Yup, you're totally right. It was even spelled correctly in the design docs, but I must have misremembered it when working the logic into scep.c.

The bit about only querying GetCACertChain is a little messy because the scep-submit helper currently expects the daemon to parse everything, so it doesn't have information about whether or not the certificate is self-signed or issued by a trusted issuer. With just the change you're describing, are you still seeing other breakage, or spurious errors being logged, or neither?

Either way, the name of the request should be fixed shortly.

The other odd thing is that I have to URL encode the data passed into the -i value. I think scep-submit should be URL encoding the data for me. If you feel like fixing that too, then that would be great, otherwise I'll just keep URL encoding the value I pass.

That's an oversight alright, but I'm hesitant to add the fix for fear of breaking people who've already worked around it. Anecdotally, how hard would it be for you, for example, to adapt to not working around it?

As long as there was something in the release notes when I upgraded, I think it would be fine. Or just add a new option that turns the urlencoding on

Just noticed that this bug is fixed in HEAD since June 2016. I had detected that bug and jgarland79 had opened the ticket. So building to HEAD fixed my problem. Thanks, Nalin.

This is an issue against the current FreeIPA SCEP server using the latest published EL build (certmonger-0.78.4-3.el7.x86_64).

Are there plans on getting this fixed and released in the near future?

You'd have to file a bug with Red Hat against RHEL 7 asking for a backport.

Fixed with commit 71545541e5064281f913d91a08b7352af7fe6899 in 0.79