SCEP証明書を生成できません。証明書CA の取得に失敗しました
2308
Created On 02/08/23 16:30 PM - Last Modified 10/10/25 01:52 AM
Symptom
- 失敗すると、「 SCEP証明書を生成できません。証明書CA の取得に失敗しました」というウィンドウが表示されます。
- デバッグが有効になっているsslmgrログには、 「/usr/bin/sscep: 間違った (または見つからない) MIME コンテンツ タイプ」と表示されます。
Environment
- パンOS
- Palo Alto Networksファイアウォールと Panorama
- 証明書管理
- SCEP
- Windows サーバー
Cause
- 問題は、IIS マネージャーで匿名認証が無効になっていることが原因でした。
- Below is the flow when sslgr さんis on debug level
>tail follow yes mp-log sslmgr.log 2023-02-08 10:13:59.404 -0600 debug: cfgagent_opcmd_callback(pan_cfgagent.c:496): sslmgr: cfg agent received op command from server 2023-02-08 10:13:59.404 -0600 debug: cfgagent_doop_callback(pan_cfgagent.c:531): received signal to execute for agent: sslmgr 2023-02-08 10:13:59.413 -0600 debug: pan_scep_get_client_cert(pan_scep.c:401): Trying to create temporary directory /opt/pancfg/certificates/tmpXXXXXX debug: pan_scep_get_challenge(pan_scep.c:163): Sending http get to scep server http://172.16.3.254/CertSrv/mscep_admin/mscep.dll debug: pan_http_curl_get(pan_http_client.c:551): custom_header [Accept-Language: en-US] debug: pan_http_curl_get(pan_http_client.c:556): add last header: [Accept-Language: en-US] debug: pan_http_curl_get(pan_http_client.c:600): setting headers... debug: pan_scep_get_challenge(pan_scep.c:211): Parsed Challenge 511BBA03219A96E1 debug: pan_scep_is_safe_string(pan_scep.c:44): pan_scep_is_safe_string : is_subject is 0, str is 007051000210668 debug: pan_scep_is_safe_string(pan_scep.c:44): pan_scep_is_safe_string : is_subject is 0, str is 1781276205 debug: pan_scep_is_safe_string(pan_scep.c:44): pan_scep_is_safe_string : is_subject is 0, str is RSA debug: pan_scep_is_safe_string(pan_scep.c:44): pan_scep_is_safe_string : is_subject is 0, str is sha256 debug: pan_scep_is_safe_string(pan_scep.c:44): pan_scep_is_safe_string : is_subject is 0, str is 511BBA03219A96E1 debug: pan_scep_is_safe_string(pan_scep.c:44): pan_scep_is_safe_string : is_subject is 0, str is http://172.16.3.254/CertSrv/mscep_admin/mscep.dll debug: pan_scep_is_safe_string(pan_scep.c:44): pan_scep_is_safe_string : is_subject is 0, str is E9026EAFA0212C7020E62085752EC8C7 debug: pan_scep_is_safe_string(pan_scep.c:44): pan_scep_is_safe_string : is_subject is 1, str is CN=$USERNAME debug: pan_scep_is_safe_string(pan_scep.c:58): Token $USERNAME exists in subject and the position is 3 debug: pan_scep_is_safe_string(pan_scep.c:44): pan_scep_is_safe_string : is_subject is 0, str is DC1-MSCEP-RA debug: pan_scep_get_client_cert(pan_scep.c:471): Generating CSR from script.../usr/local/bin/pangenscepcert.sh -s "007051000210668" -h "1781276205" -c "RSA:2048" -i "511BBA03219A96E1" -e "http://172.16.3.254/CertSrv/mscep_admin/mscep.dll" -m "sha256" -y "365" -u "3" -l "" -o "" -q "" -j "/opt/pancfg/certificates/tmpT2xMwB" -b "CN=$USERNAME" -r "172.16.3.1" -d "" -f "E9026EAFA0212C7020E62085752EC8C7" -a "no" -t "DC1-MSCEP-RA"Generating a 2048 bit RSA private key ...............+++ ......................................................................................................+++ writing new private key to '/opt/pancfg/certificates/tmpT2xMwB/dev.key' ----- /usr/bin/sscep: wrong (or missing) MIME content type /usr/bin/sscep: error while sending message Error: pan_scep_get_client_cert(pan_scep.c:473): cmd (/usr/local/bin/pangenscepcert.sh -s "007051000210668" -h "1781276205" -c "RSA:2048" -i "511BBA03219A96E1" -e "http://172.16.3.254/CertSrv/mscep_admin/mscep.dll" -m "sha256" -y "365" -u "3" -l "" -o "" -q "" -j "/opt/pancfg/certificates/tmpT2xMwB" -b "CN=$USERNAME" -r "172.16.3.1" -d "" -f "E9026EAFA0212C7020E62085752EC8C7" -a "no" -t "DC1-MSCEP-RA") failed Error: sslmgr_scep_generate_client_cert(sslmgr_scep.c:521): pan_scep_get_client_cert() failed Error: cfgagent_doop_callback(pan_cfgagent.c:581): Failed to handle op command for agent:
Resolution
- 以下に示すように匿名認証を有効にします