Unable to generate SCEP certificate. Failed to retrieve CA certificate.
Created On 02/08/23 16:30 PM - Last Modified 10/10/25 01:52 AM
Symptom
- On failure, a window appears with the message "Unable to generate SCEP certificate, failed to retrieve CA certificate".
- With debug enabled, the sslmgr log shows "/usr/bin/sscep: wrong (or missing) MIME content type".
Environment
- PAN-OS
- Palo Alto Networks firewalls and Panorama
- Certificate management
- SCEP
- Windows Server
Cause
- The issue was caused by Anonymous Authentication being disabled in IIS Manager.
- Below is the flow when sslmgr is at debug level:
```
>tail follow yes mp-log sslmgr.log
2023-02-08 10:13:59.404 -0600 debug: cfgagent_opcmd_callback(pan_cfgagent.c:496): sslmgr: cfg agent received op command from server
2023-02-08 10:13:59.404 -0600 debug: cfgagent_doop_callback(pan_cfgagent.c:531): received signal to execute for agent: sslmgr
2023-02-08 10:13:59.413 -0600 debug: pan_scep_get_client_cert(pan_scep.c:401): Trying to create temporary directory /opt/pancfg/certificates/tmpXXXXXX
debug: pan_scep_get_challenge(pan_scep.c:163): Sending http get to scep server http://172.16.3.254/CertSrv/mscep_admin/mscep.dll
debug: pan_http_curl_get(pan_http_client.c:551): custom_header [Accept-Language: en-US]
debug: pan_http_curl_get(pan_http_client.c:556): add last header: [Accept-Language: en-US]
debug: pan_http_curl_get(pan_http_client.c:600): setting headers...
debug: pan_scep_get_challenge(pan_scep.c:211): Parsed Challenge 511BBA03219A96E1
debug: pan_scep_is_safe_string(pan_scep.c:44): pan_scep_is_safe_string : is_subject is 0, str is 007051000210668
debug: pan_scep_is_safe_string(pan_scep.c:44): pan_scep_is_safe_string : is_subject is 0, str is 1781276205
debug: pan_scep_is_safe_string(pan_scep.c:44): pan_scep_is_safe_string : is_subject is 0, str is RSA
debug: pan_scep_is_safe_string(pan_scep.c:44): pan_scep_is_safe_string : is_subject is 0, str is sha256
debug: pan_scep_is_safe_string(pan_scep.c:44): pan_scep_is_safe_string : is_subject is 0, str is 511BBA03219A96E1
debug: pan_scep_is_safe_string(pan_scep.c:44): pan_scep_is_safe_string : is_subject is 0, str is http://172.16.3.254/CertSrv/mscep_admin/mscep.dll
debug: pan_scep_is_safe_string(pan_scep.c:44): pan_scep_is_safe_string : is_subject is 0, str is E9026EAFA0212C7020E62085752EC8C7
debug: pan_scep_is_safe_string(pan_scep.c:44): pan_scep_is_safe_string : is_subject is 1, str is CN=$USERNAME
debug: pan_scep_is_safe_string(pan_scep.c:58): Token $USERNAME exists in subject and the position is 3
debug: pan_scep_is_safe_string(pan_scep.c:44): pan_scep_is_safe_string : is_subject is 0, str is DC1-MSCEP-RA
debug: pan_scep_get_client_cert(pan_scep.c:471): Generating CSR from script.../usr/local/bin/pangenscepcert.sh -s "007051000210668" -h "1781276205" -c "RSA:2048" -i "511BBA03219A96E1" -e "http://172.16.3.254/CertSrv/mscep_admin/mscep.dll" -m "sha256" -y "365" -u "3" -l "" -o "" -q "" -j "/opt/pancfg/certificates/tmpT2xMwB" -b "CN=$USERNAME" -r "172.16.3.1" -d "" -f "E9026EAFA0212C7020E62085752EC8C7" -a "no" -t "DC1-MSCEP-RA"
Generating a 2048 bit RSA private key
...............+++
......................................................................................................+++
writing new private key to '/opt/pancfg/certificates/tmpT2xMwB/dev.key'
-----
/usr/bin/sscep: wrong (or missing) MIME content type
/usr/bin/sscep: error while sending message
Error: pan_scep_get_client_cert(pan_scep.c:473): cmd (/usr/local/bin/pangenscepcert.sh -s "007051000210668" -h "1781276205" -c "RSA:2048" -i "511BBA03219A96E1" -e "http://172.16.3.254/CertSrv/mscep_admin/mscep.dll" -m "sha256" -y "365" -u "3" -l "" -o "" -q "" -j "/opt/pancfg/certificates/tmpT2xMwB" -b "CN=$USERNAME" -r "172.16.3.1" -d "" -f "E9026EAFA0212C7020E62085752EC8C7" -a "no" -t "DC1-MSCEP-RA") failed
Error: sslmgr_scep_generate_client_cert(sslmgr_scep.c:521): pan_scep_get_client_cert() failed
Error: cfgagent_doop_callback(pan_cfgagent.c:581): Failed to handle op command for agent:
```
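A client-side check for this cause, added here as an example and not part of the original article: a SCEP client expects a CA-certificate MIME type in the GetCACert reply (RFC 8894), so a reply that demands HTTP authentication fails that test. The function names and sample replies are constructed for illustration, and it is an assumption that IIS answers with HTTP 401 and a `WWW-Authenticate` header when Anonymous Authentication is disabled.

```python
import urllib.error
import urllib.request

# MIME types a SCEP client accepts for a GetCACert reply (RFC 8894).
CA_CERT_TYPES = {"application/x-x509-ca-cert", "application/x-x509-ca-ra-cert"}


def classify(status, headers):
    """Explain a GetCACert reply from its status code and header dict."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    ctype = hdrs.get("content-type", "").split(";")[0].strip().lower()
    if status == 401 or "www-authenticate" in hdrs:
        return "auth-required"   # server demands HTTP authentication
    if status == 200 and ctype in CA_CERT_TYPES:
        return "ok"              # CA or CA/RA certificate payload
    if status == 200:
        return "wrong-mime"      # 200, but not a CA certificate payload
    return "http-error"


def probe(scep_url, timeout=5):
    """Send an unauthenticated GetCACert request and classify the reply."""
    url = f"{scep_url}?operation=GetCACert"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return classify(resp.status, dict(resp.headers))
    except urllib.error.HTTPError as err:
        # urllib raises on 4xx/5xx; the status and headers are still available.
        return classify(err.code, dict(err.headers))


# Constructed sample replies (not captured from the environment in this article).
SAMPLES = {
    "anonymous auth disabled": (401, {"Content-Type": "text/html",
                                      "WWW-Authenticate": "Negotiate"}),
    "anonymous auth enabled": (200, {"Content-Type": "application/x-x509-ca-ra-cert"}),
    "html page returned": (200, {"Content-Type": "text/html; charset=utf-8"}),
}

if __name__ == "__main__":
    for name, (status, headers) in SAMPLES.items():
        print(f"{name}: {classify(status, headers)}")
```

Calling `probe()` with the SCEP server URL from a host that can reach it should return `ok` once the IIS change is in place.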
Resolution
- Enable Anonymous Authentication as shown below.