
Can't enroll devices with Profile Manager - invalid key

In my case I can install profiles on devices from the Profile Manager page but I cannot enroll devices.


The certificate I download to enroll is rejected by my MacBook Pro on Lion: it says Invalid blablabla at the end:




Now I have done some log research and I know exactly, and understand, why it doesn't work:


The scep_helper daemon is supposed to listen on port 1640 TCP (which you should forward to your server, by the way, if you want to be able to enroll devices) and provide the requesting client with the root CA that signed the certificate. In my case, it can't find the root CA to provide the client with, so the client can't finalize the cert validation process.


In my case, that's what I see in the log:


Jul 29 02:12:44 teknologism scep_helper[1638]: SCEP_HELPER: /SourceCache/RemoteDeviceManagement/RemoteDeviceManagement-701.70/scep_helper/main.m:727 'status = SCEPGetCACert(session, NULL, 0)' = -25300

Jul 29 02:12:44 teknologism scep_helper[1638]: SCEP_HELPER: /SourceCache/RemoteDeviceManagement/RemoteDeviceManagement-701.70/scep_helper/main.m:513 'SCEPGetCACert(session, NULL, 0)' = -25300

Jul 29 02:12:44 teknologism scep_helper[1638]: SCEP_HELPER: /SourceCache/RemoteDeviceManagement/RemoteDeviceManagement-701.70/scep_helper/m ain.m:819 'challenge = GetChallengeFromSCEP(password, guid, hostURL)' is NULL

Jul 29 02:12:44 teknologism ProfileManager[516]: Could not retrieve root certificate from open directory server.



Now, as for the bad news: I have no idea how to fix it. I have dug into scep_helper, googled, etc. Not a single clue on how to check its configuration or even why it can't find the root CA. By the way, everything else (I really mean everything: iCal, CardDAV, web, wiki, etc.) works great. And Profile Manager too; it's just the enroll thingy that doesn't work. And the root CA cert is in /etc/certificates. My server has a legit Class 1 SSL cert signed by a system-trusted CA (Starfield, to name it).


I have tried with other certs etc... It's a no go.


Can anyone help?


How can I add that missing CA cert in Open Directory?

Mac OS X (10.7)

Posted on Jul 28, 2011 5:18 PM
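The scep_helper lines quoted in the post carry the failing call and its OSStatus code. The following is an added example (not part of the thread and not Apple's code): a small triage parser for syslog lines of that shape that extracts the call and the status, maps the few OSStatus values it knows (taken from Apple's SecBase.h: errSecItemNotFound = -25300, errSecAuthFailed = -25293, errSecNotAvailable = -25291), and flags NULL results, so the failing step (CA fetch versus challenge fetch) is visible at a glance. The sample log lines are constructed after the ones in the post.

```python
"""Triage helper for scep_helper / ProfileManager syslog lines (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# OSStatus values from Apple's Security framework (SecBase.h).
OSSTATUS_MEANING = {
    -25300: "errSecItemNotFound: the requested item (here the CA certificate) was not found",
    -25293: "errSecAuthFailed: authorization or authentication failed",
    -25291: "errSecNotAvailable: no keychain / trust data available",
}

# "Jul 29 02:12:44 host process[pid]: message"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<proc>[\w.-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# scep_helper prints either  'expr' = <OSStatus>  or  'expr' is NULL
STATUS_RE = re.compile(r"'(?P<expr>[^']+)' = (?P<code>-?\d+)\s*$")
NULL_RE = re.compile(r"'(?P<expr>[^']+)' is NULL\s*$")


@dataclass
class Finding:
    process: str
    step: str              # the failing expression or a short label
    code: Optional[int]    # OSStatus, or None when the call returned NULL
    explanation: str


def parse_line(line: str) -> Optional[Finding]:
    """Return a Finding for a line that reports a failure, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    proc, msg = m.group("proc"), m.group("msg")
    s = STATUS_RE.search(msg)
    if s:
        code = int(s.group("code"))
        return Finding(proc, s.group("expr"), code,
                       OSSTATUS_MEANING.get(code, "unknown OSStatus"))
    n = NULL_RE.search(msg)
    if n:
        return Finding(proc, n.group("expr"), None, "call returned NULL (the step failed)")
    if "Could not retrieve root certificate" in msg:
        return Finding(proc, "root certificate lookup", None, msg)
    return None


def triage(lines: List[str]) -> List[Finding]:
    """All failure findings, in log order."""
    return [f for f in (parse_line(l) for l in lines) if f is not None]


def first_failure(lines: List[str]) -> Optional[Finding]:
    """The earliest failing step: in the thread's log that is SCEPGetCACert,
    i.e. the CA lookup fails before the challenge is ever requested."""
    found = triage(lines)
    return found[0] if found else None


# Constructed sample, modelled on the lines quoted in the thread.
SAMPLE_LOG = [
    "Jul 29 02:12:44 teknologism scep_helper[1638]: SCEP_HELPER: /SourceCache/RemoteDeviceManagement/"
    "RemoteDeviceManagement-701.70/scep_helper/main.m:727 'status = SCEPGetCACert(session, NULL, 0)' = -25300",
    "Jul 29 02:12:44 teknologism scep_helper[1638]: SCEP_HELPER: /SourceCache/RemoteDeviceManagement/"
    "RemoteDeviceManagement-701.70/scep_helper/main.m:513 'SCEPGetCACert(session, NULL, 0)' = -25300",
    "Jul 29 02:12:44 teknologism scep_helper[1638]: SCEP_HELPER: /SourceCache/RemoteDeviceManagement/"
    "RemoteDeviceManagement-701.70/scep_helper/main.m:819 'challenge = GetChallengeFromSCEP(password, guid, hostURL)' is NULL",
    "Jul 29 02:12:44 teknologism ProfileManager[516]: Could not retrieve root certificate from open directory server.",
    "Jul 29 02:12:45 teknologism ProfileManager[516]: unrelated informational line",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.process}: {f.step} -> {f.code}: {f.explanation}")
```

Run it against a `tail` of system.log from the moment the enrollment fails; a first failure of `SCEPGetCACert` with -25300 says the server could not find the CA to hand out, which is a server-side certificate problem, not a client or port-forwarding one.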

26 replies

Jul 28, 2011 5:53 PM in response to applepai

Well, what drives me nuts is that I know exactly why it doesn't work but can't fix it because of lack of documentation....


Pretty amazing for a system based on open-source stacks/libs/frameworks, if you ask me...


If anyone has some pointers for scep_helper docs / config please let me know...


I'll probably try looking in the Mac Developer Center at Apple...

Jul 28, 2011 6:09 PM in response to The Teknologist

If you go to the My Devices page, under Profiles there is the Trust Profile for.... You need to download that, install it in the System keychain (in Lion; on iOS, just install it) and then you'll be able to enroll your devices/Macs.


It's because for SCEP, and indeed MDM, to work, both parties need to trust each other, and with a self-signed certificate like you have here (and indeed everyone does, unless they buy one) the only way to achieve that trust is to download the cert first.


Hope that helps!

Jul 28, 2011 6:52 PM in response to matwyn

Hi matwyn,


I hadn't noticed you replied to this post too. Are you tracking me? ;-)


Please read my post carefully.


I have a legit purchased cert (their root CA is already bundled in 99% of OSes and browsers), no need to add a CA. I did clearly mention it in the post.



I think that what happens is that the intermediate certificate generated for code signing was generated at the time I used a self-signed one (just after the install).


When I switched to my purchased certificate, everything changed except that the code signing certificate is still used to sign profiles, and as I deleted the old self-signed certificates, it can't find the self-signer CA anymore....


I have created a new code signing cert, but my Server.app Profile Manager pane is frozen on "loading...", as I posted in another discussion, so I can't switch the signing to that new cert....


Any way to do what the Server.app Profile Manager pane does from the command line?


I am pretty sure I just need to switch the code signing certificate, but can't find how to do it from the command line...


Anyone ?

Jul 29, 2011 6:41 AM in response to matwyn

Well it's a no go...


teknologism:root root# serveradmin settings < ./devicemgr.settings

2011-07-29 15:40:01.022 serveradmin[19480:307] Exception in doCommand for module servermgr_devicemgr on thread 0x7fa609416b20: *** -[NSConcreteFileHandle fileDescriptor]: unknown error

2011-07-29 15:40:01.023 serveradmin[19480:307] --request was {

command = writeSettings;

configuration = {

CodeSigningAuthorityChain = "/etc/certificates/teknologism.org Code Signing.9B56B51A18C3E27E01A624E5B53E18065477E641.chain.pem";

CodeSigningCertificate = "/etc/certificates/teknologism.org Code Signing.9B56B51A18C3E27E01A624E5B53E18065477E641.cert.pem";

CodeSigningPrivateKey = "/etc/certificates/teknologism.org Code Signing.9B56B51A18C3E27E01A624E5B53E18065477E641.key.pem";

};

}

Jul 29, 2011 7:22 AM in response to The Teknologist

Here is some more info...


teknologism:root root# serveradmin settings devicemgr

devicemgr:SSLAuthorityChain = "/etc/certificates/trinity.teknologism.org.C1D19D55699B48C94A18787E4F53B4C3230E91FE.chain.pem"

devicemgr:od_active = yes

devicemgr:ssl_active = yes

devicemgr:enableCodeSigning = yes

devicemgr:updated_at = 2011-07-28 16:04:52 +0000

devicemgr:email_delivery_method = ""

devicemgr:CodeSigningPrivateKey = "/etc/certificates/teknologism.org Code Signing Certificate.ED29CE4BD9D2926D64E60EF7A117EFDB2213F0CC.key.pem"

devicemgr:apns_active = yes

devicemgr:CodeSigningAuthorityChain = "/etc/certificates/teknologism.org Code Signing Certificate.ED29CE4BD9D2926D64E60EF7A117EFDB2213F0CC.chain.pem"

devicemgr:default_profile_created_at_least_once = yes

devicemgr:knob_sets_enabled:com.apple.mail.managed = yes

devicemgr:knob_sets_enabled:com.apple.vpn.managed = yes

devicemgr:knob_sets_enabled:com.apple.carddav.account = yes

devicemgr:knob_sets_enabled:com.apple.jabber.account = yes

devicemgr:knob_sets_enabled:com.apple.caldav.account = yes

devicemgr:email_authentication = ""

devicemgr:email_port = 25

devicemgr:email_username = ""

devicemgr:id = 1

devicemgr:last_modified_guid = ""

devicemgr:SSLPrivateKey = "/etc/certificates/trinity.teknologism.org.C1D19D55699B48C94A18787E4F53B4C3230E91FE.key.pem"

devicemgr:od_master = "127.0.0.1"

devicemgr:apns_topic = ""

devicemgr:email_password = ""

devicemgr:mdm_acl = 2047

devicemgr:user_timeout = 43200

devicemgr:server_organization = ""

devicemgr:SSLCertificate = "/etc/certificates/trinity.teknologism.org.C1D19D55699B48C94A18787E4F53B4C3230E91FE.cert.pem"

devicemgr:created_at = 2011-07-24 11:47:33 +0000

devicemgr:email_address = ""

devicemgr:email_domain = ""

devicemgr:CodeSigningCertificate = "/etc/certificates/teknologism.org Code Signing Certificate.ED29CE4BD9D2926D64E60EF7A117EFDB2213F0CC.cert.pem"

devicemgr:email_server_address = ""

devicemgr:admin_session = ""





The 3 CodeSigning certs/keys are in /etc/certificates and their permissions are correct.


Also, don't ask me why, but my Profile Manager pane in Server.app is working again. It shows all the config... but I can't modify anything.... As soon as I try to modify something it spins the waiting wheel forever... I guess it's the same error as the command-line serveradmin...
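The `serveradmin settings devicemgr` output above references each identity (SSL and CodeSigning) as three files in /etc/certificates, named `<name>.<SHA-1>.cert.pem`, `.key.pem` and `.chain.pem`. A stale reference, such as a code-signing chain whose self-signed issuer has since been deleted, is exactly the failure mode this thread circles around. The following is an added example (not Apple's tooling and not from the thread): it parses that `key = value` output, checks that the cert, key and chain of each identity share one file stem, that every referenced file exists, and that the chain file actually carries at least one PEM certificate. The settings text and the staged /etc/certificates tree are constructed; the `root` parameter is an assumption that lets the check run against a staged copy instead of the live directory.

```python
"""Consistency check for Profile Manager devicemgr certificate settings (added example)."""
import os
import re
import tempfile
from typing import Dict, List

SETTING_RE = re.compile(r'^devicemgr:(?P<key>[A-Za-z_:.]+) = (?P<val>.*)$')
IDENTITIES = ("SSL", "CodeSigning")
PARTS = ("Certificate", "PrivateKey", "AuthorityChain")


def parse_settings(text: str) -> Dict[str, str]:
    """Turn `serveradmin settings devicemgr` lines into a dict, unquoting values."""
    out = {}
    for line in text.splitlines():
        m = SETTING_RE.match(line.strip())
        if m:
            v = m.group("val").strip()
            out[m.group("key")] = v[1:-1] if len(v) >= 2 and v[0] == v[-1] == '"' else v
    return out


def _stem(path: str) -> str:
    """'/etc/certificates/<name>.<SHA1>.cert.pem' -> '<name>.<SHA1>'"""
    base = os.path.basename(path)
    for suffix in (".cert.pem", ".key.pem", ".chain.pem"):
        if base.endswith(suffix):
            return base[: -len(suffix)]
    return base


def count_pem_certs(path: str) -> int:
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return fh.read().count("-----BEGIN CERTIFICATE-----")


def check_identities(settings: Dict[str, str], root: str = "/") -> List[str]:
    """Return problem descriptions; an empty list means every identity is
    self-consistent. `root` (assumed parameter) is prepended to the
    absolute paths so a staged tree can be checked instead of the live one."""
    problems = []
    for ident in IDENTITIES:
        paths = {p: settings.get(f"{ident}{p}") for p in PARTS}
        missing = [p for p, v in paths.items() if not v]
        if missing:
            problems.append(f"{ident}: setting(s) not present: {', '.join(missing)}")
            continue
        stems = {_stem(v) for v in paths.values()}
        if len(stems) != 1:
            problems.append(f"{ident}: cert/key/chain refer to different identities: {sorted(stems)}")
        for part, v in paths.items():
            full = os.path.join(root, v.lstrip("/"))
            if not os.path.isfile(full):
                problems.append(f"{ident}{part}: file not found: {v}")
            elif part == "AuthorityChain" and count_pem_certs(full) < 1:
                problems.append(f"{ident}AuthorityChain: {v} contains no certificate (issuer missing?)")
    return problems


# Constructed settings: the SSL identity is complete; the code-signing
# chain points at a different (older) identity whose file is empty.
SAMPLE_SETTINGS = """\
devicemgr:SSLAuthorityChain = "/etc/certificates/trinity.example.org.AAAA.chain.pem"
devicemgr:SSLPrivateKey = "/etc/certificates/trinity.example.org.AAAA.key.pem"
devicemgr:SSLCertificate = "/etc/certificates/trinity.example.org.AAAA.cert.pem"
devicemgr:CodeSigningCertificate = "/etc/certificates/example.org Code Signing Certificate.BBBB.cert.pem"
devicemgr:CodeSigningPrivateKey = "/etc/certificates/example.org Code Signing Certificate.BBBB.key.pem"
devicemgr:CodeSigningAuthorityChain = "/etc/certificates/example.org Code Signing.CCCC.chain.pem"
devicemgr:enableCodeSigning = yes
"""


def stage_demo(root: str) -> None:
    """Create a constructed /etc/certificates tree under `root`."""
    certdir = os.path.join(root, "etc", "certificates")
    os.makedirs(certdir, exist_ok=True)
    fake_cert = "-----BEGIN CERTIFICATE-----\n(constructed)\n-----END CERTIFICATE-----\n"
    fake_key = "-----BEGIN RSA PRIVATE KEY-----\n(constructed)\n-----END RSA PRIVATE KEY-----\n"
    files = {
        "trinity.example.org.AAAA.cert.pem": fake_cert,
        "trinity.example.org.AAAA.key.pem": fake_key,
        "trinity.example.org.AAAA.chain.pem": fake_cert * 2,
        "example.org Code Signing Certificate.BBBB.cert.pem": fake_cert,
        "example.org Code Signing Certificate.BBBB.key.pem": fake_key,
        "example.org Code Signing.CCCC.chain.pem": "",  # issuer was deleted
    }
    for name, body in files.items():
        with open(os.path.join(certdir, name), "w", encoding="utf-8") as fh:
            fh.write(body)


def run_demo() -> List[str]:
    with tempfile.TemporaryDirectory() as root:
        stage_demo(root)
        return check_identities(parse_settings(SAMPLE_SETTINGS), root=root)


if __name__ == "__main__":
    for p in run_demo():
        print("PROBLEM:", p)
```

On a live server, feed it `serveradmin settings devicemgr` output with `root="/"`; two findings against CodeSigning (mismatched stems, empty chain) reproduce the situation described in this thread, while a clean run leaves the SCEP CA lookup as the next thing to investigate.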

Jul 30, 2011 11:48 AM in response to Eric Kaiser1

Yep, already tried all that, same problem....


I really think I pinpointed the issue as scep_helper being unable to figure out the CA certificate and send it back to the client.


The message "Key invalid" on the client can be related to anything in the cert/key configuration on the server.


For example, if you try to enroll from "outside" your LAN and haven't forwarded port 1640, you may get this error too...


Only problem is I don't know how to check why scep_helper doesn't get the root CA from Open Directory...
