Re: WS1 Revoking Certs and Sending Bad Requests to...

JamieAndersonJa · ‎11-04-2021

On-prem console version = 21.5.0.9 (2105)

ACC = True

WS1 appears to be revoking a specific cert 16 days after the cert was provisioned. This particular cert is good for 45 days and we have the renewal period set at 21 days. We have two other certs that are provisioned the same way except there validity period is longer. We don't see this issue occurring with the other two certs, at this time. To fix this issue we simply remove and reinstall the profile associated with the 45 day cert. This has been worked every time.

Additionally, we are seeing WS1 send bad PKCS cert requests to the CA. Bad requests do not have the CN= value filled out which should be the user's UPN. The certs are only deployed to iOS devices so I have no way to know if this impacts other platforms. The majority of our iOS devices are now iOS 15.1

Has anyone else encountered a similar problem?

HimanshuMishra · ‎11-04-2021

Not sure if it is related. We are starting to experience a lot of certificate related issues. User based certificates are not auto renewing. Re-pushing the profiles sometimes fixes the issue. We are not able to find a pattern as it is very inconsistent and happening on various iOS versions as well as Androids. We are on-prem 20.11.0.33 (2011).

JamieAndersonJa · ‎11-04-2021

Certainly seems similar. I have an open case with VMWare, I'll post an update if we discover anything.

CK_ONE · ‎11-09-2021

We are experiencing the same exact issue. Certs appear to be getting revoked at random. Mostly seeing this with the tunnel vpn root cert. All impacted devices are on iOS 15.0 and higher. Appears our iOS devices below 15 are not affected. Our Android devices are also not affected.

SaaS - Dedicated console version = 21.5.0.17 (2105)

ACC = True

I have case open with support for 2 weeks. Still awaiting a response

In the case of this users device, we repush the Tunnel profile and ever few days it revokes again

Warning	11/8/2021 7:03	Certificate Management	Certificates	Revoked	sysadmin	Reason Code : Superseded
Warning	11/5/2021 6:35	Certificate Management	Certificates	Revoked	sysadmin	Reason Code : Superseded
Warning	11/1/2021 7:43	Certificate Management	Certificates	Revoked	sysadmin	Reason Code : Superseded
Warning	10/27/2021 6:58	Certificate Management	Certificates	Revoked	sysadmin	Reason Code : Superseded
Warning	10/25/2021 7:42	Certificate Management	Certificates	Revoked	sysadmin	Reason Code : Superseded
Warning	10/19/2021 6:59	Certificate Management	Certificates	Revoked	sysadmin	Reason Code : Superseded
Warning	10/15/2021 7:50	Certificate Management	Certificates	Revoked	sysadmin	Reason Code : Superseded
Warning	10/13/2021 7:43	Certificate Management	Certificates	Revoked	sysadmin	Reason Code : Superseded

JamieAndersonJa · ‎11-09-2021

Thanks for sharing. Here is my SR#, 21270554610 if you would like to link it to yours.

If we start linking our SRs together it should add more urgency to this problem.

CK_ONE · ‎11-09-2021

Will do. Ours is SR# 21270153410

Mario_Giese · ‎12-06-2021

Hi,

any new information about this?
We see similar revocation of VPN certificates (not from a CA but from the WSO UEM itself for VMware Tunnel) on Android devices.
On Prem 21.5.0.22

BR Mario

JamieAndersonJa · ‎12-06-2021

This is VMWare's latest response to me, "It appears the certs are getting revoked due to invalid sampling data coming in from the devices. I am syncing up with our Apple/iOS SME's to develop a corrective action plan so we can get you back up and running."

We disable the cert revocation feature in the cert templates. That's helping right now.

Mario_Giese · ‎12-06-2021

Hi,

thanks.
Sounds like this problem I found an article about:
https://kb.vmware.com/s/article/81818?lang=en_US

JamieAndersonJa · ‎12-06-2021

Interesting, that article is over a year old. We didn't see this issue until we made all of our employees update to iOS 15.x.

M_Fox · ‎12-06-2021

We are seeing the same behavior with our mac environment currently, regardless of OS version.

JamieAndersonJa · ‎12-13-2021

At VMWare's request we opened a case with Apple. For disclosure, we only manage iOS devices with WS1.

Per Apple, "In latest iOS 15.2seed 4 or later (we yesterday shipped the RC), we had a change of certificate handling. Before in iOS 15 there was an issue if a certificate was installed with iOS 14.x and then an update to the certificate pushed while iOS 15.0/15.1 was installed. Then some certificates were no longer valid or deleted. To reenable the certificate it has to be pushed again as workaround.

Using iOS 15.2 should prevent this issue from occurring, but will not repair a not working certificate it a device is in that state. You have to push the certificate again to get the certificate in a valid state on the device again.

If all certificates were first installed in fresh installed iOS 15 the issue should not occur.

The issue is reported not to occur on all devices."

So now we are wafting for 15.2 to drop!

ogushia · ‎12-14-2021

In our environment, a similar issue occurs and only the certificate for iOS 15.x devices remains revoked (the certificate for iOS 14.x and below devices is also revoked, but republished).

I ran the workaround in this KB (https://kb.vmware.com/s/article/81818?lang=en_US) and the issue haven't occured since then.

HimanshuMishra · ‎03-01-2022

Anyone still experiencing this issue ? We are getting reports of devices dropping off the network because of expired certificates. We are redeploying the cert profile to re-establish the connectivity but it has been a lot of manual workaround. Thanks!

JamieAndersonJa · ‎03-01-2022

Yes we are. Our issue is tied to a change Apple made to certificate sampling in iOS 15. Supposedly it's going to be fixed, again, in iOS 15.4

We implemented the workaround in https://kb.vmware.com/s/article/81818. It won't fix certs that have already been revoked but it should help to stop new breakage.

HimanshuMishra · ‎03-14-2022

iOS 15.4 is out now. Hope it fixes the issue.

All

WS1 Revoking Certs and Sending Bad Requests to CA

Workspace ONE UEM