Debugging the scep webhook process

[Roiskia]

I am trying to setup a step-ca with the scep endpoint and a webhook to verify the requests. I got to the point where i can use the scep endpoint with a static secret. Now i want to add a custom webhook to verify the request. So far with out success. Are there debug logs i could enable to get more details about what went wrong? I tried setting STEPDEBUG=1 but got no more information out of the error.

Here is what i have tried so far:

I read through https://smallstep.com/docs/step-ca/webhooks/ to implement a webhook server myself. For now, the webhook server always responses with { "allow": true }.

I generated a certificate and installed it on the webhook server:

step ca certificate cert-challenge certs/cert-challenge secrets/cert-challenge.key

I can verify the ssl certificate successfully and curl that endpoint from the scep server without ssl errors:

>step certificate verify certs/cert-challenge.crt
>openssl s_client -showcerts -servername cert-challenge -connect cert-challenge:443 <<< "Q" | openssl x509 -text | grep -iA2 "Validity"
Connecting to x.x.x.x
depth=2 O=Smallstep, CN=Smallstep Root CA
verify return:1
depth=1 O=Smallstep, CN=Smallstep Intermediate CA
verify return:1
depth=0 CN=cert-challenge
verify return:1
DONE
        Validity
            Not Before: May 27 07:49:49 2025 GMT
            Not After : May 28 07:50:49 2025 GMT
>curl -X POST -H "Content-Type: application/json" -d '{"foo":"bar"}' cert-challenge/scep
{"allow":true}

Afterwards i added the webhook to my provisioner like so:

step ca provisioner webhook add scep scepchallenge --url 'https://cert-challenge/scep' --kind SCEPCHALLENGE

When i now try to request a certificate with the scep provisioner i recieve the error 2 - Failure; 2 - Bad Request; failed validating challenge password on the scep client. My webhook endpoint has not been called as far as i can see. The step server produces a corresponding log message on the step server:

INFO[0950] duration=18.374332ms duration-ns=18374332 error="failed validating challenge password" fields.time="2025-05-27T08:38:35Z" method=POST name=ca path="/scep/scep/pkiclient.exe?operation=PKIOperation" protocol=HTTP/1.1 referer= remote-address=x.x.x.x request-id=6a9e4285-b397-48a7-961e-9666471496ff size=1507 status=200 user-agent= user-id=

[Roiskia]

I tried looking through the source code to find out whats happening. I'm sorry if i misunderstood anything here, but i am not familiar with go.

As far as i can see the only place this error is produced is directly inside the api call to PKIOperation.
This only happens if the ValidateChallenge call gets an error from the Validate call thats not an ErrSCEPChallengeInvalid error.
So either failed creating new webhook request or failed executing webhook request, both of which do net seem to be logged.

[Roiskia]

In the meantime i went ahead and edited the PKIOperation to pass the error of ValidateChallenge to createFailureResponse.

This then logged the actual error and enabled me to figure out what went wrong. As it turns out the new scepErr thats currently used also obfuscates sever side errors like typos in the template used to generate a certificate.