[Bug]: Get a certificate via SCEP fails with: scep post request failed: crypto/rsa: verification error #1723
Comments
@birdie1 what SCEP client are you using? I see it reports as We generally advise to use Seeing
Currently we are using the scepclient from https://github.com/micromdm/scep for testing purposes. We can access the SCEP endpoint via http and https, but both give the same error. I removed Yes, the whole step ca config is under
👍
Looks OK too.
I would advise to use a different SCEP client for testing to reduce the number of moving parts. I've used the one you're using for testing too, and I've observed some non-compatible behavior with it (might be on the CA side; could also be client side), I think especially with renewals. Also see e.g. micromdm/scep#217, which is another case of something I observed while testing with Note that we've forked the MicroMDM repository to maintain the core
I tried sscep and the first time I got a certificate (like with micromdm as well). After that I again receive an error 500, but with a different error message.
sscep output:
Any ideas what is wrong there?
@birdie1 I believe I've seen that same behavior as well, although I don't find that specific error message in my notes. I think Based on the two different errors for the two SCEP clients, it seems it might be related to the SCEP client maybe using a wrong recipient public key. What is the actual SCEP client you're using / integrating with? Currently our CA is in use mostly with iOS, macOS and Windows clients, and for those the current (default) configuration options work well. It has to be noted that these generally request a fully new certificate, not using SCEP renewal, so maybe your problem is related to that? I may be able to try testing it with a client that's closer to your environment to see what's off. We'll be working on logging improvements in the coming weeks across our stack, so improvements in this area can be expected.
After creating a completely new key and CSR (with another CN as well) the error persists.
What do you mean by this? What can I change to use a valid recipient public key?
We want to use it for our certificate-based 802.1X network authentication. We use Ansible for Linux, baramundi for Windows and VMware AirWatch for our mobile devices. The SCEP we need for VMware AirWatch. For the others we can use scripts to provide the certificate with the step CLI over SSH.
I found at least one thing:
Sounds plausible. The decrypter certificate is the one used to encrypt the message against, and thus used as the recipient. Some clients may need explicit configuration of the recipient, or else might pick the wrong certificate to encrypt against. One of the reasons we added support for the decrypter configuration was to be able to (continue to) use EC keys for signing, but still support SCEP easily. Before we added support, one was required to configure an RSA intermediate (at least) or an RSA chain. In SCEP jargon the decrypter is also known as the registration authority, but we abstained from calling it like that in
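The recipient/decrypter relationship described in the comment above, as an added example that is not part of this issue and not code from step-ca, micromdm/scep or sscep. It builds a constructed chain in memory shaped like the one discussed (an EC intermediate used for signing plus a separate RSA decrypter), selects the recipient the way RFC 8894 describes it (an RSA certificate carrying keyEncipherment; this selection rule is a simplified assumption, not any real client's logic), and shows that only the private key matching the selected certificate can unwrap the content-encryption key, while a stale, unrelated RSA key cannot. Real SCEP wraps that key inside PKCS#7 EnvelopedData; this stdlib-only example reduces the exchange to the bare RSA key-transport step. All certificate names are invented fixtures.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err) // fixture setup only; constructed data should never fail
	}
}

// selfSigned builds a throw-away self-signed certificate (constructed fixture, not a real CA).
func selfSigned(cn string, pub, priv any, usage x509.KeyUsage) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     usage,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert
}

// selectRecipient picks, from the certificates GetCACert returns, the one to encrypt the
// pkcsPKIEnvelope to. SCEP uses RSA key transport, so the recipient must hold an RSA key,
// and RFC 8894 expects it to carry keyEncipherment (a simplified rule assumed here).
func selectRecipient(chain []*x509.Certificate) (*x509.Certificate, error) {
	for _, c := range chain {
		if _, ok := c.PublicKey.(*rsa.PublicKey); !ok || (c.KeyUsage != 0 && c.KeyUsage&x509.KeyUsageKeyEncipherment == 0) {
			continue // EC signing certificates and RSA certificates without keyEncipherment are skipped
		}
		return c, nil
	}
	return nil, errors.New("no RSA certificate with keyEncipherment in the CA chain")
}

// wrapKey is the client side of key transport: RSA PKCS#1 v1.5 encrypts the content-encryption key.
func wrapKey(recipient *x509.Certificate, cek []byte) ([]byte, error) {
	pub, ok := recipient.PublicKey.(*rsa.PublicKey)
	if !ok {
		return nil, errors.New("recipient certificate does not hold an RSA key")
	}
	return rsa.EncryptPKCS1v15(rand.Reader, pub, cek)
}

// Result records what the round trip shows.
type Result struct {
	RecipientCN string // certificate the client selected as recipient
	RightKeyOK  bool   // the CA's decrypter key recovers the CEK
	WrongKeyOK  bool   // a stale, unrelated RSA key recovers the CEK (must be false)
	NoDecrypter bool   // an EC-only chain leaves the client with no recipient at all
}

// Demo builds a chain like the one in this issue (EC intermediate for signing plus a
// separate RSA decrypter) and runs the key-transport round trip against it.
func Demo() Result {
	ecKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	signing := selfSigned("Example Intermediate CA (EC)", &ecKey.PublicKey, ecKey, x509.KeyUsageCertSign|x509.KeyUsageDigitalSignature)
	decKey, err := rsa.GenerateKey(rand.Reader, 2048)
	check(err)
	decrypter := selfSigned("Example SCEP Decrypter (RSA)", &decKey.PublicKey, decKey, x509.KeyUsageKeyEncipherment)
	staleKey, err := rsa.GenerateKey(rand.Reader, 2048) // e.g. an old decrypter key a client still has cached
	check(err)
	_, err = selectRecipient([]*x509.Certificate{signing}) // the state before a decrypter was configured
	r := Result{NoDecrypter: err != nil}
	rcpt, err := selectRecipient([]*x509.Certificate{signing, decrypter})
	check(err)
	r.RecipientCN = rcpt.Subject.CommonName
	cek := make([]byte, 32)
	_, err = rand.Read(cek)
	check(err)
	wrapped, err := wrapKey(rcpt, cek)
	check(err)
	// CA side: unwrapping only succeeds with the private key matching the recipient certificate.
	got, err := rsa.DecryptPKCS1v15(rand.Reader, decKey, wrapped)
	r.RightKeyOK = err == nil && string(got) == string(cek)
	got, err = rsa.DecryptPKCS1v15(rand.Reader, staleKey, wrapped)
	r.WrongKeyOK = err == nil && string(got) == string(cek)
	return r
}

func main() {
	fmt.Printf("%+v\n", Demo())
}
```

The practical check this encodes: dump the certificates your client receives from GetCACert and confirm the one it encrypts against is the RSA decrypter you configured on the provisioner, not the EC signing intermediate and not a certificate left over from an earlier configuration; a message encrypted to any other key cannot be opened by the CA.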
Steps to Reproduce
We set up our step-ca a few days ago. After setting it up it was possible to get certificates via SCEP. Today I tried it again and it is not possible anymore.
After that I found this message at startup: 2024/02/19 13:06:36 failed validating SCEP authority: SCEP provisioner "802.1x" does not have a decrypter certificate
I added a decrypter certificate to my config (thanks to bug report #1560). This message is gone, but the SCEP error is still there.
I tried setting the environment variable STEPDEBUG=1, but the output of step-ca still only shows the error without any debug information.
Your Environment
step-ca
Version - 0.25.2 and 0.25.3-rc5-36-gbb296c9d
Expected Behavior
Get a certificate via SCEP.
Actual Behavior
Error: scep post request failed: crypto/rsa: verification error
Additional Context
Config:
Log Output: