[Pki-users] Mac OS SCEP request failure: "Could not decode the request"

Ryan Trinder ryan.trinder at warbyparker.com
Thu Aug 31 14:36:41 UTC 2017


Hello PKI users!

I am looking to use Dogtag for my org as the full PKI solution. Initially,
I'll be using it for certificate issuance for an EAP-TLS rollout.

In the beginning, to get certificates issued throughout the org, I would
like to utilize the SCEP server across multiple devices including Mac OS, iOS,
Linux, Windows, Chromebooks.

So far, I have tested with the *sscep* utility on Linux and with Mac OS
through the mobileconfig XML configuration. Using *sscep* works great on
Linux; however, any testing from Mac OS results in a 500 from the server
declaring that the request could not be decoded. I initially thought the
requests were using the wrong CA; however, intentionally using a wrong CA
with the *sscep* utility shows a completely different response in the logs.

Here is an excerpt from the *ca/debug* log for a failed request:

==> ca/debug <==
[31/Aug/2017:14:20:38][http-bio-8080-exec-5]: operation=GetCACert
[31/Aug/2017:14:20:38][http-bio-8080-exec-5]: message=CAIdentifier
[31/Aug/2017:14:20:38][http-bio-8080-exec-5]: handleGetCACert message=CAIdentifier
[31/Aug/2017:14:20:38][http-bio-8080-exec-5]: handleGetCACert selected chain=0
[31/Aug/2017:14:20:38][http-bio-8080-exec-5]: Output certificate chain:
[31/Aug/2017:14:20:39][http-bio-8080-exec-6]: operation=PKIOperation
[31/Aug/2017:14:20:39][http-bio-8080-exec-6]: message=[base64-encoded request omitted]
java.io.EOFException
    at org.mozilla.jss.asn1.ASN1Util.readFully(ASN1Util.java:114)
    at org.mozilla.jss.asn1.ANY$Template.decode(ANY.java:274)
    at org.mozilla.jss.asn1.EXPLICIT$Template.decode(EXPLICIT.java:157)
    at org.mozilla.jss.asn1.EXPLICIT$Template.decode(EXPLICIT.java:146)
    at org.mozilla.jss.asn1.SEQUENCE$Template.decode(SEQUENCE.java:400)
    at org.mozilla.jss.pkcs7.ContentInfo$Template.decode(ContentInfo.java:254)
    at org.mozilla.jss.pkcs7.ContentInfo$Template.decode(ContentInfo.java:247)
    at com.netscape.cmsutil.scep.CRSPKIMessage.decodeCRSPKIMessage(CRSPKIMessage.java:701)
    at com.netscape.cmsutil.scep.CRSPKIMessage.<init>(CRSPKIMessage.java:723)
    at com.netscape.cms.servlet.cert.scep.CRSEnrollment.handlePKIOperation(CRSEnrollment.java:832)
    at com.netscape.cms.servlet.cert.scep.CRSEnrollment.service(CRSEnrollment.java:370)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:221)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:505)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:956)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:436)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1078)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:625)
    at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:748)
[31/Aug/2017:14:20:39][http-bio-8080-exec-6]: ServletException
javax.servlet.ServletException: Could not decode the request.

And the failure from localhost.log:

==> localhost.2017-08-31.log <==
Aug 31, 2017 2:20:39 PM org.apache.catalina.core.StandardWrapperValve invoke
SEVERE: Servlet.service() for servlet [caSCEP] in context with path [/ca] threw exception [Could not decode the request.] with root cause
javax.servlet.ServletException: Could not decode the request.
    at com.netscape.cms.servlet.cert.scep.CRSEnrollment.service(CRSEnrollment.java:381)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:221)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:505)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:956)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:436)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1078)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:625)
    at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:748)

This seems like a MacOS specific difference in the requests, but I cannot
determine exactly what it is. Would anyone have any experience with this?

For reference, this is dogtag-pki 10.2.6+git20160317-1 installed via apt on
Ubuntu 16.04.
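
Added example, not part of the original post and not Dogtag code: one way to test whether a message= value copied from ca/debug is strict base64 and a complete DER structure, which is the condition the java.io.EOFException in ASN1Util.readFully points at (the decoder ran out of bytes before the declared length was satisfied). The function names and the sample values are constructed for illustration.

```python
import base64
import binascii

def der_header(buf):
    """Return (tag, header_len, content_len) of the DER TLV that starts buf."""
    if len(buf) < 2:
        raise ValueError("too short for a DER header")
    tag, first = buf[0], buf[1]
    if first < 0x80:                  # short form: the byte is the length
        return tag, 2, first
    n = first & 0x7F                  # long form: next n bytes hold the length
    if n == 0 or len(buf) < 2 + n:
        raise ValueError("indefinite or truncated length field")
    return tag, 2 + n, int.from_bytes(buf[2:2 + n], "big")

def check_logged_message(value):
    """Classify a message= value (hypothetical helper, not Dogtag code)."""
    report = {"whitespace": sum(c.isspace() for c in value)}
    try:
        # validate=True rejects anything outside the base64 alphabet
        raw = base64.b64decode(value, validate=True)
    except binascii.Error:
        return dict(report, status="not-strict-base64")
    try:
        tag, hdr, length = der_header(raw)
    except ValueError:
        return dict(report, status="bad-der-header")
    report.update(declared=hdr + length, actual=len(raw))
    if tag != 0x30:                   # ContentInfo is a SEQUENCE
        report["status"] = "not-a-sequence"
    elif len(raw) < hdr + length:     # a decoder would hit EOF here
        report["status"] = "truncated"
    elif len(raw) > hdr + length:
        report["status"] = "trailing-bytes"
    else:
        report["status"] = "complete"
    return report

# Constructed sample: a 260-byte SEQUENCE with zeroed content, not a real request.
INTACT = base64.b64encode(b"\x30\x82\x01\x00" + bytes(256)).decode()
SPACED = INTACT[:40] + " " + INTACT[40:]    # whitespace introduced in transit
CUT = INTACT[:200]                          # value cut short

if __name__ == "__main__":
    for name, value in (("intact", INTACT), ("spaced", SPACED), ("cut", CUT)):
        print(name, check_logged_message(value))
```

Running the same check on the value logged for a working sscep request and on the one logged for the failing Mac OS request shows whether the two differ before the ASN.1 decoder is reached.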