In my case I can install profiles on devices from the Profile Manager page but I cannot enroll devices.
The certificate I download to enroll is rejected by my MacBook Pro Lion: Says Invalid blablabla at the end:
Now I have done log research and I know exactly and understand why it doesn't work:
The scep_helper daemon is supposed to listen on port 1640 TCP (which you should forward to your server by the way, if you want to be able to enroll devices) and provide the requesting client with the root CA that signed the certificate. In my case, it can't find the root CA to provide the client with so it can finalize the cert validation process.
In my case, that's what I see in the log:
Jul 29 02:12:44 teknologism scep_helper: SCEP_HELPER: /SourceCache/RemoteDeviceManagement/RemoteDeviceManagement-701.70/scep_helper/main.m:727 'status = SCEPGetCACert(session, NULL, 0)' = -25300
Jul 29 02:12:44 teknologism scep_helper: SCEP_HELPER: /SourceCache/RemoteDeviceManagement/RemoteDeviceManagement-701.70/scep_helper/main.m:513 'SCEPGetCACert(session, NULL, 0)' = -25300
Jul 29 02:12:44 teknologism scep_helper: SCEP_HELPER: /SourceCache/RemoteDeviceManagement/RemoteDeviceManagement-701.70/scep_helper/main.m:819 'challenge = GetChallengeFromSCEP(password, guid, hostURL)' is NULL
Jul 29 02:12:44 teknologism ProfileManager: Could not retrieve root certificate from open directory server.
Now, as for the bad news: I have no idea how to fix it. I have dug into scep_helper, googled etc. Not a single clue on how to check its configuration or even why it can't find the root CA. By the way, everything else (I really mean everything: ical, cardav, web, wiki etc.) works great. And profile manager too, it's just the enroll thingy that doesn't work. And the root CA cert is in /etc/certificates. My server has a legit Class 1 SSL cert signed by a system trusted CA (Starfield to name it).
I have tried with other certs etc... It's a no go.
Can anyone help?
How can I add that missing CA cert in Open Directory?
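
Added example, not part of the original post: a small triage script that parses scep_helper lines like the ones quoted above and decodes the numeric status, showing that -25300 is the Security framework's errSecItemNotFound (the requested item was not found in the keychain). The sample lines are modelled on the post's log; the stray space in the first path is constructed to show tolerance of line-wrap damage, and the function names `parse` and `summarize` are this example's own.

```python
import re

# OSStatus codes defined by Apple's Security framework (SecBase.h).
OSSTATUS = {
    -25300: "errSecItemNotFound",   # item could not be found in the keychain
    -25299: "errSecDuplicateItem",
    -25293: "errSecAuthFailed",
}

# scep_helper check lines: <path>:<line> '<expr>' = <status>   or   '<expr>' is NULL
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) scep_helper: SCEP_HELPER: "
    r"(?P<src>.+?):(?P<line>\d+) '(?P<expr>.+)' (?:= (?P<status>-?\d+)|is (?P<null>NULL))$"
)

# Sample input modelled on the post's log (first path has a constructed wrap space).
SAMPLE = """\
Jul 29 02:12:44 teknologism scep_helper: SCEP_HELPER: /SourceCache/RemoteDeviceManagement/RemoteDeviceManagement-701.70/scep_helper/m ain.m:727 'status = SCEPGetCACert(session, NULL, 0)' = -25300
Jul 29 02:12:44 teknologism scep_helper: SCEP_HELPER: /SourceCache/RemoteDeviceManagement/RemoteDeviceManagement-701.70/scep_helper/main.m:819 'challenge = GetChallengeFromSCEP(password, guid, hostURL)' is NULL
Jul 29 02:12:44 teknologism ProfileManager: Could not retrieve root certificate from open directory server.
"""

def parse(text):
    """Return one dict per scep_helper check line; other lines are skipped."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        status = int(m["status"]) if m["status"] is not None else None
        fallback = "NULL result" if m["null"] else "unknown"
        events.append({
            "ts": m["ts"],
            "file": m["src"].replace(" ", "").rsplit("/", 1)[-1],
            "line": int(m["line"]),
            "expr": m["expr"],
            "status": status,
            "meaning": OSSTATUS.get(status, fallback),
        })
    return events

def summarize(events):
    """Map each failing call name to the decoded results seen for it."""
    out = {}
    for e in events:
        call = re.search(r"(\w+)\(", e["expr"])
        name = call.group(1) if call else e["expr"]
        out.setdefault(name, set()).add(e["meaning"])
    return {k: sorted(v) for k, v in out.items()}

if __name__ == "__main__":
    print(summarize(parse(SAMPLE)))
```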