500 Internal Server Error When enrolling device to Profile Manager

The path of trying to work this out has led me to this:

Resolve issues with Profile Manager in macOS Server - Apple Support

Under the heading 'If you can't push profiles or apps to clients'

After putting in the commands, it tells me that I can find the log file at:

/Library/Logs/apsd.log

But it is not there? I want to see if there is any issue with reaching the APNS servers.

Anyone know where I can find this file.

Thanks.

Hello,

How do start while keeping all enrolled devices? Is it possible.

As I mentioned though, existing enrolled devices can still get settings and apps from the server. If devices can still trust the server, why can't new devices? Even with the trust profile installed.

All push notification certs and certs listed in PM are all valid and haven't expired.

Here is the error again with verbose logging enabled.

2:: [67936] [2017/02/28 11:30:26.090] <IP-OF-DEVICE> {GetAppPreference (common.php:64)} GetAppPreference: Pref for 'debugOutput' = 4

2:: [67936] [2017/02/28 11:30:26.383] <IP-OF-DEVICE> {GetAppPreference (common.php:66)} GetAppPreference: Pref for 'DBLogSQL' =

2:: [67936] [2017/02/28 11:30:26.383] <IP-OF-DEVICE> {GetAppPreference (common.php:66)} GetAppPreference: Pref for 'DBDebug' = 1

1:: [67936] [2017/02/28 11:30:26.641] <\033[0;32mIP-OF-DEVICE\033[0m> {require_once (auto_join_ota_service.php:11)} >>> Processing POST \033[0;36mauto_join_ota_service\033[0m

1:: [67936] [2017/02/28 11:30:26.802] signerIndex = 0, signStatus = 1

2:: [67936] [2017/02/28 11:30:26.894] <\033[0;32mIP-OF-DEVICE\033[0m> {OTAServiceCommon (auto_join_ota_service.php:16)} OTAServiceCommon: incoming_request = {

'CHALLENGE'=>'4cfff5f0-a068-0133-2810-685b359db61b',

'COMPROMISED'=>'',

'DEVICE_NAME'=>'Name-of-device',

'DeviceID'=>'',

'IMEI'=>'',

'MEID'=>'',

'NotOnConsole'=>'',

'PRODUCT'=>'Macmini6,2',

'SERIAL'=>'C07LP04KDWYN',

'UDID'=>'2c1b90233730588e80fe815aa15265c6',

'UserID'=>'C61B756D-1C25-4A09-9038-5D59140AB64F',

'UserLongName'=>'IPAD new',

'UserShortName'=>'ipad_new',

'VERSION'=>'16B2555'

}

3:: [67936] <\033[0;32mIP-OF-DEVICE\033[0m> {PerformInTransaction (ota_service_common.php:312)} PerformInTransaction: connID=P:67936, txnID=_ota_service_transaction_challenge

4:: [67936] Created singleton <PGTransactionScheduler: 0x7f9141bbe340>

4:: [67936] [0x7f91405061f0/<PGTransactionScheduler:0x7f9141bbe340>] -[PGTransactionScheduler connection:willBeginTransaction:priority:]: ENTER

4:: [67936] -[PGTransactionScheduler _helper]: __helper = 0x0, gQuit = NO, retry = 0.000000

4:: [67936] dmpgHelper noOpWithHandler callback

2:: [67936] [2017/02/28 11:30:26.895] dmpgHelper is alive!

0:: [67936] [2017/02/28 11:30:26.918] <\033[0;32mIP-OF-DEVICE\033[0m> {LogSQL (db.php:830)} SQL: BEGIN ISOLATION LEVEL SERIALIZABLE;

0:: [67936] [2017/02/28 11:30:26.919] <\033[0;32mIP-OF-DEVICE\033[0m> {LogSQL (db.php:820)} SQL: SELECT * FROM auto_join_profiles WHERE "reg_challenge" = '4cfff5f0-a068-0133-2810-685b359db61b' LIMIT 1 ;

0:: [67936] [2017/02/28 11:30:26.971] <\033[0;32mIP-OF-DEVICE\033[0m> {LogSQL (db.php:820)} SQL: SELECT * FROM devices WHERE "SerialNumber" = 'C07LP04KDWYN' OR "udid" = '2c1b90233730588e80fe815aa15265c6' ;

0:: [67936] [2017/02/28 11:30:26.999] <\033[0;32mIP-OF-DEVICE\033[0m> {LogSQL (db.php:820)} SQL: UPDATE "devices" SET ("updated_at","pending_checkin_token","checkin_token_valid_at","pending_user_id ") = (:updated_at,'F8B442AC-5304-415E-AF0A-11111A0DD4E0',:checkin_token_valid_at,NUL L) WHERE id = 3685;

3:: [67936] <\033[0;32mIP-OF-DEVICE\033[0m> {ExecuteSQLFunction (target.php:137)} ExecuteSQLFunction: SELECT dm_merge_duplicate_device_rows_and_update(:d_id,:d_udid,:d_sn,:d_imei,:d_meid,: d_devid)

Params = {

'd_udid'=>'2c1b90233730588e80fe815aa15265c6',

'd_sn'=>'C07LP04KDWYN',

'd_imei'=>'',

'd_meid'=>'',

'd_devid'=>'',

'd_id'=>3685

}

0:: [67936] [2017/02/28 11:30:27.172] <\033[0;32mIP-OF-DEVICE\033[0m> {LogSQL (db.php:820)} dm_merge_duplicate_device_rows_and_update: SELECT dm_merge_duplicate_device_rows_and_update(3685,'2c1b90233730588e80fe815aa15265c 6','C07LP04KDWYN',NULL,NULL,NULL);

0:: [67936] [2017/02/28 11:30:27.730] <\033[0;32mIP-OF-DEVICE\033[0m> {LogSQL (db.php:820)} SQL: SELECT * FROM devices WHERE "id" = 3685 LIMIT 1 ;

0:: [67936] [2017/02/28 11:30:27.730] <\033[0;32mIP-OF-DEVICE\033[0m> {LogSQL (db.php:820)} SQL: SELECT * FROM library_item_metadata WHERE "id" = 3685 LIMIT 1 ;

0:: [67936] [2017/02/28 11:30:27.731] <\033[0;32mIP-OF-DEVICE\033[0m> {LogSQL (db.php:820)} SQL: UPDATE "library_item_metadata" SET ("dynamic_attributes") = ('{"BuildVersion":"16B2555"}') WHERE id = 3685;

0:: [67936] [2017/02/28 11:30:27.772] <\033[0;32mIP-OF-DEVICE\033[0m> {LogSQL (db.php:820)} SQL: SELECT * FROM library_item_metadata WHERE "id" = 3685 LIMIT 1 ;

0:: [67936] [2017/02/28 11:30:27.773] <\033[0;32mIP-OF-DEVICE\033[0m> {LogSQL (db.php:820)} SQL: UPDATE "devices" SET ("updated_at","mdm_target_type","DeviceName","ProductName") = (:updated_at,'mac','Name-of-device','Macmini6,2') WHERE id = 3685;

0:: [67936] [2017/02/28 11:30:27.776] <\033[0;32mIP-OF-DEVICE\033[0m> {LogSQL (db.php:820)} SQL: INSERT INTO "auto_join_profile_usage" ("auto_join_profile_id","device_id","checkin_token") VALUES(1,3685,'F8B442AC-5304-415E-AF0A-11111A0DD4E0') RETURNING id;

0:: [67936] [2017/02/28 11:30:27.876] <\033[0;32mIP-OF-DEVICE\033[0m> {LogSQL (db.php:830)} SQL: COMMIT;

4:: [67936] [0x7f91405061f0/<PGTransactionScheduler:0x7f9141bbe340>] -[PGTransactionScheduler connectionDidCompleteTransaction:succeeded:willRetry:]: ENTER

4:: [67936] -[PGTransactionScheduler _helper]: __helper = 0x7f9141bc1500, gQuit = NO, retry = 0.000000

4:: [67936] Created singleton <SCEPHelper: 0x7f9141900290>

1:: [67936] [2017/02/28 11:30:30.038] \033[1;7;31mEXCEPTION:\033[0;31m Error <-[SCEPHelper getSCEPChallengeForHost:] (/Library/Caches/com.apple.xbs/Sources/RemoteDeviceManagement/RemoteDeviceManag ement-904.29/Compiled/Framework-Base/Support/SCEPHelper.m:89): "'((SCEPHELPER_GetSCEPChallenge(self.connection, hostname, hostnameCnt, &challenge, &challengeCnt)))' error 1">

USERINFO: {

NSLocalizedDescription = "Operation not permitted";

}

\033[4;31mBACKTRACE:\033[0m

\033[0;31m? | ? | 10332b753

? | ? | 1032def4e

? | ? | 1032de066

? | ? | 1029419be

? | ? | 1028ff414

? | ? | 1028d7fbf

? | ? | 102882fea

? | ? | 102968840

? | ? | 7fffb86f7255

\033[0;37m-[LogFormatter toString] generation time: \033[1;37m0.001622s\033[0m\033[0m\033[0m

0:: [67936] [2017/02/28 11:30:30.054] do_dmx_get_scep_challenge_for_host: caught exception -[SCEPHelper getSCEPChallengeForHost:] (/Library/Caches/com.apple.xbs/Sources/RemoteDeviceManagement/RemoteDeviceManag ement-904.29/Compiled/Framework-Base/Support/SCEPHelper.m:89): "'((SCEPHELPER_GetSCEPChallenge(self.connection, hostname, hostnameCnt, &challenge, &challengeCnt)))' error 1"

0:: [67936] [2017/02/28 11:30:30.055] <\033[0;32mIP-OF-DEVICE\033[0m> {LogException (common.php:574)} \033[0;31mEXCEPTION: 500 Internal Server Error - Could not retrieve SCEP challenge. at

#0 /Applications/Server.app/Contents/ServerRoot/usr/share/devicemgr/backend/php/ot a_service_common.php(196): DieInternalError('Could not retri...')

#1 /Applications/Server.app/Contents/ServerRoot/usr/share/devicemgr/backend/php/ot a_service_common.php(313): _generate_scep_profile(Array)

#2 /Applications/Server.app/Contents/ServerRoot/usr/share/devicemgr/backend/php/au to_join_ota_service.php(16): OTAServiceCommon()

#3 {main}\033[0m

1:: [67936] [2017/02/28 11:30:30.055] <\033[0;32mIP-OF-DEVICE\033[0m> {SendFinalOutput (common.php:582)} <<< Sent Final Output (26 bytes) - POST \033[0;36mauto_join_ota_service\033[0m

0:: [67936] [2017/02/28 11:30:30.055] <\033[0;32mIP-OF-DEVICE\033[0m> {SendFinalOutput (common.php:582)} Completed in 4164ms | 500 Internal Server Error [https:MAC-SERVER/devicemanagement/api/device/auto_join_ota_service]

Feb 28 11:31:15 Name-of-device com.apple.xpc.launchd[1] (com.apple.PasswordService[68255]): Service exited with abnormal code: 1

Feb 28 11:31:15 Name-of-device com.apple.xpc.launchd[1] (com.apple.PasswordService): Service only ran for 0 seconds. Pushing respawn out by 10 seconds.

Got this running the scep_helper.log

Trying to enroll the Mac I am currently on to our Profile Manger.

No active ProcTxns, we're eligible for termination.

2:: [34630] [2017/02/28 12:16:27.823] Starting ProcTxn 'scep_helper:0x000013'.

[1;32m——————————————————————+————————————————————————— [0m

scep_helper:0x000013 : 2017-02-28 01:16:27 +0000

[1;32m——————————————————————+————————————————————————— [0m

[0;37m-[LogFormatter toString] generation time: [1;37m0.000414s [0m

2:: [34630] [2017/02/28 12:16:27.823] Received request SCEPHELPERS_GetSCEPChallenge

2:: [34630] [2017/02/28 12:16:27.828] getSCEPURL: hostname = '127.0.0.1', urlString = 'http://127.0.0.1:1640/scep/'

1:: [34630] [2017/02/28 12:16:28.014] [1;7;31mEXCEPTION: [0;31m Error <NSString *GetChallengeFromSCEP(NSString *__strong, NSString *__strong, NSString *__strong) (/Library/Caches/com.apple.xbs/Sources/RemoteDeviceManagement/RemoteDeviceManag ement-904.29/Compiled/scep_helper/main.m:445): "'((SCEPRequestChallengePassword(session, (__bridge CFStringRef)userName, (__bridge CFStringRef)password, (__bridge CFDictionaryRef)requestDict, &challenge)))' error -50">

USERINFO: {

NSLocalizedDescription = "Carbon error -50";

}

[4;31mBACKTRACE: [0m

[0;31m? | ? | 103743e6b

? | ? | 103749a4e

? | ? | 10374abd9

? | ? | 1037494cd

? | ? | 7fffb881e187

? | ? | 1037420c8

? | ? | 7fffb86f7255

? | ? | 1

[0;37m-[LogFormatter toString] generation time: [1;37m0.001319s [0m [0m [0m

0:: [34630] [2017/02/28 12:16:28.014] SCEPHELPERS_GetSCEPChallenge: Caught exception NSString *GetChallengeFromSCEP(NSString *__strong, NSString *__strong, NSString *__strong) (/Library/Caches/com.apple.xbs/Sources/RemoteDeviceManagement/RemoteDeviceManag ement-904.29/Compiled/scep_helper/main.m:445): "'((SCEPRequestChallengePassword(session, (__bridge CFStringRef)userName, (__bridge CFStringRef)password, (__bridge CFDictionaryRef)requestDict, &challenge)))' error -50"

2:: [34630] [2017/02/28 12:16:28.014] Completed ProcTxn 'scep_helper:0x000013' (0.193 seconds).

No active ProcTxns, we're eligible for termination.

Here is the issue from the PHP.log

0:: [5622] [2017/03/27 14:04:27.105] <10.139.135.32> EXCEPTION: 500 Internal Server Error - Could not retrieve SCEP challenge. at

#0 /Applications/Server.app/Contents/ServerRoot/usr/share/devicemgr/backend/php/ot a_service_common.php(47): DieInternalError('Could not retri...')

#1 /Applications/Server.app/Contents/ServerRoot/usr/share/devicemgr/backend/php/md m_enroll.php(78): GenerateMDMBindingProfile(8191, '56E4659E-07AD-4...')

I believe this is my issue, below is a line from

/Applications/Server.app/Contents/ServerRoot/usr/share/devicemgr/backend/php/ota _service_common.php

LINE 47 + more, from ota_service_common.php below:

$raw_root_cert = _getScepRootCert($od_master);

if (empty($raw_root_cert)) DieInternalError('Could not retrieve root certificate from open directory server.');

The error is above. 'Could not retrieve root certificate from open directory server.' But why is anyones guess.

Back from the brink!!

Devices will enroll again, Woo!!🙂😁

No wiping PM, no re-installing OD,

Just don't ask me how I did it... 😟

There was a lot of moving server.app to the trash, re-installing. A lot of making sure certificates were trusted in keychain. Deleting entries in proxy etc.

I eventually emailed the three main certs to an iPad, and installing them that way on an iPad, I then installed the enrolment profile, and it installed.

So I thought, installing the certs manually may have fixed it, but then I installed the enrolment profile (the original I might add) on another iPad and that worked. Then did via AC2, worked. Tried enrolling a Mac, worked.

I believe there may have just been a simple trust issue or a problem with the DNS, but as I mentioned in an earlier post, there were no problems with certs etc, I had renewed them on time.

The lesson to all... don't just wipe and re-install when nothing has gone wrong. Stick it out and try to resolve it.

If you have mucked around with host names after installing PM's you're asking for trouble, that didn't happen this time, that is why I stuck it out.

Just tried that

tail -f /Library/Logs/apsd.log: No such file or directory

How do I make blank log file in MacOS?

I think the most recent sever.app update fixed this issue.

Having issues? And you never touched your Certs? Try updating server.app.