macOS Server 5.7.1: I have a problem with a lot of devices whose MDM identity device certificate has expired (due to a bug in macOS Server versions before 5.7.1 that didn't renew them).
At the moment the remote devices are not able to connect to the server, because the TLS 1.2 handshake checks the expiry date of the client certificate. But to send a new certificate the connection has to be completed; otherwise we have to reinitialize every iPad that should be remotely controlled.
Do you know if there is a way to make the OS X Apache accept it?
<Location "/devicemanagement/mdm/mdm_connect">
SSLRequireSSL
SSLVerifyClient require
SSLVerifyDepth 2
SSLOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate +LegacyCertChainVerify
SSLRenegBufferSize 2097152
RequestHeader set X-PM-REMOTE_ADDR "%{REMOTE_ADDR}s"
RequestHeader set X-PM-SSL_CLIENT_V_REMAIN "%{SSL_CLIENT_V_REMAIN}s"
RequestHeader set X-PM-SSL_CLIENT_S_DN_CN "%{SSL_CLIENT_S_DN_CN}s"
RequestHeader set X-PM-SSL_CLIENT_VERIFY "%{SSL_CLIENT_VERIFY}s"
ProxyPass unix:/Library/Server/ProfileManager/Config/var/dmhttpd.sock|http://dmhttpd/devicemanagement/secure/mdm_connect
</Location>
You have configured the device check-in URL to mandatorily verify the certificate. If the device certificates are expired you can configure it as
SSLVerifyClient optional
and perform all the validation tasks in your servlets.
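As an added example (not code from the question or the answer), this is the kind of validation the answer moves into the backend once Apache no longer rejects the handshake itself: a Python policy check over the headers the posted <Location> block already forwards (X-PM-SSL_CLIENT_VERIFY, X-PM-SSL_CLIENT_V_REMAIN, X-PM-SSL_CLIENT_S_DN_CN). It assumes the backend sees the request path, and the enrolled-device CN list and the renewal path are constructed placeholders.

```python
import logging
from dataclasses import dataclass

log = logging.getLogger("mdm_connect")

# Constructed placeholder: CNs of devices enrolled before their certificates
# expired. A real deployment would read this from the Profile Manager device store.
ENROLLED_DEVICE_CNS = {"ipad-0001", "ipad-0002"}

# Hypothetical path on which an expired but otherwise known device certificate
# may be accepted, so the device can fetch a renewed identity certificate.
RENEWAL_PATH = "/devicemanagement/mdm/mdm_connect"


@dataclass
class Decision:
    allowed: bool
    reason: str


def check_client_cert(headers: dict, path: str) -> Decision:
    """Decide whether a proxied request carries an acceptable client certificate.

    With SSLVerifyClient optional, Apache no longer enforces the client cert, so
    the backend re-checks the verification result mod_ssl forwards in
    X-PM-SSL_CLIENT_VERIFY and the remaining validity days in X-PM-SSL_CLIENT_V_REMAIN.
    """
    verify = headers.get("X-PM-SSL_CLIENT_VERIFY", "NONE")
    cn = headers.get("X-PM-SSL_CLIENT_S_DN_CN", "")
    try:
        days_left = int(headers.get("X-PM-SSL_CLIENT_V_REMAIN", ""))
    except ValueError:
        days_left = None  # header missing or unparsable: treat as unknown

    if verify == "NONE" or not cn:
        return Decision(False, "no client certificate presented")
    if cn not in ENROLLED_DEVICE_CNS:
        return Decision(False, f"unknown device CN {cn!r}")
    if verify == "SUCCESS" and days_left is not None and days_left > 0:
        return Decision(True, "valid client certificate")

    # Expired or unverified certificate of a known device: allow it only on the
    # renewal endpoint and log it so the renewal backlog is visible to operators.
    expired_or_failed = days_left == 0 or verify == "GENEROUS" or verify.startswith("FAILED")
    if path == RENEWAL_PATH and expired_or_failed:
        log.warning("accepting expired certificate for %s to allow renewal", cn)
        return Decision(True, "expired certificate accepted for renewal only")

    return Decision(False, f"client certificate not acceptable: {verify}")
```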