lvdb-gs

Q: iOS 8 OTA SCEP enrollment fails on second install

I have a profile and SCEP server that have been working fine for several years now. However, on devices running iOS 8 or higher, the SCEP enrollment fails if it is done a second time (different certificate). The OTA certificate enrollment process works on iOS 7 devices as many times as needed.

Relevant iOS 7 log for a second certificate installation based on the same config/CA/signing cert etc.:

 

 

profiled[1397] <Notice>: (Note ) MC: Retrieving profile from OTA Profile service...

     profiled[1397] <Notice>: (Note ) MC: Received final profile: com.myConfig.profile

     profiled[1397] <Notice>: (Note ) MC: Beginning profile installation...

     <Notice>: (Note ) MC: Profile “com.myConfig.profile” is replacing an existing profile having the same identifier.

     securityd[1349] <Error>:  SecDbItemInsertOrReplace INSERT failed: The operation couldn’t be completed. (com.apple.utilities.sqlite3 error 19 - reset: [19] columns ctyp, issr, slnr, agrp, sync are not unique sql: INSERT INTO cert(rowid,cdat,mdat,ctyp,cenc,labl,alis,subj,issr,slnr,skid,pkhh,data,agrp,pdmn,sync,tomb,sha1)VALUES(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?))

     securityd[1349] <Error>:  securityd_xpc_dictionary_handler profiled[1397] add The operation couldn’t be completed. (OSStatus error -25299 - duplicate item O,cert,85233947,L,dku,apple,0,ctyp,cenc,labl,subj,issr,slnr,pkhh,v_Data,20150303054909.447036Z,CF75A17F)

     profiled[1397] <Error>:  SecOSStatusWith error:[-25299] The operation couldn’t be completed. (OSStatus error -25299 - Remote error : The operation couldn’t be completed. (OSStatus error -25299 - duplicate item O,cert,85233947,L,dku,apple,0,ctyp,cenc,labl,subj,issr,slnr,pkhh,v_Data,20150303054909.447036Z,CF75A17F))

     profiled[1397] <Notice>: (Note ) MC: Attempting to retrieve issued certificate...

     securityd[1349] <Error>:  CFPropertyListReadFromFile file file:///Users/Library/Developer/CoreSimulator/Devices/9B6A7852-9C11-4FCC-8327-E1BD33EA7CF5/data/Library/Keychains/accountStatus.plist: The operation couldn’t be completed. (Cocoa error 260.)

     <Notice>: (Note ) MC: Issued certificate received.

     securityd[1349] <Error>:  SecDbItemInsertOrReplace INSERT failed: The operation couldn’t be completed. (com.apple.utilities.sqlite3 error 19 - reset: [19] columns kcls, klbl, atag, crtr, type, bsiz, esiz, sdat, edat, agrp, sync are not unique sql: INSERT INTO keys(rowid,cdat,mdat,kcls,labl,alis,perm,priv,modi,klbl,atag,crtr,type,bsiz,esiz,sdat,edat,sens,asen,extr,next,encr,decr,drve,sign,vrfy,snrc,vyrc,wrap,unwp,data,agrp,pdmn,sync,tomb,sha1)VALUES(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?))

     securityd[1349] <Error>:  securityd_xpc_dictionary_handler profiled[1397] add The operation couldn’t be completed. (OSStatus error -25299 - duplicate item O,keys,0CC69ECD,L,dku,apple,0,kcls,labl,perm,priv,modi,klbl,atag,crtr,type,bsiz,esiz,sdat,edat,sens,asen,extr,next,encr,decr,drve,sign,vrfy,snrc,vyrc,wrap,unwp,v_Data,20150303054921.112843Z,344A0836)

     <Error>:  SecOSStatusWith error:[-25299] The operation couldn’t be completed. (OSStatus error -25299 - Remote error : The operation couldn’t be completed. (OSStatus error -25299 - duplicate item O,keys,0CC69ECD,L,dku,apple,0,kcls,labl,perm,priv,modi,klbl,atag,crtr,type,bsiz,esiz,sdat,edat,sens,asen,extr,next,encr,decr,drve,sign,vrfy,snrc,vyrc,wrap,unwp,v_Data,20150303054921.112843Z,344A0836))

     profiled[1397] <Notice>: (Note ) MC: Profile “com.myConfig.profile” installed.

     profiled[1397] <Notice>: (Note ) MC: Removing certificate with persistent ID 636572740000000000000005

     securityd[1349] <Error>:  CFPropertyListReadFromFile file file:///Users/Library/Developer/CoreSimulator/Devices/9B6A7852-9C11-4FCC-8327-E1BD33EA7CF5/data/Library/Keychains/accountStatus.plist: The operation couldn’t be completed. (Cocoa error 260.)

     <Notice>: (Note ) MC: Removing certificate with persistent ID 69646e740000000000000006

     profiled[1397] <Notice>: (Note ) MC: Removing certificate with persistent ID 69646e740000000000000007

     profiled[1397] <Notice>: (Note ) MC: Removing certificate with persistent ID 69646e740000000000000001

     profiled[1397] <Notice>: (Note ) MC: Removing certificate with persistent ID 69646e740000000000000004

 

Under iOS 8 the initial enrollment and profile installation work. However, on any subsequent enrollments the following error is thrown:

 

 

  profiled[2253]: (Note ) MC: Checking for MDM installation...

    profiled[2253]: (Note ) MC: ...finished checking for MDM installation.

    profiled[2253]: (Note ) MC: Enrolling in OTA Profile service...

    profiled[2253]:  SecTrustEvaluate  [leaf AnchorTrusted]

    securityd[1617]:  securityd_xpc_dictionary_handler profiled[2253] add The operation couldn’t be completed. (OSStatus error -25299 - duplicate item O,cert,688B8CB6,L,dku,com.apple.certificates,0,ctyp,cenc,labl,subj,issr,slnr,pkhh,v_Data,20150303080953.465563Z,6CDCA2CB)

    profiled[2253]:  SecOSStatusWith error:[-25299] The operation couldn’t be completed. (OSStatus error -25299 - Remote error : The operation couldn’t be completed. (OSStatus error -25299 - duplicate item O,cert,688B8CB6,L,dku,com.apple.certificates,0,ctyp,cenc,labl,subj,issr,slnr,pkhh,v_Data,20150303080953.465563Z,6CDCA2CB))

    profiled[2253]:  SecTrustEvaluate  [leaf AnchorTrusted]

    profiled[2253]: (Note ) MC: Attempting to retrieve issued certificate...

    profiled[2253]:  SecTrustEvaluate  [leaf AnchorTrusted ValidLeaf ValidRoot]

    profiled[2253]: (Note ) MC: Issued certificate received.

    securityd[1617]:  securityd_xpc_dictionary_handler profiled[2253] add The operation couldn’t be completed. (OSStatus error -25299 - duplicate item O,cert,B7CCBFFA,L,dku,com.apple.identities,0,ctyp,cenc,labl,subj,issr,slnr,pkhh,v_Data,20150303080954.973098Z,0A162218)

    profiled[2253]:  SecOSStatusWith error:[-25299] The operation couldn’t be completed. (OSStatus error -25299 - Remote error : The operation couldn’t be completed. (OSStatus error -25299 - duplicate item O,cert,B7CCBFFA,L,dku,com.apple.identities,0,ctyp,cenc,labl,subj,issr,slnr,pkhh,v_Data,20150303080954.973098Z,0A162218))

    profiled[2253]: *** Terminating app due to uncaught exception 'NSInvalidArgumentException', reason: '*** setObjectForKey: key cannot be nil'

    *** First throw call stack:

    (

    0   CoreFoundation                      0x00000001057cff35 __exceptionPreprocess + 165

    1   libobjc.A.dylib                     0x0000000107deebb7 objc_exception_throw + 45

    2   CoreFoundation                      0x00000001056d6998 -[__NSDictionaryM setObject:forKey:] + 968

    3   profiled                            0x0000000105222227 profiled + 209447

    4   profiled                            0x000000010522297a profiled + 211322

    5   libdispatch.dylib                   0x0000000108554af4 _dispatch_client_callout + 8

    6   libdispatch.dylib                   0x000000010853eabb _dispatch_barrier_sync_f_invoke + 76

    7   profiled                            0x00000001052228f7 profiled + 211191

    8   profiled                            0x00000001052360e0 profiled + 291040

    9   profiled                            0x0000000105236a4d profiled + 293453

    10  profiled                            0x000000010523c60b profiled + 316939

    11  profiled                            0x00000001051f29ef profiled + 14831

    12  libdispatch.dylib                   0x000000010853aaf6 _dispatch_call_block_and_release + 12

    13  libdispatch.dylib                   0x0000000108554af4 _dispatch_client_callout + 8

    14  libdispatch.dylib                   0x000000010853f8cf _dispatch_queue_drain + 733

    15  libdispatch.dylib                   0x000000010853f494 _dispatch_queue_invoke + 217

    16  libdispatch.dylib                   0x00000001085413fa _dispatch_root_queue_drain + 479

    17  libdispatch.dylib                   0x00000001085422c9 _dispatch_worker_thread3 + 98

    18  libsystem_pthread.dylib             0x00000001088d4637 _pthread_wqthread + 729

    19  libsystem_pthread.dylib             0x00000001088d240d start_wqthread + 13

    )

 

The error occurs as the SCEP server sends the iOS 8 device the response to GetCaCert, which is a static CA cert that doesn't change. I also tried deleting the installed profile before installing again, but this doesn't change the observed behavior. Only a reset will allow the profile installation to succeed.

 

 

Does anybody have any ideas?

iPhone 6, iOS 8

Posted on Mar 3, 2015 2:06 AM
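
Added example (not part of the original post, and not Apple code): a small triage helper that pulls the keychain duplicate-item errors (OSStatus -25299) out of a device log and reports whether the profile install still completed or profiled crashed, which is the difference between the two logs above. The sample lines are constructed by abridging those logs; the reading of the "duplicate item" descriptor fields (class in the second position, access group in the sixth) and the name triage are assumptions.

```python
import re

# Constructed samples, abridged from the iOS 7 and iOS 8 logs in the post.
IOS7_LOG = """\
securityd[1349] <Error>:  securityd_xpc_dictionary_handler profiled[1397] add The operation couldn't be completed. (OSStatus error -25299 - duplicate item O,cert,85233947,L,dku,apple,0,ctyp,cenc)
securityd[1349] <Error>:  securityd_xpc_dictionary_handler profiled[1397] add The operation couldn't be completed. (OSStatus error -25299 - duplicate item O,keys,0CC69ECD,L,dku,apple,0,kcls,labl)
profiled[1397] <Notice>: (Note ) MC: Profile "com.myConfig.profile" installed.
"""
IOS8_LOG = """\
securityd[1617]:  securityd_xpc_dictionary_handler profiled[2253] add The operation couldn't be completed. (OSStatus error -25299 - duplicate item O,cert,688B8CB6,L,dku,com.apple.certificates,0,ctyp,cenc)
profiled[2253]:  SecOSStatusWith error:[-25299] The operation couldn't be completed. (OSStatus error -25299 - Remote error : The operation couldn't be completed. (OSStatus error -25299 - duplicate item O,cert,688B8CB6,L,dku,com.apple.certificates,0,ctyp,cenc))
securityd[1617]:  securityd_xpc_dictionary_handler profiled[2253] add The operation couldn't be completed. (OSStatus error -25299 - duplicate item O,cert,B7CCBFFA,L,dku,com.apple.identities,0,ctyp,cenc)
profiled[2253]: *** Terminating app due to uncaught exception 'NSInvalidArgumentException', reason: '*** setObjectForKey: key cannot be nil'
"""

# Assumed descriptor layout: O,<class>,<hash>,L,<protection>,<access group>,...
DUPLICATE = re.compile(
    r"securityd_xpc_dictionary_handler (\w+)\[\d+\] add .*?"
    r"OSStatus error -25299 - duplicate item O,(\w+),[0-9A-F]+,L,\w+,([\w.]+),"
)
CRASH = "Terminating app due to uncaught exception"
INSTALLED = re.compile(r"MC: Profile .+ installed\.")


def triage(log):
    """Summarise keychain duplicate-item errors and how the install ended."""
    # Match only the securityd line; profiled echoes the same error as
    # "SecOSStatusWith ... Remote error", which would double-count it.
    duplicates = [m.groups() for m in DUPLICATE.finditer(log)]
    if CRASH in log:
        outcome = "crashed"
    elif INSTALLED.search(log):
        outcome = "installed"
    else:
        outcome = "unknown"
    return {"duplicates": duplicates, "outcome": outcome}


if __name__ == "__main__":
    for name, log in (("iOS 7", IOS7_LOG), ("iOS 8", IOS8_LOG)):
        print(name, triage(log))
```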