Custom SCEP proxy certificates intermittently failing to auto-renew #44111

@spalmesano0

Description

Fleet versions

  • Discovered: v4.83.0
  • Reproduced:

Web browser and operating system: N/A


💥  Actual behavior

customer-shackleton is experiencing an issue where some devices are failing to automatically renew a certificate deployed via a custom SCEP proxy. The cert validity period is set to 30 days, and the devices are online during the 15 days before expiration (when Fleet should be attempting to renew the certs). No errors surface in the Fleet UI.

🛠️ To fix

TODO

🧑‍💻  Steps to reproduce

These steps:

  • Have been confirmed to consistently lead to reproduction in multiple Fleet instances.
  • Describe the workflow that led to the error, but have not yet been reproduced in multiple Fleet instances.

  1. Deploy a certificate profile via Fleet's custom SCEP proxy with a 30-day validity period.
  2. Wait for a device to approach the 15-day renewal window.

🕯️ More info (optional)

  • A database query against host_mdm_managed_certificates for affected devices showed NULL values for not_valid_after, not_valid_before, and serial.
  • Manually re-sending the profile from the UI for individual devices works, and the cert is renewed.
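
A triage check for the symptom reported above, added here as an example and not taken from the issue or from Fleet's code: it separates rows whose validity metadata is NULL (so their expiry is unknown) from rows that are inside the 15-day window or already expired. Only the table name and the `not_valid_before`, `not_valid_after` and `serial` columns come from the issue; `host_uuid` and `profile_uuid` are assumed key columns, the rows are constructed, and SQLite is used only so the query runs offline.

```python
import sqlite3
from datetime import datetime, timedelta

RENEWAL_WINDOW_DAYS = 15  # from the issue: renewal expected in the 15 days before expiry
FMT = "%Y-%m-%d %H:%M:%S"

# Only the table name and not_valid_before / not_valid_after / serial come from
# the issue; host_uuid and profile_uuid are hypothetical key columns.
SCHEMA = """CREATE TABLE host_mdm_managed_certificates (
    host_uuid TEXT, profile_uuid TEXT,
    not_valid_before TEXT, not_valid_after TEXT, serial TEXT)"""

TRIAGE_SQL = """
SELECT host_uuid,
  CASE
    WHEN not_valid_before IS NULL OR not_valid_after IS NULL OR serial IS NULL
      THEN 'missing_metadata'   -- expiry unknown: cannot be placed in any window
    WHEN not_valid_after <= :now THEN 'expired'
    WHEN not_valid_after <= :window_end THEN 'in_renewal_window'
    ELSE 'ok'
  END AS state
FROM host_mdm_managed_certificates
ORDER BY host_uuid"""

def triage(conn, now):
    """Return (host_uuid, state) for every managed-certificate row."""
    params = {"now": now.strftime(FMT),
              "window_end": (now + timedelta(days=RENEWAL_WINDOW_DAYS)).strftime(FMT)}
    return [tuple(row) for row in conn.execute(TRIAGE_SQL, params)]

def build_sample():
    """Constructed rows, not data from the affected instance."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany(
        "INSERT INTO host_mdm_managed_certificates VALUES (?, ?, ?, ?, ?)",
        [("host-a", "p1", "2025-06-10 00:00:00", "2025-07-10 00:00:00", "01"),
         ("host-b", "p1", "2025-05-28 00:00:00", "2025-06-27 00:00:00", "02"),
         ("host-c", "p1", None, None, None),
         ("host-d", "p1", "2025-05-01 00:00:00", "2025-05-31 00:00:00", "03")])
    return conn

if __name__ == "__main__":
    for host, state in triage(build_sample(), datetime(2025, 6, 20)):
        print(f"{host}: {state}")
```

Hosts reported as `missing_metadata` are the ones to compare against the manual re-send workaround, since no expiry date is recorded for them.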

Metadata

Labels

  • #g-security-compliance: Security & Compliance product group
  • :release: Ready to write code. Scheduled in a release. See "Making changes" in handbook.
  • P1: Critical: Broken workflow (critical bug), potential vuln, new feature for immediate Fleet need
  • bug: Something isn't working as documented
  • customer-shackleton

Projects

Status

🐣 In progress
