Hmm, I do not see a "Trying to authenticate" line for Google-A or a "service 3: state" line in this net.log?

As per my understanding, the chrome extension manages installing certificates to the certificate manager. The extension fails to install corp certificates.
When should you see  "Trying to authenticate" line for Google-A in the log file?
after the certificates and everything loaded or before that? 

snanda@ - could you please help assign an owner to this. Thanks

Andrey, do you have any insights here?

> The extension fails to install corp certificates

Oh, that's a different issue.

I do see some possible attestation-related errors in /var/log/messages.  Did not compare to a known-good system so some of these might be normal:


2017-02-13T23:49:02.152791+00:00 ERR shill[892]: [ERROR:crypto_des_cbc.cc(103)] Unable to load key matter from /var/lib/whitelist/owner.key
2017-02-13T23:49:02.170838+00:00 ERR shill[892]: [ERROR:crypto_des_cbc.cc(103)] Unable to load key matter from /var/lib/whitelist/owner.key
2017-02-13T23:49:02.171243+00:00 ERR shill[892]: [ERROR:crypto_des_cbc.cc(103)] Unable to load key matter from /var/lib/whitelist/owner.key

2017-02-13T23:49:03.671930+00:00 INFO cryptohomed[987]: TPM error 0x2020 (Key not found in persistent storage): LoadKeyByUuid: failed LoadKeyByUUID

2017-02-13T23:49:04.815407+00:00 ERR cryptohomed[987]: stat() of /mnt/stateful_partition/unencrypted/preserve/attestation.epb failed.: No such file or directory
2017-02-13T23:49:04.815465+00:00 ERR cryptohomed[987]: Failed to read db: No such file or directory


2017-02-13T16:10:16.811047-08:00 INFO chapsd[815]: Starting PKCS #11 services.
2017-02-13T16:10:16.812463-08:00 INFO chapsd[815]: Starting D-Bus dispatcher.
2017-02-13T16:10:16.814141-08:00 INFO chapsd[815]: Starting asynchronous initialization.
2017-02-13T16:10:16.839287-08:00 INFO chapsd[815]: Adding slot: 0
2017-02-13T16:10:16.839306-08:00 INFO chapsd[815]: Adding slot: 1
2017-02-13T16:10:16.839480-08:00 WARNING chapsd[815]: SRK does not exist - this is normal when the TPM is not yet owned.
2017-02-13T16:10:16.840019-08:00 INFO kernel: [    2.845791] tpm_tis tpm_tis: command 0x46 (size 14) returned code 0x0
2017-02-13T16:10:16.839567-08:00 WARNING chapsd[815]: SRK does not exist - this is normal when the TPM is not yet owned.


2017-02-13T16:51:11.457775-08:00 INFO cryptohomed[1033]: Key not found: attest-ent-user

2017-02-13T16:51:14.144494-08:00 INFO cryptohomed[1033]: Attestation: Certified key credential received and stored.

Re #5: Hmm, those particular lines are fine assuming TPM was not owned before that boot. The "Key not found: attest-ent-user" + "Attestation: Certified key credential received and stored." actually indicate successful installation of the network certificate.

A few questions: 
1) Is the device corp enrolled?
2) What network certificate is being downloaded? 
3) What does it show if navigating to go/uberproxyz after installing the network certificate?

Note: The problem wasn observed on devices which suffered a delay of ~1 minute at boot time ( Issue 682578 ). This is possibly completely unrelated, but since the fixes for the boot time regression have landed in M57 it might be worth to re-test with the next M57 build just in case.

What I see from the logs so far:

1) First boot after clearing the device. 02/13, 15:48:59 -08:00. TPM is not owned. Ownership is not initiated. Rebooted at 16:10:12.

2) Next boot. 02/13, 16:10:16 -08:00. Sits idle until 16:45:40, after which OOBE starts?

Successfully take ownership of TPM and prepare for attestation soon after that:
2017-02-13T16:46:11.527581-08:00 ERR cryptohomed[1033]: TPM initialization took 2650ms
2017-02-13T16:46:20.242331-08:00 INFO cryptohomed[1033]: Attestation: Prepared successfully (7986ms).

InstallAttributes created:
2017-02-13T16:46:46.740480-08:00 INFO cryptohomed[1033]: InstallAttributes have been finalized.

3) Successfully enrolled:
2017-02-13T16:46:46.942999-08:00 INFO cryptohomed[1033]: Key not found: attest-ent-machine
2017-02-13T16:46:48.996924-08:00 INFO cryptohomed[1033]: Attestation: Enrollment complete.
2017-02-13T16:46:51.657741-08:00 INFO cryptohomed[1033]: Attestation: Certified key credential received and stored.

4) Downloaded network cert for the user 3 times:
2017-02-13T16:49:04.369045-08:00 INFO cryptohomed[1033]: Key not found: attest-ent-user
2017-02-13T16:49:07.194422-08:00 INFO cryptohomed[1033]: Attestation: Certified key credential received and stored.

2017-02-13T16:49:19.761519-08:00 INFO cryptohomed[1033]: Key not found: attest-ent-user
2017-02-13T16:49:22.412334-08:00 INFO cryptohomed[1033]: Attestation: Certified key credential received and stored.

2017-02-13T16:51:11.457775-08:00 INFO cryptohomed[1033]: Key not found: attest-ent-user
2017-02-13T16:51:14.144494-08:00 INFO cryptohomed[1033]: Attestation: Certified key credential received and stored.

No errors after that.

Oh, and question #4, just in case, does the device boot in normal mode? In dev mode, network cert download will be refused, and thus it can't be used for Google-A.
If it was gECC, not GMC downloaded, that will be allowed in dev mode (at least, used to be). But I'm not sure if gECC allows using Google-A.

Oh, wait, just read comment #2. If corp certificate was not installed, then no wonder the device can't connect to Google-A.

Just in case, to clarify what's meant by "The extension fails to install corp certificates.":

Am I right that the user sees the "Obtain network certificate" dialogue, clicks "Get new certificate", sees the "You requested to install a network certificate! Click to install" popup, clicks on the popup, but then it fails?

What is the displayed error? What information does it provide if clicking on "Debug info" in that popup?

Cannot reproduce this issue anymore on Tricky with the same build. Will reopen, If I see it.