Closed ishackigozi closed 2 years ago
sscep: pkistatus: FAILURE sscep: reason: Transaction not permitted or supported sscep: illegal size of payload
Can someone please help me understand why the enrollment process is failing? It was working previously.
Hello. Could you please provide more debugging information:
-v
or -d
to provide more output?
root@SRA1501000133:/tmp/corp# cat openssl.cnf
[req]
prompt = no
string_mask=nombstr
distinguished_name = req_distinguished_name
attributes=req_attributes
[req_attributes]
challengePassword=217E35D175
[req_distinguished_name]
OU=SRA
CN=xxxxxxxx
[ x509v3_EXT ]
subjectAltName=DNS:xxxxxx
sudo sscep enroll -v -u "http://xxxxxxxx/certsrv/mscep/mscep.dll/pkiclient.exe" -c CA.cert-0 -e CA.cert-1 -k local.key -r local.csr -l local.cert
sscep: starting sscep, version 0.10.0
sscep: new transaction
sscep: transaction id: D41D8CD98F00B204E9800998ECF8427E
sscep: hostname: xxxxxxxxx
sscep: directory: certsrv/mscep/mscep.dll/pkiclient.exe
sscep: port: 80
sscep: SCEP_OPERATION_GETCAPS
sscep: connecting to xxxxxxxx:80
sscep: server response status code: 200, MIME header: text/plain
POSTPKIOperation
Renewal
SHA-512
SHA-256
SHA-1
DES3
sscep: Read request with transaction id: A6DE68F0A0A7486F312F06A70D87B234
sscep: generating selfsigned certificate
sscep: requesting certificate with serial number 0 and issuer xxxxxxxxxx
sscep: SCEP_OPERATION_ENROLL
sscep: sending certificate request
sscep: request data dump
-----BEGIN CERTIFICATE REQUEST-----
MIIC7zCCAdcCAQAwRTEMMAoGA1UECxMDU1JBMTUwMwYDVQQDEyxTUkExNTAxMDAw
MTMzLm5hLmNvcnAuc2Ftc3VuZ2VsZWN0cm9uaWNzLm5ldDCCASIwDQYJKoZIhvcN
AQEBBQADggEPADCCAQoCggEBAJ0/ZSaiMvIqop2LeaiksKG2GU2JJjkyb5g+IgIc
cPzO9qH9g737bAFrq65N/bW8+w/5boUZTo907jUy6RFFUrliUc2b6/oVr/+jfKvA
6KpjmcykKQpfZk0EN3s4vUtAvjEZuulQ+vBAphJr2OqprCuY4Ws/+t8JbJO7baLe
QvrTb0qvcYgaixxZtU4b2LueqGBozsC/qFCvmaBVQDLD4bLiIZgswoHx8CaSZksn
2uwA2HI66Rqh6oJmul9mI4W7w9dtkG0W7lclaSM8Em78tyaMa06WJQj3kX8wVtuq
X+QUK9e8FfFJKLCcWULpQWPZKXatvM/lSRRPQhClj9nxwYECAwEAAaBlMBkGCSqG
SIb3DQEJBzEMEwoyMTdFMzVEMTc1MEgGCSqGSIb3DQEJDjE7MDkwNwYDVR0RBDAw
LoIsU1JBMTUwMTAwMDEzMy5uYS5jb3JwLnNhbXN1bmdlbGVjdHJvbmljcy5uZXQw
DQYJKoZIhvcNAQELBQADggEBAHST/6F1C89k4mepM/YnvlpWieqNLAX6liv+91+k
aN31eZp8jh2XgmmOaeQIxa1lOYfD8pw3ZXKBDzAfNmz20Leltw8K8G3hywDgi6kf
JwNqQadiVmZabBL2tjHoIXhDe3BcsOgk6mUeqJFPjD9oWsptylqIVxgJYe1NSPnK
qazi4KPY+QeWOM3PVeQHeiXY8aa2ICkaV1fJ2biH/eSiqbH2HPa0dP02ckacwrrd
ixwaV90H/xU+Q9DZuVJu1l7qYwcFYwabvQgmsBCB7SO9QKXNo7E8wMQl214psOaJ
lTegNzM2zfaj5wOevD0dvswrLXNxXlQovTrFGhEDmFxgUKQ=
-----END CERTIFICATE REQUEST-----
sscep: data payload size: 755 bytes
sscep: successfully encrypted payload
sscep: envelope size: 1262 bytes
sscep: creating outer PKCS#7
sscep: PKCS#7 data written successfully
sscep: payload size: 2790 bytes
sscep: connecting to xxxxxxxxxxxxxxx:80
sscep: server response status code: 200, MIME header: application/x-pki-message
sscep: valid response from server
sscep: reading outer PKCS#7
sscep: PKCS#7 payload size: 1033 bytes
sscep: PKCS#7 contains 1 bytes of enveloped data
sscep: verifying signature
sscep: signature ok
sscep: reply transaction id: A6DE68F0A0A7486F312F06A70D87B234
sscep: reply message type is good
sscep: senderNonce in reply: 4D906C1C406DF347BCE2C83C2F1A1592
sscep: recipientNonce in reply: 3F76EB1E00F35F3B8359BDA223C8EF8B
sscep: pkistatus: FAILURE
sscep: reason: Transaction not permitted or supported
sscep: illegal size of payload
Above is the openssl.conf. The only thing that fails is the enrollment portion. sscep enroll -v -u "http://xxxxxxxx/certsrv/mscep/mscep.dll/pkiclient.exe" -c CA.cert-0 -e CA.cert-1 -k local.key -r local.csr -l local.cert
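Editor's note on the log above: "Transaction not permitted or supported" is the text sscep prints for the SCEP failInfo value badRequest (2). The CA sends that code without saying what it objected to, so the client side can only confirm that the request it sent was well formed. The most common thing an NDES server checks in the CSR is the challengePassword attribute, and the CSR is fully present in the verbose dump, so it can be inspected offline. The following is an added example, not part of this thread or of the sscep project: a stdlib-only DER walker that extracts the PKCS#10 attributes from that exact CSR and returns the challenge password. It assumes the dump is valid DER as posted and parses only the structure it needs (version, subject, SPKI, then the [0] attributes set).

```python
import base64

# CSR copied from the sscep verbose log posted earlier in this thread.
CSR_PEM = """\
-----BEGIN CERTIFICATE REQUEST-----
MIIC7zCCAdcCAQAwRTEMMAoGA1UECxMDU1JBMTUwMwYDVQQDEyxTUkExNTAxMDAw
MTMzLm5hLmNvcnAuc2Ftc3VuZ2VsZWN0cm9uaWNzLm5ldDCCASIwDQYJKoZIhvcN
AQEBBQADggEPADCCAQoCggEBAJ0/ZSaiMvIqop2LeaiksKG2GU2JJjkyb5g+IgIc
cPzO9qH9g737bAFrq65N/bW8+w/5boUZTo907jUy6RFFUrliUc2b6/oVr/+jfKvA
6KpjmcykKQpfZk0EN3s4vUtAvjEZuulQ+vBAphJr2OqprCuY4Ws/+t8JbJO7baLe
QvrTb0qvcYgaixxZtU4b2LueqGBozsC/qFCvmaBVQDLD4bLiIZgswoHx8CaSZksn
2uwA2HI66Rqh6oJmul9mI4W7w9dtkG0W7lclaSM8Em78tyaMa06WJQj3kX8wVtuq
X+QUK9e8FfFJKLCcWULpQWPZKXatvM/lSRRPQhClj9nxwYECAwEAAaBlMBkGCSqG
SIb3DQEJBzEMEwoyMTdFMzVEMTc1MEgGCSqGSIb3DQEJDjE7MDkwNwYDVR0RBDAw
LoIsU1JBMTUwMTAwMDEzMy5uYS5jb3JwLnNhbXN1bmdlbGVjdHJvbmljcy5uZXQw
DQYJKoZIhvcNAQELBQADggEBAHST/6F1C89k4mepM/YnvlpWieqNLAX6liv+91+k
aN31eZp8jh2XgmmOaeQIxa1lOYfD8pw3ZXKBDzAfNmz20Leltw8K8G3hywDgi6kf
JwNqQadiVmZabBL2tjHoIXhDe3BcsOgk6mUeqJFPjD9oWsptylqIVxgJYe1NSPnK
qazi4KPY+QeWOM3PVeQHeiXY8aa2ICkaV1fJ2biH/eSiqbH2HPa0dP02ckacwrrd
ixwaV90H/xU+Q9DZuVJu1l7qYwcFYwabvQgmsBCB7SO9QKXNo7E8wMQl214psOaJ
lTegNzM2zfaj5wOevD0dvswrLXNxXlQovTrFGhEDmFxgUKQ=
-----END CERTIFICATE REQUEST-----
"""

OID_CHALLENGE_PASSWORD = "1.2.840.113549.1.9.7"   # PKCS#9 challengePassword
OID_EXTENSION_REQUEST = "1.2.840.113549.1.9.14"   # PKCS#9 extensionRequest


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Yield (tag, value) for each element directly inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = _read_tlv(value, pos)
        yield tag, inner


def _decode_oid(value):
    parts = [str(value[0] // 40), str(value[0] % 40)]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(acc))
            acc = 0
    return ".".join(parts)


def csr_attributes(pem):
    """Map attribute OID -> raw DER of its SET OF values, from a PKCS#10 CSR."""
    b64 = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    der = base64.b64decode(b64)
    _, csr, _ = _read_tlv(der, 0)          # CertificationRequest
    _, info, _ = _read_tlv(csr, 0)         # CertificationRequestInfo
    attrs = {}
    for tag, attr_set in _children(info):  # version, subject, spki, [0] attributes
        if tag != 0xA0:
            continue
        for _, attr in _children(attr_set):          # Attribute ::= SEQ { OID, SET OF }
            (_, oid), (_, values) = list(_children(attr))[:2]
            attrs[_decode_oid(oid)] = values
    return attrs


def challenge_password(pem):
    """Return the challengePassword string, or None if the CSR carries none."""
    raw = csr_attributes(pem).get(OID_CHALLENGE_PASSWORD)
    if raw is None:
        return None
    _, value = next(_children(raw))        # single PrintableString/UTF8String
    return value.decode("ascii")


if __name__ == "__main__":
    print("challengePassword:", challenge_password(CSR_PEM))
    print("extensionRequest present:", OID_EXTENSION_REQUEST in csr_attributes(CSR_PEM))
```

Run against the dump, it returns the same value that openssl.cnf sets (217E35D175) and confirms the extensionRequest attribute carrying the subjectAltName is there, so the CSR itself is structurally what NDES expects; a badRequest at that point is decided by server-side state (for example whether that password is still valid for that CA), which only the CA's logs can show.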
And do you have logs from the server, too? This is a server-generated error, so the server may provide more information about what went wrong.
Hello, thanks for the response. I have reached out to the team that maintains the server and am waiting for the logs.
root@1501000133:/tmp/corp# bash -x corpCertCreate.sh
sscep: found certificate with
  subject: /C=xx/L=xx/O=xx/CN=xx
  issuer: /DC=xx/DC=xx/DC=xx/CN=xx
  basic constraints: (not included)
  usage: Digital Signature
  SHA512 fingerprint: E5:E5:9A:8D:CB:C3:EE:77:1F:5F:81:28:D4:07:B5:65:61:40:0D:59:8E:88:32:2A:6F:EE:CC:A6:80:84:4A:F6:B:55:A2:09:C5:61:78:2A:2B:7B:8F:76:DB:D9:1C
sscep: certificate written as CA.cert-0
sscep: found certificate with
  subject: /xx/L=xx/O=xx/CN=xx
  issuer: /DC=xx/DC=xx/DC=xx/CN=xx
  basic constraints: (not included)
  usage: Key Encipherment
  SHA512 fingerprint: D0:42:4C:63:D9:A2:A1:5F:C6:F5:D4:EA:DB:B7:CB:B0:CD:21:EF:07:82:21:C3:5F:63:6D:D7:23:57:3D:91:EE:D:34:84:CF:09:C7:A4:B3:2A:69:3E:02:DC:A1:D5
sscep: certificate written as CA.cert-1
sscep: found certificate with
  subject: /CN=xxxxxxx
  issuer: /CN=xxxxxxxxx
  basic constraints: CA:TRUE
  usage: Digital Signature, Certificate Sign, CRL Sign
  SHA512 fingerprint: 50:5A:03:85:5D:C0:74:D9:65:4E:84:87:34:0F:11:07:B0:9D:25:5F:8F:C9:40:EC:92:A0:F5:4F:7A:AC:70:C4:C:DB:55:C8:9C:A8:28:01:C7:10:B4:2B:95:EC:34
sscep: certificate written as CA.cert-2
sscep: found certificate with
  subject: /DC=xx/DC=xx/DC=xx/CN=xxx
  issuer: /CN=xxx
  basic constraints: CA:TRUE
  usage: Digital Signature, Certificate Sign, CRL Sign
  SHA512 fingerprint: D4:86:FE:9B:E4:4D:B8:B5:5B:27:5C:43:E8:E5:10:38:E1:1B:EF:33:F6:77:2A:97:1E:10:85:5E:22:2B:A6:F1:7:A9:85:9F:09:BA:8E:85:FB:AF:8E:72:A7:7B:02
sscep: certificate written as CA.cert-3
That is the detailed log from the client. Unfortunately, I have not got anything yet from the server team.
Let's wait for the server team then. There is not much we can do without the server logs.
Hello, I have received the server logs today.
2022-03-28 21:51:28 10.40.87.82 GET /certsrv/mscep/mscep.dll/pkiclient.exe operation=GetCACert&message=CAIdentifier 80 - 105.165.69.22 - - 200 0 0 177 --
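Editor's note on the server log above: the single IIS line that was returned records only a GET for operation=GetCACert. The enrollment that fails is the PKIOperation step, which sscep sends as a POST (the GetCACaps reply above advertises POSTPKIOperation), so a useful server-side log excerpt has to cover that request too. Note also that NDES answers a rejected enrollment with HTTP 200 and a signed pkiMessage carrying pkistatus FAILURE (exactly what the client log shows), so the IIS access log will not expose the failInfo; it only tells you whether the POST arrived and how it was served. The following is an added example, not part of this thread: a small parser for IIS W3C access-log lines that tallies SCEP operations hitting pkiclient.exe and reports whether any PKIOperation POST is present. It assumes the default IIS W3C field order (the posted line fits it); the first sample line is the one from the thread, the other two are constructed to show what a complete exchange looks like.

```python
from collections import defaultdict
from urllib.parse import parse_qs

# Default IIS W3C field order (assumption: the server's logging is not customised).
FIELDS = ["date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query",
          "s-port", "cs-username", "c-ip", "cs(User-Agent)", "cs(Referer)",
          "sc-status", "sc-substatus", "sc-win32-status", "time-taken"]

# Line 1 is the one posted in the thread; lines 2 and 3 are constructed examples.
SAMPLE_LOG = """\
2022-03-28 21:51:28 10.40.87.82 GET /certsrv/mscep/mscep.dll/pkiclient.exe operation=GetCACert&message=CAIdentifier 80 - 105.165.69.22 - - 200 0 0 177
2022-03-28 21:51:29 10.40.87.82 GET /certsrv/mscep/mscep.dll/pkiclient.exe operation=GetCACaps&message=CAIdentifier 80 - 105.165.69.22 - - 200 0 0 15
2022-03-28 21:51:30 10.40.87.82 POST /certsrv/mscep/mscep.dll/pkiclient.exe operation=PKIOperation 80 - 105.165.69.22 - - 200 0 0 410
"""


def parse_scep_requests(text):
    """Return the SCEP requests (dicts keyed by FIELDS plus 'operation') in an IIS log."""
    rows = []
    for line in text.splitlines():
        if not line or line.startswith("#"):         # skip blanks and #Fields/#Date headers
            continue
        parts = line.split(" ")
        if len(parts) != len(FIELDS):                # not the field layout we assume
            continue
        row = dict(zip(FIELDS, parts))
        if not row["cs-uri-stem"].lower().endswith("pkiclient.exe"):
            continue
        query = parse_qs(row["cs-uri-query"])
        row["operation"] = query.get("operation", ["?"])[0]
        rows.append(row)
    return rows


def summarize(rows):
    """Count requests per (method, SCEP operation, HTTP status)."""
    counts = defaultdict(int)
    for r in rows:
        counts[(r["cs-method"], r["operation"], r["sc-status"])] += 1
    return dict(counts)


def saw_pkioperation(rows):
    """True if the excerpt contains the enrollment POST at all."""
    return any(r["cs-method"] == "POST" and r["operation"] == "PKIOperation" for r in rows)


if __name__ == "__main__":
    rows = parse_scep_requests(SAMPLE_LOG)
    for key, n in sorted(summarize(rows).items()):
        print(key, n)
    print("PKIOperation POST present:", saw_pkioperation(rows))
    # The thread's log excerpt alone contains no PKIOperation at all:
    print("thread excerpt only:", saw_pkioperation(parse_scep_requests(SAMPLE_LOG.splitlines()[0])))
```

Fed only the line from the thread, saw_pkioperation returns False; the request that actually fails never appears in that excerpt. Ask the server team for the lines around the failing POST plus the NDES/CA event log entries for the same transaction, since the failInfo reason lives there and not in the IIS access log.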
Hello, I am having issues enrolling a certificate. I get the error below.
sscep: data payload size: 755 bytes
sscep: successfully encrypted payload
sscep: envelope size: 1262 bytes
sscep: creating outer PKCS#7
sscep: PKCS#7 data written successfully
sscep: payload size: 2790 bytes
sscep: connecting to xxxxxxx:80
sscep: server response status code: 200, MIME header: application/x-pki-message
sscep: valid response from server
sscep: reading outer PKCS#7
sscep: PKCS#7 payload size: 1033 bytes
sscep: PKCS#7 contains 1 bytes of enveloped data
sscep: verifying signature
sscep: signature ok
sscep: reply transaction id: 5C4E9F9BC67E4BE960D7362E2454A01F
sscep: reply message type is good
sscep: senderNonce in reply: F41AF4E53EF6AA4D965A3D0899914972
sscep: recipientNonce in reply: D035CAA8DC187607524BBF44FD6350C6
sscep: pkistatus: FAILURE
sscep: reason: Transaction not permitted or supported
sscep: illegal size of payload
Any ideas why this could be happening? Before, it was working; now it is not.