jlittle3369

Q: Profile Manager Enrollment Profile - SCEP Challenge failed

Greetings,

 

Need help.  All requisites are in order for Profile Manager and can install a profile and restrictions are applied. 

 

The problem is we are unable to install an Enrollment Profile via email or https://x.x.x/mydevices login for managing profiles.   I've researched for 2 days and failed to resolve.  Can anyone please help/comment/point in right direction/answer how to resolve the SCEP challenge failure? 

 

 

iOS and Mac client devices:

Login to:  https://x.x.x/mydevices

Select Install for Enrollment Profile

Signed Profile is downloaded, select Install Now

fails:  'Profile Installation Failed A connection to the server could not be established'

 

Server side OS X 10.10, Server 4.0:

apsn.log:  no errors

profilemanager.log:  no errors

 

php.log: 

1::Mar 06 14:12:52.775 [1147] <x.x.x.x> {LogElapsedTime (common.php:82)} Time since script start: 62185us [https://x.x.x/devicemanagement/api/device/auto_join_ota_service]

1::Mar 06 14:12:52.800 [1147] <x.x.x.x> {require_once (auto_join_ota_service.php:11)} vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv - POST auto_join_ota_service

0::Mar 06 14:12:53.411 [1147] <x.x.x.x> {LogException (common.php:470)} EXCEPTION: 500 Internal Server Error - Could not retrieve SCEP challenge. at

0::Mar 06 14:12:53.411 [1147] <x.x.x.x> #0 /Applications/Server.app/Contents/ServerRoot/usr/share/devicemgr/backend/php/ota_service_common.php(198): DieInternalError('Could not retri...')

0::Mar 06 14:12:53.411 [1147] <x.x.x.x> #1 /Applications/Server.app/Contents/ServerRoot/usr/share/devicemgr/backend/php/ota_service_common.php(314): _generate_scep_profile(Array)

0::Mar 06 14:12:53.411 [1147] <x.x.x.x> #2 /Applications/Server.app/Contents/ServerRoot/usr/share/devicemgr/backend/php/auto_join_ota_service.php(15): OTAServiceCommon()

0::Mar 06 14:12:53.411 [1147] <x.x.x.x> #3 {main}

1::Mar 06 14:12:53.411 [1147] <x.x.x.x> {SendFinalOutput (common.php:477)} Sent Final Output (26 bytes)

1::Mar 06 14:12:53.411 [1147] <x.x.x.x> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - /devicemanagement/api/device/auto_join_ota_service

0::Mar 06 14:12:53.411 [1147] <x.x.x.x> {SendFinalOutput (common.php:477)} Completed in 698ms | 500 Internal Server Error  [https://x.x.x/devicemanagement/api/device/auto_join_ota_service]

 

scep_helper.log:

0:: [1111] [2015/03/06 14:28:28.407] getSCEPURL: hostname = '127.0.0.1', urlString = 'http://127.0.0.1:1640/scep/'

1:: [1111] [2015/03/06 14:28:28.426] EXCEPTION:  Error <NSString *GetChallengeFromSCEP(NSString *__strong, NSString *__strong, NSString *__strong) (/SourceCache/RemoteDeviceManagement/RemoteDeviceManagement-883.16/Compiled/scep_helper/main.m:438): "'((SCEPGetCACert(session, ((void*)0), 0)))' error -18">

    USERINFO: {

        NSLocalizedDescription = "Carbon error -18";

    }

0:: [1111] [2015/03/06 14:28:28.460] SCEPHELPERS_GetSCEPChallenge: Caught exception NSString *GetChallengeFromSCEP(NSString *__strong, NSString *__strong, NSString *__strong) (/SourceCache/RemoteDeviceManagement/RemoteDeviceManagement-883.16/Compiled/scep_helper/main.m:438): "'((SCEPGetCACert(session, ((void*)0), 0)))' error -18"

 

Thanks

Mac mini, OS X Yosemite (10.10), clean 10.10 install then Server 4.0

Posted on Mar 6, 2015 11:47 AM
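
Added example (not part of the original thread, and not Apple tooling): a short Python triage of the two log excerpts in the question. It shows that the HTTP 500 comes from a failed SCEPGetCACert call against the server's own loopback SCEP URL, so the fault is server-side despite the client's "connection" message. The function names and the symptom-matching logic are assumptions of this example.

```python
import re

# Sample lines taken from the question's php.log and scep_helper.log (the "vvvv" marker is shortened).
PHP_LOG = """\
1::Mar 06 14:12:52.800 [1147] <x.x.x.x> {require_once (auto_join_ota_service.php:11)} vvvvvvvv - POST auto_join_ota_service
0::Mar 06 14:12:53.411 [1147] <x.x.x.x> {LogException (common.php:470)} EXCEPTION: 500 Internal Server Error - Could not retrieve SCEP challenge. at
"""
SCEP_LOG = """\
0:: [1111] [2015/03/06 14:28:28.407] getSCEPURL: hostname = '127.0.0.1', urlString = 'http://127.0.0.1:1640/scep/'
1:: [1111] [2015/03/06 14:28:28.426] EXCEPTION:  Error <NSString *GetChallengeFromSCEP(NSString *__strong, NSString *__strong, NSString *__strong) (/SourceCache/RemoteDeviceManagement/RemoteDeviceManagement-883.16/Compiled/scep_helper/main.m:438): "'((SCEPGetCACert(session, ((void*)0), 0)))' error -18">
"""

PHP_EXC = re.compile(r"^\d::(\w{3} \d\d [\d:.]+) \[\d+\].*EXCEPTION: (\d{3}) [^-]+ - (.+?)\.? at$")
SCEP_URL = re.compile(r"urlString = '([^']+)'")
SCEP_EXC = re.compile(r"EXCEPTION:.*'\(*(\w+)\(.*' error (-?\d+)")

def php_failures(text):
    """HTTP-level exceptions logged by the PHP backend."""
    out = []
    for line in text.splitlines():
        m = PHP_EXC.match(line.rstrip())
        if m:
            out.append({"time": m.group(1), "status": int(m.group(2)), "message": m.group(3)})
    return out

def scep_failures(text):
    """Failed SCEP calls, each paired with the last SCEP URL logged before it."""
    out, url = [], None
    for line in text.splitlines():
        u = SCEP_URL.search(line)
        if u:
            url = u.group(1)
        e = SCEP_EXC.search(line)
        if e:
            out.append({"url": url, "call": e.group(1), "code": int(e.group(2))})
    return out

def triage(php_text, scep_text):
    # The two excerpts carry different timestamps, so match on symptom, not on time.
    web = [f for f in php_failures(php_text) if "SCEP challenge" in f["message"]]
    scep = scep_failures(scep_text)
    if web and scep:
        return "server-side: {call} failed with error {code} against {url}".format(**scep[-1])
    if web:
        return "HTTP %d on enrollment, no scep_helper exception found" % web[-1]["status"]
    return "no SCEP challenge failure found"

if __name__ == "__main__":
    print(triage(PHP_LOG, SCEP_LOG))
```
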


  • by theFerret,

    theFerret Mar 7, 2015 11:29 AM in response to jlittle3369
    Level 1 (15 points)

    A few guesses

     

    Are certificates in order on the server, none that have expired?

    At least older versions of Mac OS (e.g. 10.8) do not automatically renew their enrolment identity certificate, which means they will keep most kinds of settings but not accept changes to profiles or new profiles. Are those certificates in order on the clients?

    Have you tried restarting the services (Profile Manager and Open Directory (handles certificates))?

    Have you tried rebooting the whole server? It feels like a thing you shouldn't have to do, but it's an easy way to be sure every process is actually restarted. I have had some profile problems that I haven't been able to track down but that have been solved by restarting services or the whole server (e.g. after upgrade from MOS 10.9.5 + Server 3.2.2 to MOS 10.10.x + Server 4.0.3).

  • by jlittle3369, Helpful

    jlittle3369 Mar 10, 2015 11:03 AM in response to theFerret
    Level 1 (5 points)

    Thanks theFerret, turned out all certs were in order.

     

    My problem resulted from changing the host name after Open Directory was installed.  Relatively lucky in that this is a new install without many users, so I was able to destroy without consequence.  This solved the problem after identifying it:

     

    Destroy Open Directory

    sudo slapconfig -destroyldapserver

    sudo slapconfig -setstandalone


    Reboot


    Stop Profile Manager

    sudo serveradmin stop devicemgr

    sudo killall -9 -u _devicemgr

    sudo serverctl disable service=com.apple.DeviceManagement.devicemgrd

    sudo serverctl disable service=com.apple.DeviceManagement.postgres

    sudo mv /Library/Server/ProfileManager/Config/ServiceData/Data/PostgreSQL ~/.Trash/PostgreSQL_$RANDOM

    sudo mv /Library/Server/ProfileManager/Config/ServiceData/Data/backup ~/.Trash/backup_$RANDOM

    sudo /Applications/Server.app/Contents/ServerRoot/usr/libexec/deviceManagerCommon.sh


    Reconfigure Device Management, enable Profile Manager

  • by Cerniuk,

    Cerniuk May 3, 2016 3:07 PM in response to jlittle3369
    Level 1 (27 points)
    Servers Enterprise

    This did it for me.  It would be terrible if I had the server in use with all manner of accounts to have to do this though, as it flushes all the accounts.  Nevertheless, now have a usable Profile Manager.  Thanks!