Impossible de générer le certificat SCEP , échec de la récupération du certificat CA
2308
Created On 02/08/23 16:30 PM - Last Modified 10/10/25 01:52 AM
Symptom
- En cas d'échec, nous voyons une fenêtre apparaître avec « Impossible de générer le certificat SCEP , échec de la récupération du certificat CA »
- Sous les journaux sslmgr avec le débogage activé, nous voyons « /usr/bin/sscep : type de contenu MIME incorrect (ou manquant) »
Environment
- PAN-OS
- Pare-feu et panorama de Palo Alto Networks
- Gestion des certificats
- SCEP
- Serveur Windows
Cause
- Le problème était dû à la désactivation de l'authentification anonyme sur le gestionnaire IIS
- Below is the flow when sslmgris on debug level
>tail follow yes mp-log sslmgr.log 2023-02-08 10:13:59.404 -0600 debug: cfgagent_opcmd_callback(pan_cfgagent.c:496): sslmgr: cfg agent received op command from server 2023-02-08 10:13:59.404 -0600 debug: cfgagent_doop_callback(pan_cfgagent.c:531): received signal to execute for agent: sslmgr 2023-02-08 10:13:59.413 -0600 debug: pan_scep_get_client_cert(pan_scep.c:401): Trying to create temporary directory /opt/pancfg/certificates/tmpXXXXXX debug: pan_scep_get_challenge(pan_scep.c:163): Sending http get to scep server http://172.16.3.254/CertSrv/mscep_admin/mscep.dll debug: pan_http_curl_get(pan_http_client.c:551): custom_header [Accept-Language: en-US] debug: pan_http_curl_get(pan_http_client.c:556): add last header: [Accept-Language: en-US] debug: pan_http_curl_get(pan_http_client.c:600): setting headers... debug: pan_scep_get_challenge(pan_scep.c:211): Parsed Challenge 511BBA03219A96E1 debug: pan_scep_is_safe_string(pan_scep.c:44): pan_scep_is_safe_string : is_subject is 0, str is 007051000210668 debug: pan_scep_is_safe_string(pan_scep.c:44): pan_scep_is_safe_string : is_subject is 0, str is 1781276205 debug: pan_scep_is_safe_string(pan_scep.c:44): pan_scep_is_safe_string : is_subject is 0, str is RSA debug: pan_scep_is_safe_string(pan_scep.c:44): pan_scep_is_safe_string : is_subject is 0, str is sha256 debug: pan_scep_is_safe_string(pan_scep.c:44): pan_scep_is_safe_string : is_subject is 0, str is 511BBA03219A96E1 debug: pan_scep_is_safe_string(pan_scep.c:44): pan_scep_is_safe_string : is_subject is 0, str is http://172.16.3.254/CertSrv/mscep_admin/mscep.dll debug: pan_scep_is_safe_string(pan_scep.c:44): pan_scep_is_safe_string : is_subject is 0, str is E9026EAFA0212C7020E62085752EC8C7 debug: pan_scep_is_safe_string(pan_scep.c:44): pan_scep_is_safe_string : is_subject is 1, str is CN=$USERNAME debug: pan_scep_is_safe_string(pan_scep.c:58): Token $USERNAME exists in subject and the position is 3 debug: pan_scep_is_safe_string(pan_scep.c:44): pan_scep_is_safe_string : is_subject is 0, str is DC1-MSCEP-RA debug: pan_scep_get_client_cert(pan_scep.c:471): Generating CSR from script.../usr/local/bin/pangenscepcert.sh -s "007051000210668" -h "1781276205" -c "RSA:2048" -i "511BBA03219A96E1" -e "http://172.16.3.254/CertSrv/mscep_admin/mscep.dll" -m "sha256" -y "365" -u "3" -l "" -o "" -q "" -j "/opt/pancfg/certificates/tmpT2xMwB" -b "CN=$USERNAME" -r "172.16.3.1" -d "" -f "E9026EAFA0212C7020E62085752EC8C7" -a "no" -t "DC1-MSCEP-RA"Generating a 2048 bit RSA private key ...............+++ ......................................................................................................+++ writing new private key to '/opt/pancfg/certificates/tmpT2xMwB/dev.key' ----- /usr/bin/sscep: wrong (or missing) MIME content type /usr/bin/sscep: error while sending message Error: pan_scep_get_client_cert(pan_scep.c:473): cmd (/usr/local/bin/pangenscepcert.sh -s "007051000210668" -h "1781276205" -c "RSA:2048" -i "511BBA03219A96E1" -e "http://172.16.3.254/CertSrv/mscep_admin/mscep.dll" -m "sha256" -y "365" -u "3" -l "" -o "" -q "" -j "/opt/pancfg/certificates/tmpT2xMwB" -b "CN=$USERNAME" -r "172.16.3.1" -d "" -f "E9026EAFA0212C7020E62085752EC8C7" -a "no" -t "DC1-MSCEP-RA") failed Error: sslmgr_scep_generate_client_cert(sslmgr_scep.c:521): pan_scep_get_client_cert() failed Error: cfgagent_doop_callback(pan_cfgagent.c:581): Failed to handle op command for agent:
Resolution
- Activez l' authentification anonyme comme indiqué ci-dessous