In macOS Ventura 13.0 (22A380), Munki can't find the client certificate to use for server authentication when the cert is stored in the munki.keychain (created from a certificate file on disk, using Munki preferences UseClientCertificate and ClientCertificatePath).
This shouldn't be a problem if the cert is delivered to devices via an MDM payload (CertificatePKCS12 or SCEP), which stores the cert in the System keychain, rather than the munki.keychain.
The munki.keychain is added to the keychain search list for the User domain, which worked on prior macOS versions, but Ventura isn't allowing Munki to access keychains in this domain.
This problem is only seen in launchd managedsoftwareupdate jobs (automatic hourly runs, or triggered by launchd from Managed Software Center). It works when managedsoftwareupdate is run from the command line in Terminal, since that operates in the User domain context.
This failure appears in the ManagedSoftwareUpdate.log as the inability to retrieve files from the server repo (e.g. getting a manifest), or as 'Download error -999: cancelled', and with LoggingLevel set to 3, 'Could not list keychain certificates'. Munki may crash after this.
I've created PR #1162 to address this problem by adding munki.keychain to the Common domain keychain search list, rather than the User domain. The Common domain is for all users and the system.
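A diagnostic for the search-list placement described in the issue above, as an added example that is not part of the original issue or of Munki's code: it reports which keychain search-list domains (`security list-keychains -d user|system|common`) list munki.keychain. The function names are hypothetical, and the sample path in the comment is constructed.

```bash
#!/bin/bash
# Added example, not Munki code. Function names are hypothetical.

# Read `security list-keychains` output on stdin and succeed if any entry's
# file name is $1 or $1-db. Each output line is an indented, quoted path,
# e.g. (constructed):     "/Library/Keychains/System.keychain"
keychain_in_listing() {
    local name="$1" line path base
    while IFS= read -r line; do
        # Strip leading whitespace, then the surrounding double quotes.
        path="${line#"${line%%[![:space:]]*}"}"
        path="${path#\"}"
        path="${path%\"}"
        base="${path##*/}"      # file name only; paths may contain spaces
        if [ "$base" = "$name" ] || [ "$base" = "$name-db" ]; then
            return 0
        fi
    done
    return 1
}

# Print the search-list domains (user, system, common) that list the keychain,
# space-separated. An empty line means it is in none of them.
keychain_domains() {
    local name="${1:-munki.keychain}" domain found=""
    for domain in user system common; do
        if security list-keychains -d "$domain" 2>/dev/null \
            | keychain_in_listing "$name"; then
            found="${found:+$found }$domain"
        fi
    done
    printf '%s\n' "$found"
}

# Run the check only where the macOS `security` tool is available.
if command -v security >/dev/null 2>&1; then
    echo "munki.keychain search-list domains: $(keychain_domains)"
fi
```

With the change described in the issue, `common` is the domain expected to list munki.keychain rather than `user`.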