micromdm / scep

Go SCEP server
MIT License

Enrollment from CISCO Router #211

Open ilke42 opened 1 year ago

ilke42 commented 1 year ago

Has anybody tried to enroll from a CISCO router? On the router I get:

% Error in receiving Certificate Authority certificate: status = FAIL, cert length = 0
% Failed to authenticate the Certificate Authority

With debug enabled on both sides I don't get anything more.

ilke42 commented 1 year ago

Test-Router(cs-server)#
Dec 1 18:49:51.643: CRYPTO_CS: enter FSM: input state disabled, input signal no shut
Dec 1 18:49:51.643: CRYPTO_CS: SCEP server stopped
Dec 1 18:49:51.643: CRYPTO_CS: starting enabling checks
Dec 1 18:49:51.643: CRYPTO_CS: nvram filesystem
Dec 1 18:49:51.661: CRYPTO_CS: file opened: nvram:Test-Router.ser
Dec 1 18:49:51.662: CRYPTO_CS: closed ser file
Dec 1 18:49:51.662: CRYPTO_CS: found existing serial file.
Dec 1 18:49:51.662: CRYPTO_CS: authenticating the CA 'Test-Router'
Dec 1 18:49:51.662: All expired database files are deleted.
Dec 1 18:49:51.662: CRYPTO_PKI_SCEP: Client sending GetCACert request
Dec 1 18:49:51.662: CRYPTO_PKI: Sending CA Certificate Request:
GET /scep:8081/pkiclient.exe?operation=GetCACert&message=Test-Router HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Cisco PKI)
Host: 10.1.100.100

Dec 1 18:49:51.662: CRYPTO_PKI: locked trustpoint Test-Router, refcount is 1
Dec 1 18:49:51.662: CRYPTO_PKI: http connection opened
Dec 1 18:49:51.662: CRYPTO_PKI: Sending HTTP message

Dec 1 18:49:51.662: CRYPTO_PKI: Reply HTTP header:
HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Cisco PKI)
Host: 10.1.100.100

Dec 1 18:49:51.663: %PKI-3-SOCKETSEND: Failed to send out message to CA server.
Dec 1 18:49:51.663: CRYPTO_PKI: unlocked trustpoint Test-Router, refcount is 0
Dec 1 18:49:51.663: CRYPTO_PKI: status = 65535: failed to send out the pki message
Dec 1 18:49:51.663: CRYPTO_PKI: ca_req_context already freed
Dec 1 18:49:51.663: CRYPTO_PKI: transaction CRYPTO_REQ_CA_CERT completed
Dec 1 18:49:51.663: CRYPTO_CS: exit FSM: new state check failed
Dec 1 18:49:51.663: CRYPTO_CS: cs config has been locked

klubi commented 1 year ago

GET /scep:8081/pkiclient.exe?operation=GetCACert&message=Test-Router HTTP/1.0

The pkiclient.exe part of the URL looks odd... Is this something you have configured on the router? I believe that if you were able to change that, so it's /scep:8081/scep?operation=GetCACert&message=Test-Router HTTP/1.0, then it would work.

Do you have scep-server logs?

ilke42 commented 1 year ago

On the router I tried different settings, for example: enrollment url http://X.X.X.X:8081/scep/scepoperation=GetCACert=SubCA6

And I still get:

Dec 15 12:02:52.811: CRYPTO_PKI: Sending CA Certificate Request:
GET /scep/pkiclient.exe?operation=GetCACert&message=SubCA6 HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Cisco PKI)

When I browse for http://X.X.X.X:8081/scep I get operation not implemented, which means the web server is accessible.

Obviously the router adds pkiclient.exe? part, per description here: https://www.cisco.com/c/en/us/support/docs/security-vpn/public-key-infrastructure-pki/116167-technote-scep-00.html

Does this mean the Debian micromdm/scep server could not be used because I can't change that part?

I can't find scep server logs; even with the -debug enable -log-json command, I don't see any log files.

klubi commented 1 year ago

I'm afraid so. Exe file won't be available for you, so unless that can be changed, I don't have good news.

petarov commented 1 year ago

@ilke42 An option would be to use Nginx or something else to overwrite /scep/pkiclient.exe as /scep and then direct it to the SCEP server.

ilke42 commented 1 year ago

@petarov Yes, that is good idea, thank you. If I start the LAB again I will definitely try it.