herbfalkmi commented 7 months ago

The GO SCEP Server complains that it can't decrypt the PKC7 payload.

Here is a decode of the CMS information (minus being decrypted).

ContentInfo SEQUENCE (2 elem) contentType ContentType OBJECT IDENTIFIER 1.2.840.113549.1.7.3 envelopedData (PKCS #7) content [0] (1 elem) EnvelopedData SEQUENCE (3 elem) version CMSVersion INTEGER 0 recipientInfos RecipientInfos SET (1 elem) RecipientInfo SEQUENCE (4 elem) version CMSVersion INTEGER 0 rid RecipientIdentifier SEQUENCE (2 elem) issuer Name SEQUENCE (4 elem) RelativeDistinguishedName SET (1 elem) AttributeTypeAndValue SEQUENCE (2 elem) type AttributeType OBJECT IDENTIFIER 2.5.4.6 countryName (X.520 DN component) value AttributeValue [?] PrintableString US RelativeDistinguishedName SET (1 elem) AttributeTypeAndValue SEQUENCE (2 elem) type AttributeType OBJECT IDENTIFIER 2.5.4.10 organizationName (X.520 DN component) value AttributeValue [?] PrintableString scep-ca RelativeDistinguishedName SET (1 elem) AttributeTypeAndValue SEQUENCE (2 elem) type AttributeType OBJECT IDENTIFIER 2.5.4.11 organizationalUnitName (X.520 DN component) value AttributeValue [?] PrintableString SCEP CA RelativeDistinguishedName SET (1 elem) AttributeTypeAndValue SEQUENCE (2 elem) type AttributeType OBJECT IDENTIFIER 2.5.4.3 commonName (X.520 DN component) value AttributeValue [?] PrintableString MICROMDM SCEP CA serialNumber CertificateSerialNumber INTEGER 1 keyEncryptionAlgorithm KeyEncryptionAlgorithmIdentifier SEQUENCE (2 elem) algorithm OBJECT IDENTIFIER 1.2.840.113549.1.1.1 rsaEncryption (PKCS #1) parameters ANY NULL encryptedKey EncryptedKey OCTET STRING (256 byte) 3DFA635EF5C92385CBBAEA03366AB54613C7523A814A7C7071DC62FAB1F01B72458A6… encryptedContentInfo EncryptedContentInfo SEQUENCE (3 elem) contentType ContentType OBJECT IDENTIFIER 1.2.840.113549.1.7.6 encryptedData (PKCS #7) contentEncryptionAlgorithm ContentEncryptionAlgorithmIdentifier SEQUENCE (2 elem) algorithm OBJECT IDENTIFIER 2.16.840.1.101.3.4.1.42 aes256-CBC (NIST Algorithm) parameters ANY OCTET STRING (16 byte) 11554D0A8B54B7E9357979080E0701B8 EncryptedContent [?] [0] (752 byte) 091B26A6F56E0546D302610A13EE597C739733F9B4D05DCC1B0E18390D250E09F4540…

Any Ideas?

jessepeterson commented 7 months ago

Which version are you using? Can you try 0.2.1 if you're using the newest 0.2.2? Thanks!

herbfalkmi commented 7 months ago

I tried 0.2.1 (was previously using 0.2.2). It is still complaining.

C:\goscep>scepserver-windows-amd64 -port "5004" -log-json -debug "enable" -allowrenew "0"

{"address":":5004","caller":"scepserver.go:159","level":"info","msg":"listening","transport":"http","ts":"2023-12-04T19:59:41.173741Z"}

{"caller":"service_logging.go:22","component":"scep_service","err":null,"level":"info","method":"GetCACaps","took":"0s","ts":"2023-12-04T19:59:52.5210714Z"}

{"caller":"endpoint.go:186","error":null,"level":"info","op":"GetCACaps","took":"319.7µs","ts":"2023-12-04T19:59:52.5213911Z"}

{"caller":"logutil.go:70","component":"http","host":"127.0.0.1","level":"info","method":"GET","path":"/scep?operation=GetCACaps","proto":"HTTP/1.1","status":200,"ts":"2023-12-04T19:59:52.5213911Z","user_agent":""}

{"caller":"service_logging.go:34","component":"scep_service","err":null,"level":"info","message":"ignored","method":"GetCACert","took":"0s","ts":"2023-12-04T19:59:52.7001524Z"}

{"caller":"endpoint.go:186","error":null,"level":"info","op":"GetCACert","took":"751.3µs","ts":"2023-12-04T19:59:52.7009037Z"}

{"caller":"logutil.go:70","component":"http","host":"127.0.0.1","level":"info","method":"GET","path":"/scep?operation=GetCACert\u0026message=ignored","proto":"HTTP/1.1","status":200,"ts":"2023-12-04T19:59:52.7016148Z","user_agent":""}

{"caller":"service_logging.go:47","component":"scep_service","err":"pkcs7: cannot decrypt data: only RSA, DES, DES-EDE3, AES-256-CBC and AES-128-GCM supported","level":"info","method":"PKIOperation","took":"1.4114ms","ts":"2023-12-04T20:00:01.6054969Z"}

{"caller":"endpoint.go:186","error":null,"level":"info","op":"PKIOperation","took":"1.4968ms","ts":"2023-12-04T20:00:01.6055823Z"}

{"caller":"logutil.go:70","component":"http","host":"127.0.0.1","level":"info","method":"GET","path":"/scep?operation=PKIOperation\u0026message=MIIKOAYJKoZIhvcNAQcCoIIKKTCCCiUCAQExDDAKBggqhkiG9w0CBTCCBMAGCSqGSIb3DQEHAaCCBLEEggStMIIEqQYJKoZIhvcNAQcDoIIEmjCCBJYCAQAxggFtMIIBaQIBADBRMEwxCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdzY2VwLWNhMRAwDgYDVQQLEwdTQ0VQIENBMRkwFwYDVQQDExBNSUNST01ETSBTQ0VQIENBAgEBMA0GCSqGSIb3DQEBAQUABIIBAI8wHEvdKnY%2FwMQvsPak%2Fqi3hYzV1ytCr94vCztVbt%2BnqnrXXs%2Bz0pcZ8oYkDdgWXtetbY7cmHjcnpAITvEpBkZAoAU4jDC7PAZzXDHAyBknEaFtNkn%2FmeRl%2FXLHVfZWmjdZih16yqtJr43R3eBqfHvGuUb5ondaWoSU%2FJbnPi1TTPI4oPNuqlTXtp7DDuK97iGhsw065GoYfxz%2FrjO8B7rI%2FTTn7CWbOXQCK4fRFs4xz4oRznG6IL3z1YYU%2BVtk3DEEwbPaN4fa2YK6c5FrOoKULs9f1Ws25BVD92SEWZrPMDoxVrDO%2FVtjoTayex3UHyPEXGQwjmYEapWjQI%2FyNiMwggMeBgkqhkiG9w0BBwYwHQYJYIZIAWUDBAEqBBApa9%2FCjhYuYqPPZ3fMmFGdgIIC8GaVPim1CCB26OSQjZDiJzrMcnkkBcqjP1qu8L5QuvrnZ0K3SimowBhD7fipjWdIAQVNSUhq4xRx9DaCvlmbUtAtFrc0x3uCTbHViCacckTQKKV8%2F%2Fs3kDkQh0XxMUc5Iq%2BNzqdxmnJDYyStys%2Fj0QWp%2FBqjDtIGh3HSG2MFL3Vnbcc4NvF2USewtpHLNFH%2F7fs%2F8886LsLOf6UmX0UKaViwfE9mPDhClFuXC5NV8qWdq97BFZqliJOle%2F%2BnMNkOr1Ln1hvVbzitlmO3QDIUeBZuCT4QOlHkdalMG%2FjKJICqmDow3RxmpIQuZUq%2F4Tzvf1V8BIbUON8uEwV9WIezvFZM7u5Bo0AcSkAy4dk8ZYuv6zEwgVTry9uOScPUS%2FATnxQdZBe5VmxjWjZRO8miVFK72iy1StOQ5ZeZ8mFCLW55iKAJWG6xRe3YERa5G5hSqO7E5SSu15ZhhWmSTWP963rcQ75an%2FNpL7zNbEAomlYx9OKs8gpuKPqU9DixPpU4RAftc6dPRtmFczShWObyvDl3jUPYYWeIlMsnOC3pyKPBu7sjl0mimsminW8%2FvIukZByX8sXDUIScxS3cfNMMAy8Ff%2Bwv6HWTy88GYida87BFyXObXR8BpVPvLc14Kgct%2FS00aBSkIaENVMChFAWGTyF%2FwqNuaydTAtmgUkQVOkZ0yrxDVd7DedT97sWjumF6cCWbkqk5TqdZgoER9WU1cg82BbXRi9%2BppA8ndMkstEkwBtGWX%2BkN55ybTAtiAq4W5Pas7RrIMD601XDqGFq83xIT6Niv66GnkJdgUdkT8GJvkAkQhhKL7cNMcc0uhycfljvUMG1DWgZa86geVyOPONOqd3R%2FTg%2FnKylOpwoXTasdtvEywmLY8GSwMcQYHWQ8HvZcNLcAUMa%2BAcoFh50kUENdkabAOPF3dqYLVYTUU60lJWFy%2BD1n%2FZ5g2H1MoFdHZ%2BqLQmce9NpeKKlRzIoHL%2BOMxnkQIjkfUT5SsC3m%2FU3moIIDOzCCAzcwggIfoAMCAQICCBr3UPqcAwJ2MA0GCSqGSIb3DQEBCwUAMCkxJzAlBgNVBAMTHkdhcmliYWxkaSBXSU4tOUhFODk2VlNUVTUgZ2RvaTAeFw0yMzEyMDMxNjA1NTBaFw0zMzEyMDExNjA1NTBaMCkxJzAlBgNVBAMTHkdhcmliYWxkaSBXSU4tOUhFODk2VlNUVTUgZ2RvaTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM%2FwlF%2BPJ9Z8MGFFrs26%2FI9MKiUZjrlzaTvl%2Ba4PFaq4%2B8jTpCAk1hQwl62LzL4ScQVoqCevDGPR54ecdbCb0CCCsZ4bBudnFpUovzGRRC%2FrcTgQgnOaKLqkfM0DLFnL6XaIpNWZP4xrvjYWphzwm5F3Kv7ScE2cKRLknfL21LYzjr8f1A%2B1jFfUBg3sQdOLpgmK80cqLb3Vch%2FjgAGrMnzt4hg39H3OZi9VCKYSpZbP4JJw3%2Bw0o7f4Ih0bs5PFC4VxnSYlcGG8nXlNNOb7Q32Bcikw6lBT02Il7JdKcLH%2F2KKI5IP%2FMD%2Bpi0AQAqlrVQw5lETlapttyLhjhQ%2FJzykCAwEAAaNjMGEwCwYDVR0PBAQDAgO4MBMGA1UdJQQMMAoGCCsGAQUFBwMBMD0GA1UdEQQ2MDSHBH8AAAGHEAAAAAAAAAAAAAAAAAAAAAGCCWxvY2FsaG9zdIIPV0lOLTlIRTg5NlZTVFU1MA0GCSqGSIb3DQEBCwUAA4IBAQBbfnDrBQp0j7qZOzvmwMeJwFZsJIYu6wxYOL4sAI1Q16SGRVDjXvxQjX8GS4NsmoeB%2FHKYmc4wncboIz4xad8FB6uIzzYlziwHDhtHkLhyi%2BooXtaE0B58cGySoeNuna9bTGkCfa6B9%2FvCZDzNbwauYSrEhdj51tKHYFkrlNuUbpIjnovadlCT6c3EsYNdtZuGtU%2F2SpOEnx93E9huWeP4l32xYMoBKXd8%2Bi3I4wyJcaCL3PTLgRT%2Bzw13R6%2FmAjCKv1Q%2FW3igJrIl4tBBex2r7mybRd0ZAXc7NSEiISCY8AZFPcBfzjxZ%2Bx1BtyS%2BQsCntUaoIKf5nssA4BD5YVHZMYICDTCCAgkCAQEwNTApMScwJQYDVQQDEx5HYXJpYmFsZGkgV0lOLTlIRTg5NlZTVFU1IGdkb2kCCBr3UPqcAwJ2MAoGCCqGSIb3DQIFoIGvMBIGCmCGSAGG%2BEUBCQIxBBMCMTkwGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAfBgkqhkiG9w0BCQQxEgQQpbBktx53Eym2%2F%2BcagcyWuTAgBgpghkgBhvhFAQkFMRIEEOVCXExqooHIJ1jLmrdJhvMwPAYKYIZIAYb4RQEJBzEuEyx0alFoNzMzc3B4NC9UNW9ua2QyY1phNDQxTTNzUWh6aURGNkR5VW5wY2JZPTALBgkqhkiG9w0BAQEEggEAwwcwrZq3D9%2BhW9TUS2VGOQGQUUum60yo%2FNpkVjU7V%2Ffa%2Bglaj8DD8n%2BmFQSDNyp1UQnhdlj1iBK%2Badefi%2F1Iqu3abv7%2B7tkYIyUbdBCH5iA%2BRi34RbmqtugcZCPlD1GCXLuUj33SrYgQ1DDBpD5EnuUHa%2BylIuoSXI9u6jMp9vjRQe%2Fzx573zMmyc5duAZ1Vdsu6OAP5uUuj5f6fi1C40iY9qUXuoG9zkpbTMA8JLjuQWFUFrQwhNuwmROCVmUk7OiIhZLDQxb2IwP929W9Z4GMiJ9AXtYeSkbiPzKfnR73iJiWTXADZieuqLHvKauvyX1IpmFb2p2NjVODDBWIrUA%3D%3D","proto":"HTTP/1.1","status":500,"ts":"2023-12-04T20:00:01.6063806Z","user_agent":""}

From: Jesse Peterson @.> Sent: Monday, December 4, 2023 2:38 PM To: micromdm/scep @.> Cc: herbfalkmi @.>; Author @.> Subject: Re: [micromdm/scep] Custom SCEP Client works for NDES, not GO SCEP Server (Issue #224)

Which version are you using? Can you try 0.2.1 if you're using the beer est 0.2.2? Thanks!

— Reply to this email directly, view it on GitHub https://github.com/micromdm/scep/issues/224#issuecomment-1839348571 , or unsubscribe https://github.com/notifications/unsubscribe-auth/AIL4G4L3WHWVEVOJXKZJT73YHYRDHAVCNFSM6AAAAABAGQKGRSVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTQMZZGM2DQNJXGE . You are receiving this because you authored the thread. https://github.com/notifications/beacon/AIL4G4LJPNLM5JCAW6JQP2DYHYRDHA5CNFSM6AAAAABAGQKGRSWGG33NNVSW45C7OR4XAZNMJFZXG5LFINXW23LFNZ2KUY3PNVWWK3TUL5UWJTTNUI5VW.gif Message ID: @. @.> >

hslatman commented 7 months ago

Here's the P7 in a nicer format: https://lapo.it/asn1js/#MIIKOAYJKoZIhvcNAQcCoIIKKTCCCiUCAQExDDAKBggqhkiG9w0CBTCCBMAGCSqGSIb3DQEHAaCCBLEEggStMIIEqQYJKoZIhvcNAQcDoIIEmjCCBJYCAQAxggFtMIIBaQIBADBRMEwxCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdzY2VwLWNhMRAwDgYDVQQLEwdTQ0VQIENBMRkwFwYDVQQDExBNSUNST01ETSBTQ0VQIENBAgEBMA0GCSqGSIb3DQEBAQUABIIBAI8wHEvdKnY_wMQvsPak_qi3hYzV1ytCr94vCztVbt-nqnrXXs-z0pcZ8oYkDdgWXtetbY7cmHjcnpAITvEpBkZAoAU4jDC7PAZzXDHAyBknEaFtNkn_meRl_XLHVfZWmjdZih16yqtJr43R3eBqfHvGuUb5ondaWoSU_JbnPi1TTPI4oPNuqlTXtp7DDuK97iGhsw065GoYfxz_rjO8B7rI_TTn7CWbOXQCK4fRFs4xz4oRznG6IL3z1YYU-Vtk3DEEwbPaN4fa2YK6c5FrOoKULs9f1Ws25BVD92SEWZrPMDoxVrDO_VtjoTayex3UHyPEXGQwjmYEapWjQI_yNiMwggMeBgkqhkiG9w0BBwYwHQYJYIZIAWUDBAEqBBApa9_CjhYuYqPPZ3fMmFGdgIIC8GaVPim1CCB26OSQjZDiJzrMcnkkBcqjP1qu8L5QuvrnZ0K3SimowBhD7fipjWdIAQVNSUhq4xRx9DaCvlmbUtAtFrc0x3uCTbHViCacckTQKKV8__s3kDkQh0XxMUc5Iq-NzqdxmnJDYyStys_j0QWp_BqjDtIGh3HSG2MFL3Vnbcc4NvF2USewtpHLNFH_7fs_8886LsLOf6UmX0UKaViwfE9mPDhClFuXC5NV8qWdq97BFZqliJOle_-nMNkOr1Ln1hvVbzitlmO3QDIUeBZuCT4QOlHkdalMG_jKJICqmDow3RxmpIQuZUq_4Tzvf1V8BIbUON8uEwV9WIezvFZM7u5Bo0AcSkAy4dk8ZYuv6zEwgVTry9uOScPUS_ATnxQdZBe5VmxjWjZRO8miVFK72iy1StOQ5ZeZ8mFCLW55iKAJWG6xRe3YERa5G5hSqO7E5SSu15ZhhWmSTWP963rcQ75an_NpL7zNbEAomlYx9OKs8gpuKPqU9DixPpU4RAftc6dPRtmFczShWObyvDl3jUPYYWeIlMsnOC3pyKPBu7sjl0mimsminW8_vIukZByX8sXDUIScxS3cfNMMAy8Ff-wv6HWTy88GYida87BFyXObXR8BpVPvLc14Kgct_S00aBSkIaENVMChFAWGTyF_wqNuaydTAtmgUkQVOkZ0yrxDVd7DedT97sWjumF6cCWbkqk5TqdZgoER9WU1cg82BbXRi9-ppA8ndMkstEkwBtGWX-kN55ybTAtiAq4W5Pas7RrIMD601XDqGFq83xIT6Niv66GnkJdgUdkT8GJvkAkQhhKL7cNMcc0uhycfljvUMG1DWgZa86geVyOPONOqd3R_Tg_nKylOpwoXTasdtvEywmLY8GSwMcQYHWQ8HvZcNLcAUMa-AcoFh50kUENdkabAOPF3dqYLVYTUU60lJWFy-D1n_Z5g2H1MoFdHZ-qLQmce9NpeKKlRzIoHL-OMxnkQIjkfUT5SsC3m_U3moIIDOzCCAzcwggIfoAMCAQICCBr3UPqcAwJ2MA0GCSqGSIb3DQEBCwUAMCkxJzAlBgNVBAMTHkdhcmliYWxkaSBXSU4tOUhFODk2VlNUVTUgZ2RvaTAeFw0yMzEyMDMxNjA1NTBaFw0zMzEyMDExNjA1NTBaMCkxJzAlBgNVBAMTHkdhcmliYWxkaSBXSU4tOUhFODk2VlNUVTUgZ2RvaTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM_wlF-PJ9Z8MGFFrs26_I9MKiUZjrlzaTvl-a4PFaq4-8jTpCAk1hQwl62LzL4ScQVoqCevDGPR54ecdbCb0CCCsZ4bBudnFpUovzGRRC_rcTgQgnOaKLqkfM0DLFnL6XaIpNWZP4xrvjYWphzwm5F3Kv7ScE2cKRLknfL21LYzjr8f1A-1jFfUBg3sQdOLpgmK80cqLb3Vch_jgAGrMnzt4hg39H3OZi9VCKYSpZbP4JJw3-w0o7f4Ih0bs5PFC4VxnSYlcGG8nXlNNOb7Q32Bcikw6lBT02Il7JdKcLH_2KKI5IP_MD-pi0AQAqlrVQw5lETlapttyLhjhQ_JzykCAwEAAaNjMGEwCwYDVR0PBAQDAgO4MBMGA1UdJQQMMAoGCCsGAQUFBwMBMD0GA1UdEQQ2MDSHBH8AAAGHEAAAAAAAAAAAAAAAAAAAAAGCCWxvY2FsaG9zdIIPV0lOLTlIRTg5NlZTVFU1MA0GCSqGSIb3DQEBCwUAA4IBAQBbfnDrBQp0j7qZOzvmwMeJwFZsJIYu6wxYOL4sAI1Q16SGRVDjXvxQjX8GS4NsmoeB_HKYmc4wncboIz4xad8FB6uIzzYlziwHDhtHkLhyi-ooXtaE0B58cGySoeNuna9bTGkCfa6B9_vCZDzNbwauYSrEhdj51tKHYFkrlNuUbpIjnovadlCT6c3EsYNdtZuGtU_2SpOEnx93E9huWeP4l32xYMoBKXd8-i3I4wyJcaCL3PTLgRT-zw13R6_mAjCKv1Q_W3igJrIl4tBBex2r7mybRd0ZAXc7NSEiISCY8AZFPcBfzjxZ-x1BtyS-QsCntUaoIKf5nssA4BD5YVHZMYICDTCCAgkCAQEwNTApMScwJQYDVQQDEx5HYXJpYmFsZGkgV0lOLTlIRTg5NlZTVFU1IGdkb2kCCBr3UPqcAwJ2MAoGCCqGSIb3DQIFoIGvMBIGCmCGSAGG-EUBCQIxBBMCMTkwGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAfBgkqhkiG9w0BCQQxEgQQpbBktx53Eym2_-cagcyWuTAgBgpghkgBhvhFAQkFMRIEEOVCXExqooHIJ1jLmrdJhvMwPAYKYIZIAYb4RQEJBzEuEyx0alFoNzMzc3B4NC9UNW9ua2QyY1phNDQxTTNzUWh6aURGNkR5VW5wY2JZPTALBgkqhkiG9w0BAQEEggEAwwcwrZq3D9-hW9TUS2VGOQGQUUum60yo_NpkVjU7V_fa-glaj8DD8n-mFQSDNyp1UQnhdlj1iBK-adefi_1Iqu3abv7-7tkYIyUbdBCH5iA-Ri34RbmqtugcZCPlD1GCXLuUj33SrYgQ1DDBpD5EnuUHa-ylIuoSXI9u6jMp9vjRQe_zx573zMmyc5duAZ1Vdsu6OAP5uUuj5f6fi1C40iY9qUXuoG9zkpbTMA8JLjuQWFUFrQwhNuwmROCVmUk7OiIhZLDQxb2IwP929W9Z4GMiJ9AXtYeSkbiPzKfnR73iJiWTXADZieuqLHvKauvyX1IpmFb2p2NjVODDBWIrUA

Quick reproducer:

# error:
2023/12/04 21:51:55 pkcs7: cannot decrypt data: only RSA, DES, DES-EDE3, AES-256-CBC and AES-128-GCM supported

Some debug statement in getHashForOID, as it's one of the locations where ErrUnsupportedAlgorithm is returned:

1.2.840.113549.2.5

1.2.840.113549.2.5 is the OID for MD5 hashing. That's not supported in the Go package used for PKCS7 operations, and likely won't be supported either, unless we can/want to/will do some very legacy mode.

@herbfalkmi do you have control over the hashing algorithm used by the client? I would suggest upgrading to SHA256.

I'll make ~a note~ an issue to fix his error message in pkcs7. It's not the right error message to return in this case. It seems like MD5 was also not supported before we forked the package, so that's not the issue.

herbfalkmi commented 7 months ago

Progress, changed the signature to SHA-256 and the new error is:

Line 22: {"caller":"service_logging.go:47","component":"scep_service","err":"parse CSR from pkiEnvelope: asn1: structure error: tags don't match (16 vs {class:0 tag:2 length:1 isCompound:false}) {optional:false explicit:false application:false private:false defaultValue:\u003cnil\u003e tag:\u003cnil\u003e stringType:0 timeType:0 set:false omitEmpty:false} tbsCertificateRequest @2","level":"info","method":"PKIOperation","took":"4.7176ms","ts":"2023-12-04T21:59:48.1558002Z"}

The bytes logged:

{"caller":"logutil.go:70","component":"http","host":"127.0.0.1","level":"info","method":"GET","path":"/scep?operation=PKIOperation\u0026message=MIIKSgYJKoZIhvcNAQcCoIIKOzCCCjcCAQExDTALBglghkgBZQMEAgEwggTABgkqhkiG9w0BBwGgggSxBIIErTCCBKkGCSqGSIb3DQEHA6CCBJowggSWAgEAMYIBbTCCAWkCAQAwUTBMMQswCQYDVQQGEwJVUzEQMA4GA1UEChMHc2NlcC1jYTEQMA4GA1UECxMHU0NFUCBDQTEZMBcGA1UEAxMQTUlDUk9NRE0gU0NFUCBDQQIBATANBgkqhkiG9w0BAQEFAASCAQCFvU3RntCsaaJ%2BcSZfdmALEo8e5MWZM%2FFEatHn61Is%2B5YG7do6jEAK7W2JBYrmqm%2BSj2E7lj06dU1MhhsVabPlOKaJ%2Fmim07mJlZD%2FikScdN3HbPOT6ElAMkO9b81S4bbZQ3SkaJJWtDfHF3CSFjjPwVnLesEQpXQ4hnEjO95FDM2ajxQz3excxSd6eNLogfD7zSV0ywZQ0LEoiuoij0zVIR%2Bl0MYgQ%2F7z7Rz%2BWCy9zmfdTtWQ8BEawGY8%2BxuDxUAxPZnc%2BhUBIqcdiMDTeZjYTWC9JoyjFSRhLKCS8%2FjjTSgiNWxn%2BjmGttDMY0UyOp86BIrcUwbFR2EhhGa1EY1KMIIDHgYJKoZIhvcNAQcGMB0GCWCGSAFlAwQBKgQQVRdf4Fqt1VSdHtpfGLIXDICCAvCDbeSj7gHI7y5XyvFpZz7Vj3uORC1bev5QvXpQ9l5sANBeOFpq8qC6%2BTZ77q5e1QQdvUsVC2WO8CKuISp4wi0dgUl6zRLxdEhaAr%2FJwHdfoEnb7l1rEWPgVf7dZrJaIytgHz3D0TOZd93PbVwd4vipidm3vJbyf7kiwZGVI2jovwrmNprdJ4MirqHhTRX1g5hsrw17LRfO9KJdOVuPLTGcDhbHGlXXY2RgYVjaGndhbAGpLdH4g30QlLm9GobNsYJ9s0ZD0GxQdoczyJURYujFfqj9aR7HAWu0sXOgzcIdnoQgKEFkIzw1lRyxODrLnID9fxj3ybDrvUHW8xTT%2FnQljcbOKpmowGHky4%2BrL7GsRxMvItiF8qS9OOYipoyCd8CQF9ZMVZmcmZhoZ%2BhmxJ%2Bo%2FRVNa0RXt1NvHwjSMs8RO%2BFzWmo3%2BcTyIjCQsUl%2B54EnFOYEI7mPmd332HOuB%2F89r7V1%2ByZSUiJDAJqcxR7EZCtCdSbBHHfKevMhoYKLUK5NQj3xUox5PGZzW%2F4ceD0PnrN5rP4wvh%2FPiV%2FEr%2Bw8pD3IAJoDzB96txsz0vvPQVG9b0JRcLjKFK4qaykvNqF%2F9XZGzxK7ueJAMPw235%2FwIsG%2B05uTY6EbuNhNdHyusiliuBWEeWvIW0VFz1gt0hZBbI2usXSIpENC6q5En4V72VtXnHyZucN%2FTB%2FSsuxumWA8yELd94sqaaDy0zz1ETe79FRQX%2B6PaorOX8zB2%2B1OTT%2B9QMkzn%2F%2B1DiM6PMWMJRgoVyMeN8m9ROWmIm3AqBh6L884Pz%2B0986CmnUBzCBEElPMoeuRAZvy6ZE0iOL2c9cQ74YAdcf5kdxdQ9H9oWwKSS8qjRkB0pX5rPNoeCWyP8%2FpuvnZc3GMPnnkYDZk%2BLpyfqA2orS84sgowV0lD33wvkRpp%2FlN7orc7ZfmKoUKSUWT1M5fuX4QQZliz10K6RUQx%2Bo5ldiYg5SKnghPitDNXWzwRvm6QARYNxbdAOgHKqCCAzswggM3MIICH6ADAgECAggnmGnVYUbcJTANBgkqhkiG9w0BAQsFADApMScwJQYDVQQDEx5HYXJpYmFsZGkgV0lOLTlIRTg5NlZTVFU1IGdkb2kwHhcNMjMxMjAzMjExODM5WhcNMzMxMjAxMjExODM5WjApMScwJQYDVQQDEx5HYXJpYmFsZGkgV0lOLTlIRTg5NlZTVFU1IGdkb2kwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQD3peyLWkWfNzcsSwH6KSrNnRgXHsZQESvyHgA7NluEq4Z%2FUtdxE1XjeMgDoUb2KLcNuNWPsyQ%2BH3PjqbkEe%2BUqmDWCzK3N%2FZuyKZu%2BpVJDfZvr04gPOHWlbsJFW1gT3bcCrPA3e08coKTtS175G9heM8nYm2s276kFVkwt4oUOHZbxX4Bx702InziLI1qIEddsRPLpK5%2FNbgaV5vHgpYugBG22zjDi%2BLKg2OBjuIPcGHrgcHYQYXFhTAvEArOgq2BXfVOAJW751pMFFf1kT7%2FtmfFq76Vzoc93%2BjGEvcLEV2aMfwI2jAtpwdy8wTDwr5H%2BDHGGrZrsCRYJDx2B%2FvEVAgMBAAGjYzBhMAsGA1UdDwQEAwIDuDATBgNVHSUEDDAKBggrBgEFBQcDATA9BgNVHREENjA0hwR%2FAAABhxAAAAAAAAAAAAAAAAAAAAABgglsb2NhbGhvc3SCD1dJTi05SEU4OTZWU1RVNTANBgkqhkiG9w0BAQsFAAOCAQEAotgjhLNP4ivp4occoNHA%2FrEnfYWE1yfm%2Bb6rBQt8JBYpV3aIe9T%2FaXk0nF6XHb83bShHmTuF4%2BtAWQkhj5eVvxZztP3IMuVJyH%2F%2B6G6055OYAQFs%2F%2BYqPGB5KXQWfSj9l76dtksn7vhX0p58ob0fo3%2F4MrnbRkrctb4j7cxHaS3T1LIPPqFKGbIyVbLPvOIrogvxfQyZLt7wUkAofZCUtiPNIA%2FodDkXd8jW7irBvoa2X91il5zyIH8xJoMRjfkdKWQ5r3sgF3BrPZbyGDzLflB7cmFHU574uE7dfOyJXapWbeTEQThcOhf9WoXrCaGAo5X6w%2FkOgTfhxamVSO%2BZjTGCAh4wggIaAgEBMDUwKTEnMCUGA1UEAxMeR2FyaWJhbGRpIFdJTi05SEU4OTZWU1RVNSBnZG9pAggnmGnVYUbcJTALBglghkgBZQMEAgGggb8wEgYKYIZIAYb4RQEJAjEEEwIxOTAYBgkqhkiG9w0BCQMxCwYJKoZIhvcNAQcBMCAGCmCGSAGG%2BEUBCQUxEgQQmsTA1mBgBxtaK%2BCvtOASYzAvBgkqhkiG9w0BCQQxIgQgj9CcYOWU9xOqS7MORrnIEByEjWvv89UnnLCuhhMcJAwwPAYKYIZIAYb4RQEJBzEuEyx0a0xLVFBWeTJoZmVJWlZ4UE9CWlJwS1ZHTnRRZ2RwUE5RSUtJUTBxSk1ZPTALBgkqhkiG9w0BAQEEggEAhHfvfp2BwR0APpD2wDzZlHaDOvaL5RNJpWa1wwPtPhCj4RnNlXX1qy3%2Fd88vye0K3jVSw98PEzn6amiIrNJEAxTlz6i3mnbsnK%2Bj0mK3vu3UUDzCHyQGt7BITGalu6fpmlTf8qijPI1WSCAly69z3%2B%2FupOKqBPD4Veq9BURLUim2YLS3K9TWSPDK4SyRrktT4Kh4NQ8ij%2FBGuUJUb%2B0Bz8naTNjc0wwdl3gAhlU7FYVqjMwx1is7hJMIqIxBsxSDDXYFVg1oog5GaHvNjWYj2zNG8bMttCJWMBWeTFmxseuXESK6XfQLRYkycPoh2wKyB5GllcVWTMNIigrpI4eNYA%3D%3D","proto":"HTTP/1.1","status":500,"ts":"2023-12-04T21:59:48.1566935Z","user_agent":""}

If you can interpret the error, I should be able to fix it?

From: @. @.> @. @.>
Sent: Monday, December 4, 2023 3:02 PM To: 'micromdm/scep' @. @.> ; 'micromdm/scep' @. @.> Cc: 'Author' @. @.> Subject: RE: [micromdm/scep] Custom SCEP Client works for NDES, not GO SCEP Server (Issue #224)