Description
Fleet version: 4.76 RC
Web browser and operating system: macOS (unsure of which version or browser)
💥 Actual behavior
MDM-SCEP (15002): Unable to obtain certificate from SCEP server at "testpostpleaseignore.cloud.fleetdm.com"
Despite multiple refetches of the host, the certificate renewal does not complete successfully. The Fleet UI continues to show the certificate needs renewal, even though:
- SCEP proxy logs show successful 200 status responses for PKIOperation requests
- The `host_mdm_managed_certificates` table shows `challenge_retrieved_at` is updating (indicating renewal attempts are occurring)
- Certificate validity fields (`not_valid_after`, `serial`, `not_valid_before`) remain NULL
One 400 error was observed in logs at 19:45:06 EDT with message:
profile status (null) is not 'pending' for host:REDACTED
🛠️ To fix
Investigate why the macOS client is rejecting the certificate despite Fleet and the Smallstep SCEP server reporting successful responses. The disconnect appears to be between Fleet/SCEP treating the renewal as successful (200 responses) and the macOS client failing to accept/install the certificate (error 15002).
🧑💻 Steps to reproduce
- Configure Fleet with Smallstep integration for certificate management
- Enroll a macOS host with a certificate that needs renewal
- Wait for or trigger automatic certificate renewal attempts
- Observe that SCEP proxy logs show 200 responses for renewal attempts
- Check host - it displays MDM-SCEP error 15002 and cert is not renewed
- Refetch host multiple times - issue persists
🕯️ More info (optional)
Database state (`host_mdm_managed_certificates`):
- Host UUID: Can provide upon request, not included due to sensitivity
- Profile UUID: Can provide upon request, not included due to sensitivity
- `challenge_retrieved_at`: 2025-10-23 22:43:20 (updates with renewal attempts)
- `not_valid_after`, `serial`, `not_valid_before`: all NULL

SCEP proxy logs show successful requests:
- Multiple successful (200) GetCACert, GetCACaps, and PKIOperation requests
- Most recent successful PKIOperation: 2025-10-23T23:27:00Z
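A triage query for the database signature described above (challenge timestamps advancing while the validity fields stay NULL), added here as an example and not part of the original report or of Fleet's code. It assumes Fleet's MySQL backing store and that the "Host UUID" and "Profile UUID" columns are named `host_uuid` and `profile_uuid`.

```sql
-- Added example, not from the issue or Fleet's code base.
-- Assumptions: MySQL (Fleet's backing store); the host and profile columns of
-- host_mdm_managed_certificates are named host_uuid and profile_uuid.
--
-- Signature from the report: challenge_retrieved_at keeps updating (renewal
-- attempts are happening) while not_valid_before, not_valid_after and serial
-- remain NULL (no installed certificate was ever reported back by the host).

-- 1. Every host/profile pair currently showing the stuck-renewal signature.
SELECT
  c.host_uuid,
  c.profile_uuid,
  c.challenge_retrieved_at,
  TIMESTAMPDIFF(HOUR, c.challenge_retrieved_at, UTC_TIMESTAMP())
    AS hours_since_last_challenge
FROM host_mdm_managed_certificates AS c
WHERE c.challenge_retrieved_at IS NOT NULL
  AND c.not_valid_after  IS NULL
  AND c.not_valid_before IS NULL
  AND c.serial           IS NULL
  -- A challenge fetched in the last hour may simply still be in flight;
  -- only flag rows that have had time to complete the SCEP exchange.
  AND c.challenge_retrieved_at < UTC_TIMESTAMP() - INTERVAL 1 HOUR
ORDER BY c.challenge_retrieved_at DESC;

-- 2. The same signature rolled up per certificate profile, to distinguish a
--    single misbehaving host from a profile that is failing fleet-wide.
SELECT
  c.profile_uuid,
  COUNT(*)                    AS stuck_hosts,
  MIN(c.challenge_retrieved_at) AS oldest_attempt,
  MAX(c.challenge_retrieved_at) AS newest_attempt
FROM host_mdm_managed_certificates AS c
WHERE c.challenge_retrieved_at IS NOT NULL
  AND c.not_valid_after  IS NULL
  AND c.not_valid_before IS NULL
  AND c.serial           IS NULL
  AND c.challenge_retrieved_at < UTC_TIMESTAMP() - INTERVAL 1 HOUR
GROUP BY c.profile_uuid
ORDER BY stuck_hosts DESC;
```

A row that stays in the first result set across several refetches while the SCEP proxy keeps logging 200s for PKIOperation reproduces the disconnect described in this report.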
Context:
- Gabe tested this workflow synthetically (by manipulating DB dates) and it worked correctly
- The occasional 400 "profile status (null)" error is apparently expected per code comments
- Similar error 15002 has been reported in other MDM contexts. See here: https://www.reddit.com/r/Intune/comments/1ch7uff/issue_scep_certs_for_macs_wifi/