cron to renew SCEP certificates might fail to enqueue commands if device has more than one SCEP certificate #19311

Closed
roperzh opened this issue May 28, 2024 · 2 comments
Labels
bug Something isn't working as documented bug-mac-enrollment Defect in Mac enrollment. customer-eponym #g-mdm MDM product group :incoming New issue in triage process. ~mac An issue related to Mac hosts. :release Ready to write code. Scheduled in a release. See "Making changes" in handbook. ~released bug This bug was found in a stable release.
roperzh commented May 28, 2024

Fleet version: 4.50.0


💥 Actual behavior

Cron to renew SCEP certificates might fail to enqueue commands if device has more than one SCEP certificate

πŸ§‘β€πŸ’» Β Steps to reproduce

  1. Turn on MDM features for a host
  2. Turn off MDM features for a host
  3. Change the threshold for certificates to a time in the past*
  4. Trigger the cleanups_then_aggregation job, which should enqueue a cert renewal. Observe how the cron fails

* For 3:

  • Configure a value > 30 days for mdm.apple_scep_signer_validity_days when you start your server.
  • As long as mdm.apple_scep_signer_validity_days is > 30, we'll renew the cert on each cron run. To stop this process, restart the server without the setting set (defaults to 1 year), run the cron again, and verify that the cert issued is for 1 year.
@roperzh roperzh added bug Something isn't working as documented ~released bug This bug was found in a stable release. #g-mdm MDM product group ~mac An issue related to Mac hosts. bug-mac-enrollment Defect in Mac enrollment. :incoming New issue in triage process. labels May 28, 2024
@georgekarrv georgekarrv added this to the 4.50.1 milestone May 28, 2024
roperzh added a commit that referenced this issue May 28, 2024
@roperzh roperzh self-assigned this May 28, 2024
roperzh added a commit that referenced this issue May 28, 2024
for #19311

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

<!-- Note that API documentation changes are now addressed by the
product design team. -->

- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- [x] Added/updated tests
- [x] Manual QA for all new/changed functionality
@georgekarrv georgekarrv added :release Ready to write code. Scheduled in a release. See "Making changes" in handbook. labels May 28, 2024
sharon-fdm pushed a commit that referenced this issue May 29, 2024
for #19311

xpkoala commented May 29, 2024

Tested and confirmed with @roperzh on a call together.

@fleet-release

One cert or two more,
In Fleet's nurturing embrace,
No fear of expiry's door.
