

• Mountain Lion Server: Wiki and Profile Manager return 'Error Reading Settings'

  Hi,
    Have recently installed Mountain Lion Server (clean install) when I open the Server App I am constantly receiving the following error messages on various services inc. Wiki and the Profile Manager Service
  After clicking on various other services that error message evolves into
  Any help would be greatly appreciated.

  Nvm, I managed to resolve this issue to a degree. The errors seem to occur if I copied and installed the Server.app from a windows network location where I had it stored. However if I downloaded and installed the Server.app from the App store the errors dod not occur.

• Renew code signing certificate mountain lion server

  Hello to all
  Can you please let me know if there is a way to renew the self code signing certificate for server WITHOUT re enroll all devices?
  We have 500 iPads enrolled and the code signing certificate expires in 2 weeks...
  So it's really critical not to re enroll all devices .
  Is there any way to do this?
  Thank you for you help.

  When I put this in I am just getting the following response
  Usage: certadmin
      --get-private-key-passphrase [path]    
        Retrieve the passphrase for the private key at [path] from the keychain
      --default-certificate-path
        Retrieve the full path for the default certificate
      --default-certificate-authority-chain-path
        Retrieve the full path for the default certificate authority chain
      --default-private-key-path
        Retrieve the full path for the default private key
      --default-concatenation-path
        Retrieve the full path for the default certificate + private key concatenation
      --create-default-self-signed-identity
        Creates a default self signed identity (certificate + private key) using the hostname
      --recreate-self-signed-certificate subject serial_number
        Recreate an existing self signed certificate
      --recreate-CA-signed-certificate subject issuer serial_number
        Recreate an existing certificate signed by an OpenDirectory CA
  where you have "192173c1c is this meant to be the serial number?

• How do I properly change the server name in mountain lion server?

  I need to change my server name to a FQDN, but tried this with Lion server in the past without success. I know in lion you'd use server app, but that's no longer avaiable in mountain lion server and I want to make sure I get this right the first time.
  Thanks!

  I was able to get everything working with some assistance from Apple's enterprise support. After changing the host name, the DNS was still not resolving properly and I couldn't turn on open directory so that I'd be able to start profile manager. The DNS interface is considerably different than that in previous versions of server. The network was set to manual ip with dhcp, which was pulling back an external IP. Overriding the DNS info coming in via the dhcp, setting it to localhost, resolved the issue.
  Thanks!

• Sharing a Calendar from Mountain Lion server with Snow Leopard users on local network

  Hello.
  I have a new Mac Mini Server running Mountain Lion Server and I want to create a shared calender for a mix of Lion, Mountain Lion and Snow Leopard users on our local network. Does anyone have any info on how to do this? I have tried using the Server App and Calender Help within the applications, but the content isn't available. I have managed to create a Shared Calender  from the Mini's Calendar App where I've  added users and I can see a 'wireless' transmit icon to the right of the Calendar name - but I cant get any of the users' iCal or Calendar apps to recognise the Calendar on the local network. I've also created a Location in the Server App under Calendar and still can't see anything on the local network. Am I missing something really obvious?
  Thanks in advance!

  Sorry, I hadn't explained everything fully. I don't want to open up my VPN to friends and family. I do have the router assigning the NAS a fixed IP, so that when I connect over the VPN I can use the local IP address to connect, as you have mentioned.
  What I would like is for my friends or family to connect to my server over AFP or SMB using the public IP of my network, which my router then forwards onto my server, and display the available sharepoints configured using Mountain Lion server. However, the NAS drive is not an available option this way as it has a separate IP to the server.
  As the NAS alllows guest access, I also don't want to configure the router to forward a specific port to it, as this way it will be open to the internet. I wanted to try and use my server as an authentication point, with profiles set using Mountain Lion server, and limited to file sharing services only.
  Hope this makes sense.

• Smooth transition from Mountain Lion Server to Mavericks Server 3.0!!

  After an new OS release that are always complaints about installation and configuration problems. First comers to using any new software tool provide valuable feedback we generally hope will help improve the new product. It's how things have worked since the first 6503 Apple II's and 8086 IBM PC's.
  I've been using and upgrading PC's since THOSE DINOSAURS! And I can't remember EVER having an OS upgrade go as smoothly as my recent upgrade from Mountain Lion Server (OS X 10.8.5 w. Server 2.2.2) to Mavericks Server 3.0.
  I chose to do a clean Mavericks install on a clean partition created on a 1 TB disk that was upgraded into my trusty MacBook. I used the DiskmakerX app to create a Mavericks installation USB drive. When the screen came up with the option to import users, programs & files (took a pass on email) from the Mountain Lion Server partition, I let it run overnight to transpose everything of value into the clean Mavericks installation.
  The next morning the only program that wasn't PERFECTLY installed and configured on Mavericks was Server 2.2.2. I deleted it and bought/installed Server 3.0. After Server 3.0's setup ran that only thing I had to do manually was start Postgres! My domain setting, DNS, all my web applications that were set up on Mountain Lion Server were all GOOD TO GO again on Mavericks Server!
  I'm disclosing this here, publicly because it was a BIG PAIN to install and deploy all my websites using Mountain Lion's server app. To say the easy transposition into Server 3.0 was an unexpected and pleasant surprise amounts to massive understatement.
  Now I'm going to describe two small anomolies I've noticed in either Mavericks or Server 3.0 that other users might want to be on the lookout for. They're not fatal. But they might be "habringers" suggesting underlying problems in either the new OS or the new Server's internals.
  The toolbar icon for TimeMachine doesn't "spin" when it backs up. It's not a big deal. But it's convenient to see the circle around the clock whirling so we know when TIme Machine is backing up.
  Mavericks Server isn't reporting newly upgraded apps as available under the Updates Tab of the Server's Software Updates subsystem. It might be inconsequential. But with a new OS version it never hurts to let the developers know about the "little things" that don't apparently work.
  Kudos to the Maverick's developers for releasing an OS X version that's THIS CLEAN. And hugs to Apple's management for making it a free download upgrade for developers!!!
  Full disclosue: I don't now and never have worked for Apple. but I do own a few shares of Apple stock that we purchased many years ago at $14.00 / share. I'm not a big shareholder. But based on my recent seamless upgrades to Mavericks and iIOS 7, I'm a happy one who's not likely to sell any time soon.
  If Apple can do for ALL THEIR HARDWARE AND SOFTWARE PRODUCTS what they seem to have done for OS X and iOS, they've got at least a fighting chance to recover from their losses after their stock peaked at about $700.00 /share.
  Keep up the good work!
  Dr. Bob Blomeyer

  After an new OS release that are always complaints about installation and configuration problems. First comers to using any new software tool provide valuable feedback we generally hope will help improve the new product. It's how things have worked since the first 6503 Apple II's and 8086 IBM PC's.
  I've been using and upgrading PC's since THOSE DINOSAURS! And I can't remember EVER having an OS upgrade go as smoothly as my recent upgrade from Mountain Lion Server (OS X 10.8.5 w. Server 2.2.2) to Mavericks Server 3.0.
  I chose to do a clean Mavericks install on a clean partition created on a 1 TB disk that was upgraded into my trusty MacBook. I used the DiskmakerX app to create a Mavericks installation USB drive. When the screen came up with the option to import users, programs & files (took a pass on email) from the Mountain Lion Server partition, I let it run overnight to transpose everything of value into the clean Mavericks installation.
  The next morning the only program that wasn't PERFECTLY installed and configured on Mavericks was Server 2.2.2. I deleted it and bought/installed Server 3.0. After Server 3.0's setup ran that only thing I had to do manually was start Postgres! My domain setting, DNS, all my web applications that were set up on Mountain Lion Server were all GOOD TO GO again on Mavericks Server!
  I'm disclosing this here, publicly because it was a BIG PAIN to install and deploy all my websites using Mountain Lion's server app. To say the easy transposition into Server 3.0 was an unexpected and pleasant surprise amounts to massive understatement.
  Now I'm going to describe two small anomolies I've noticed in either Mavericks or Server 3.0 that other users might want to be on the lookout for. They're not fatal. But they might be "habringers" suggesting underlying problems in either the new OS or the new Server's internals.
  The toolbar icon for TimeMachine doesn't "spin" when it backs up. It's not a big deal. But it's convenient to see the circle around the clock whirling so we know when TIme Machine is backing up.
  Mavericks Server isn't reporting newly upgraded apps as available under the Updates Tab of the Server's Software Updates subsystem. It might be inconsequential. But with a new OS version it never hurts to let the developers know about the "little things" that don't apparently work.
  Kudos to the Maverick's developers for releasing an OS X version that's THIS CLEAN. And hugs to Apple's management for making it a free download upgrade for developers!!!
  Full disclosue: I don't now and never have worked for Apple. but I do own a few shares of Apple stock that we purchased many years ago at $14.00 / share. I'm not a big shareholder. But based on my recent seamless upgrades to Mavericks and iIOS 7, I'm a happy one who's not likely to sell any time soon.
  If Apple can do for ALL THEIR HARDWARE AND SOFTWARE PRODUCTS what they seem to have done for OS X and iOS, they've got at least a fighting chance to recover from their losses after their stock peaked at about $700.00 /share.
  Keep up the good work!
  Dr. Bob Blomeyer

• Complications migrating from Snow Leopard Server to Mountain Lion Server.

  I'm migrating from Snow Leopard Server to Mountain Lion Server. The article "OS X Server: Upgrade and migration" (http://support.apple.com/kb/HT5381) says
  "Make sure that any DNS or DHCP servers on which your server depends remain running during the upgrade"
  This advice is reinforced by the details of the article "OS X Server: Steps to take before upgrading or migrating the Open Directory database" (http://support.apple.com/kb/HT5300).
  As the server I'm migrating from provides these services it will need to be running during the migration process. This would seem to limit my options to doing the migration from a Time Machine backup (or, making a seperate clone of the server's drive and connecting it externally to the new box)
  My main concern is the seemingly inevitable clash that is going to occur on the network as the new server takes on the roles of the old one - while it is still running.
  What are my options here ?
  This is my second attempt as on my first try I did the migration from the TM backup with the network down - and none of my local network users or their home directories were migrated, although the settings for the mount points were, but there were no actual directories where they pointed to!
  Clear directions on how to procede would be VERY MUCH appreciated
  Thank you.

  Moving from Snow Leopard to Mountain Lion means first installing the client (non-Server) version of Mountain Lion and then install Server.app this means that for at least part of the process you will not be running DNS, DHCP or Open Directory.
  If you are going to end up using the same DNS name and IP address after the change then an approach you could follow would be as follows.
  Destroy any Open Directory replicas
  Archive your Open Directory Master (to make a backup)
  Note down your DNS records in case they get messed up
  Export via Workgroup Manager your users, and groups (you might not need this but better safe than sorry), make sure you do not include the diradmin account
  Keep a full back of the server (you should always have backups)
  Note down your DHCP server settings in case they get messed up
  Note down any other service settings
  Install Mountain Lion
  Install Server.app
  Install Workgroup Manager (extra free download)
  Run Server.app
  Make sure settings for services are as much as possible the same as before
  If your lucky that may be all you need to do, otherwise...
  Restore Open Directory archive, if your lucky that will be all you need to do, otherwise...
  Make new Open Directory Master
  Run Workgroup Manager
  Import users and groups you previously exported
  You will then have to set passwords for each user as these are not preserved via Workgroup Manager export
  When I did this, I was also being forced to change all my IP addresses so I had no choice but to use Workgroup Manager to export and import accounts.

• Additional email address for user in mountain lion server

  I have a new installation of OS X Mountain Lion server (10.8.2) that I am wanting to deploy.  The problem that I am running into now is that there is no way that I have found to add a second email address. 
  I have multiple domains so, i need to have "[email protected]" and "[email protected]" for the same user.
  Has anyone seen a way around this?

  matneyc wrote:
  Wow - just after I answer back, I found a download for the Workgroup Manager at http://support.apple.com/kb/DL1567.  I probably need more sleep.
  Yes, it is just Server Admin that is no more, Workgroup Manager is still at the moment available.
  For your information another less pleasant means would be to directly modify the Open Directory record using either the command line or the Directory Editor launched from Open Directory Utility which in turn is launched from the Login Options "Join..." button.

• Where's the Mountain Lion Server Documentation?

  Been waiting all day for Mountain Lion Server Documentation the be posted to no avail. What gives? Especially need the Mountain Lion Server Upgrading & Migrating manual. I help run a small educational cmoputer center in Santa Cruz CA and we need to transition from 10.5 Leopard Server on an old G5 Power Mac to 10.8 Mountain Lion Server on a new 2012 Mac mini as soon as it goes on sale. We particularly need the Workgroup Manager migration app documentation ASAP. Can any Apple employees explain why the Mountain Lion server documentation is not posted even though you can download the Mountain Lion Server since this morning?

  Good Luck in Migrating from 10.5 Server to 10.8 Server... There's soo  many  changes..  Each time I've upgraded since 10.2.X server, I've always had to manual migrate things. Forget the automated upgraded process since it always hangs for me.
  As for 10.6.8 Server, Apple changed the imap/pop server software from cyrus to dovecot. There's a script if I recall somewhere in 10.6.8 Server convert the imap mail of all the users.  However before you run that script I recommend that you rebuild the imap structure in cyrus before you do...
  http://support.apple.com/kb/HT3120
  as for mirgrating OD user.... archive the users...
  and import it...