Hi Nick,

Michal created a ticket
https://github.com/openxpki/openxpki-config/issues/14 saying that SCEP
on Apple expects the proper keyUsage bits set, which we did not set in older
sample configs, so might this be the problem in your setup, too?

Oliver
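
As an added illustration of the keyUsage point (this is example code, not OpenXPKI's or Apple's), the block below decodes the RFC 5280 KeyUsage BIT STRING of each certificate in a GetCACert bundle and applies a keyUsage-based sort of the kind the macOS log describes ("find the encryption and signature certificates"). The DER values and the exact rule (digitalSignature marks the signature cert, keyEncipherment the encryption cert, keyCertSign a CA) are constructed assumptions, not Apple's actual algorithm.

```python
# Constructed example: classify a SCEP GetCACert bundle by keyUsage bits.
# Only the KeyUsage extension value (a DER BIT STRING) is parsed here;
# pulling that value out of a full certificate is left to a real X.509 parser.

# Bit positions of the KeyUsage BIT STRING as defined in RFC 5280 4.2.1.3.
KEY_USAGE_BITS = [
    "digitalSignature", "nonRepudiation", "keyEncipherment",
    "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
    "encipherOnly", "decipherOnly",
]


def decode_key_usage(der: bytes) -> set:
    """Decode a DER KeyUsage value (tag 0x03, short length) into bit names."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a BIT STRING")
    length = der[1]
    if length & 0x80 or length != len(der) - 2:
        raise ValueError("unsupported or inconsistent length")
    unused, body = der[2], der[3:]          # first content byte = unused bits
    total_bits = len(body) * 8 - unused
    names = set()
    for i in range(min(total_bits, len(KEY_USAGE_BITS))):
        byte, bit = divmod(i, 8)
        if body[byte] & (0x80 >> bit):       # bit 0 is the MSB of body[0]
            names.add(KEY_USAGE_BITS[i])
    return names


def classify_bundle(bundle: dict) -> dict:
    """bundle: {label: KeyUsage DER or None if the cert has no keyUsage}."""
    roles = {}
    for label, der in bundle.items():
        ku = decode_key_usage(der) if der is not None else set()
        if "keyCertSign" in ku:              # CA / root: not an RA cert
            roles.setdefault("ca", []).append(label)
            continue
        if "digitalSignature" in ku:
            roles.setdefault("signature", []).append(label)
        if "keyEncipherment" in ku:
            roles.setdefault("encryption", []).append(label)
    return roles


def client_would_accept(bundle: dict) -> bool:
    """Assumed heuristic: the client needs both an RA signature and encryption cert."""
    roles = classify_bundle(bundle)
    return "signature" in roles and "encryption" in roles


# Constructed KeyUsage values: 0xA0 = digitalSignature|keyEncipherment,
# 0x06 = keyCertSign|cRLSign, 0x80 = digitalSignature, 0x20 = keyEncipherment.
BUNDLE_FIXED = {"scep": bytes.fromhex("030205a0"),
                "ca": bytes.fromhex("03020106"), "root": bytes.fromhex("03020106")}
BUNDLE_SPLIT = {"ra-sig": bytes.fromhex("03020780"), "ra-enc": bytes.fromhex("03020520"),
                "ca": bytes.fromhex("03020106")}
BUNDLE_OLD = {"scep": None, "ca": bytes.fromhex("03020106"),
              "root": bytes.fromhex("03020106")}   # RA cert without keyUsage
```

With the old-style bundle the RA certificate carries no keyUsage, so the sort finds neither a signature nor an encryption certificate and the check fails, matching the "session->caCert == NULL" outcome in the log.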


On 18.06.21 at 18:54, Nick Dawson wrote:
> Thanks gents!
> I'm finding some interesting things on different platforms.
>
> Summary: MacOS 11 reports a security error after it retrieves the SCEP
> and CA certs.  iOS 14 simply fails. iOS 15 is a little more descriptive:
> "The Registration Authority’s response is invalid". MacOS 12 fails
> with the same error as MacOS 11.
>
> OpenXPKI SCEP log: 
> 2021/06/18 10:51:04 DEB Config for service scep loaded [pid=30304]
> 2021/06/18 10:51:04 INF SCEP handler initialized [pid=30304]
> 2021/06/18 10:51:04 INF Incoming request from 10.15.1.153 with
> GetCACaps [pid=30304]
> 2021/06/18 10:51:04 DEB Response send [pid=30304]
> 2021/06/18 10:51:05 DEB Config for service scep loaded [pid=30306]
> 2021/06/18 10:51:05 INF SCEP handler initialized [pid=30306]
> 2021/06/18 10:51:05 INF Incoming request from 10.15.1.153 with
> GetCACert [pid=30306]
> 2021/06/18 10:51:05 DEB Response send [pid=30306]
>
>
> MacOS:
> default 10:37:47.912045-0600 CertificateService
> [1366478549:Cert_PI:HTTPUtil:<0x66d303>] >>>>> Sending HTTP request
> (GET) [SCEP:GetCACert] >>>>>
> default 10:37:48.661191-0600 CertificateService
> [1366478549:Cert_PI:HTTPUtil:<0x66d303>] <<<<< Received HTTP response
> (200) [SCEP:GetCACert] <<<<<
> default 10:37:48.661886-0600 CertificateService
> ProcessGetCACertResponse: Content-Type: 'application/x-x509-ca-ra-cert'
> default 10:37:48.661978-0600 CertificateService
> ProcessGetCACertResponse: application/x-x509-ca-ra-cert; err =
> errSecCertificateCannotOperate
> default 10:37:48.662168-0600 CertificateService
> ProcessGetCACertResponse: CFArrayGetCount(returnedCerts) > 1
> default 10:37:48.662254-0600 CertificateService
> SortAndSetCACertificates: (CFArrayGetCount(returnedCerts) = 3
> default 10:37:48.662409-0600 CertificateService
> SortAndSetCACertificates: use heuristics to determine which is which,
> namely find the encryption and signature certificates
> default 10:37:48.662482-0600 CertificateService
> SortAndSetCACertificates: certs[0]
> default 10:37:48.666002-0600 CertificateService
> SortAndSetCACertificates: certs[1]
> default 10:37:48.666450-0600 CertificateService
> SortAndSetCACertificates: certs[2]
> error 10:37:48.666852-0600 CertificateService
> ProcessGetCACertResponse: session->caCert == NULL
> error 10:37:48.667010-0600 CertificateService [ERROR] <:
> [MDM_SCEP_Enroll] Calling SCEPGetCACert.  CA Ident: CA One --> 
> <NSOSStatusErrorDomain:-67817>
> error 10:37:48.820130-0600
> com.apple.preferences.configurationprofiles.remoteservice
> [ERROR] Profile installation (scep test
> (andesite.6BF88F76-C55C-4560-BEEE-11E8DF8EA9F2:361796F2-11EC-41D8-8F2C-E9648FE4EF1E))
> ( <NSOSStatusErrorDomain:-67817>)
> default 10:37:49.443017-0600 AssetCache Notification user info: {
>     ProfileAction = Remove;
>     ProfileTypes =     (
>         "com.apple.security.scep <http://com.apple.security.scep/>"
>     );
>     ProfileUUID = "361796F2-11EC-41D8-8F2C-E9648FE4EF1E";
>     ProfileUserUID = 1366478549;
>     ProfileUsername = ndawson;
> }
> default 10:49:53.207134-0600 Finder Trying to issue sandbox extension
> for /Users/ndawson/Library/Mobile
> Documents/iCloud~com~apple~configurator~ui/Documents/scep
> test.mobileconfig
> default 10:49:53.207235-0600 Finder Successfully issued sandbox
> extension for /Users/ndawson/Library/Mobile
> Documents/iCloud~com~apple~configurator~ui/Documents/scep
> test.mobileconfig
>
>
>
> iOS: 
>
> error 10:31:21.622518-0600 profiled Cannot retrieve SCEP identity:
> NSError:
> Desc   : The Registration Authority’s response is invalid.
> US Desc: The Registration Authority’s response is invalid.
> Domain : MCSCEPErrorDomain
> Code   : 22003
> Type   : MCFatalError
> error 10:31:21.622745-0600 profiled Installation of profile
> “andesite.6BF88F76-C55C-4560-BEEE-11E8DF8EA9F2” failed with error:
> NSError:
> Desc   : The profile “scep test” could not be installed.
> Sugg   : The Registration Authority’s response is invalid.
> US Desc: The profile “scep test” could not be installed.
> US Sugg: The Registration Authority’s response is invalid.
> Domain : MCProfileErrorDomain
> Code   : 1009
> Type   : MCFatalError
> Params : (
>     "scep test"
> )
> ...Underlying error:
> NSError:
> Desc   : The Registration Authority’s response is invalid.
> US Desc: The Registration Authority’s response is invalid.
> Domain : MCSCEPErrorDomain
> Code   : 22003
> Type   : MCFatalError
> Extra info:
> {
>     isPrimary = 1;
> }
> error 10:31:21.623296-0600 profiled Profile
> “andesite.6BF88F76-C55C-4560-BEEE-11E8DF8EA9F2” failed to install with
> error: NSError:
> Desc   : Profile Failed to Install
> Sugg   : The Registration Authority’s response is invalid.
> US Desc: Profile Failed to Install
> US Sugg: The Registration Authority’s response is invalid.
> Domain : MCInstallationErrorDomain
> Code   : 4001
> Type   : MCFatalError
> ...Underlying error:
> NSError:
> Desc   : The profile “scep test” could not be installed.
> Sugg   : The Registration Authority’s response is invalid.
> US Desc: The profile “scep test” could not be installed.
> US Sugg: The Registration Authority’s response is invalid.
> Domain : MCProfileErrorDomain
> Code   : 1009
> Type   : MCFatalError
> Params : (
>     "scep test"
> )
> ...Underlying error:
> NSError:
> Desc   : The Registration Authority’s response is invalid.
> US Desc: The Registration Authority’s response is invalid.
> Domain : MCSCEPErrorDomain
> Code   : 22003
> Type   : MCFatalError
> Extra info:
> {
>     isPrimary = 1;
> }
> error 10:31:21.667570-0600 profiled Installation failed. Error: NSError:
> Desc   : Profile Installation Failed
> Sugg   : The Registration Authority’s response is invalid.
> US Desc: Profile Installation Failed
> US Sugg: The Registration Authority’s response is invalid.
> Domain : MCInstallationErrorDomain
> Code   : 4001
> Type   : MCFatalError
> ...Underlying error:
> NSError:
> Desc   : Profile Failed to Install
> Sugg   : The Registration Authority’s response is invalid.
> US Desc: Profile Failed to Install
> US Sugg: The Registration Authority’s response is invalid.
> Domain : MCInstallationErrorDomain
> Code   : 4001
> Type   : MCFatalError
> ...Underlying error:
> NSError:
> Desc   : The profile “scep test” could not be installed.
> Sugg   : The Registration Authority’s response is invalid.
> US Desc: The profile “scep test” could not be installed.
> US Sugg: The Registration Authority’s response is invalid.
> Domain : MCProfileErrorDomain
> Code   : 1009
> Type   : MCFatalError
> Params : (
>     "scep test"
> )
> ...Underlying error:
> NSError:
> Desc   : The Registration Authority’s response
>
>
>
>
> On Fri, Jun 18, 2021 at 12:46 AM, Michal Moravec
> <[email protected]> wrote:
>
>     Hey Nick,
>
>     do you have this problem with iOS or macOS?
>
>     I spent a lot of time this year trying to use SCEP directly between
>     Apple systems and OpenXPKI.
>
>     There are bugs in macOS 11 and earlier preventing this.
>     Apple fixed all of the bugs I reported in macOS 12. I’ve tested
>     with the first beta and can confirm.
>
>     I was unable to persuade the iOS SCEP client to accept CA certificates
>     from OpenXPKI.
>     The SCEP client bailed out before even trying to request the certificate.
>     Apple also stated they fixed this problem, but currently I don’t
>     have an iOS device to run beta iOS, so I can’t test.
>
>     Michal Moravec
>     Sent from my iPhone
>
>>     On 17. 6. 2021, at 23:50, Nick Dawson <[email protected]> wrote:
>>
>>     hey OpenXPKI friends,
>>     I've been struggling with SCEP and could use some help. I have
>>     SCEP set up using the default config. When I use sscep I can get
>>     the capabilities and get the CA certs. sscep downloads 3 certs
>>     (the scep cert, the CA cert, and the root cert).  I have
>>     fullchain set in the config so that seems correct. 
>>
>>     On Apple devices, I'm attempting to install a profile. On
>>     OpenXPKI, the logs show the Apple devices trying to get the CA.
>>     The server sends the certs. And then the Apple devices fail.
>>
>>     Specifically, Apple devices
>>     return: errSecCertificateCannotOperate (which is error: -67817).
>>
>>     I've tried capturing the exact URL queries from the webserver's
>>     access logs. When I paste them into a browser, it downloads a
>>     file called "untitled". When I examine untitled with OpenSSL, I
>>     can see that it is a PKCS#7 bundle of the three certs.
>>
>>     Could it be as simple as needing a better filename like untitled.p7?
>>     And, if so, where would I set that in OpenXPKI's config files?
>>     I didn't see anything in scep or enrollment files.
>>
>>     Or, might this be a different issue? Does anyone have experience
>>     with Apple devices and OpenXPKI's SCEP implementation? Any tips
>>     or tricks? 
>>
>>     thanks! 
>>
>>
>>     _______________________________________________
>>     OpenXPKI-users mailing list
>>     [email protected]
>>     https://lists.sourceforge.net/lists/listinfo/openxpki-users
>


-- 
Protect your environment -  close windows and adopt a penguin! 
