[Freeipa-users] how to overcome same serial number in cert issue on different master servers?

Simo Sorce simo at redhat.com
Tue Nov 11 19:27:49 UTC 2014


On Tue, 11 Nov 2014 14:19:02 -0500
Simo Sorce <simo at redhat.com> wrote:

> On Tue, 11 Nov 2014 04:17:37 +0000
> Les Stott <Less at imagine-sw.com> wrote:
> 
> > > -----Original Message-----
> > > From: Fraser Tweedale [mailto:ftweedal at redhat.com]
> > > Sent: Tuesday, 11 November 2014 1:59 PM
> > > To: Les Stott
> > > Cc: freeipa-users at redhat.com
> > > Subject: Re: [Freeipa-users] how to overcome same serial number in
> > > cert issue on different master servers?
> > > 
> > > On Tue, Nov 11, 2014 at 02:11:55AM +0000, Les Stott wrote:
> > > > > -----Original Message-----
> > > > > From: Fraser Tweedale [mailto:ftweedal at redhat.com]
> > > > > Sent: Tuesday, 11 November 2014 12:51 PM
> > > > > To: Les Stott
> > > > > Cc: freeipa-users at redhat.com
> > > > > Subject: Re: [Freeipa-users] how to overcome same serial
> > > > > number in cert issue on different master servers?
> > > > >
> > > > > On Tue, Nov 11, 2014 at 01:40:50AM +0000, Les Stott wrote:
> > > > > > Hi,
> > > > > >
> > > > > > I have a standard rhel6 deployment for FreeIPA in two
> > > > > > environments.
> > > > > >
> > > > > > One environment is in our Production Data Center, The Other
> > > > > > in our DR
> > > > > Data Center.
> > > > > >
> > > > > > Both environments are set up with the same domain
> > > > > > (mydomain.com) for FreeIPA. This is to support dr/failover etc.
> > > > > >
> > > > > > In each environment, there is a master. In Prod it's
> > > > > > serverA.mydomain.com, in DR it's serverB.mydomain.com.
> > > > > >
> > > > > > The master in each environment gets a generated certificate
> > > > > > by IPA. This
> > > > > certificate shows a Serial Number of "0A"
> > > > > >
> > > > > > My problem is that because the certificates have the same
> > > > > > Organization,
> > > > > OU and Serial Number, I can only browse to one of them (using
> > > > > Firefox).
> > > > > >
> > > > > > If I browse to https://serverA.mydomain.com/ipa/ui/ and
> > > > > > accept the
> > > > > certificate it works fine.
> > > > > > If I then try to browse to
> > > > > > https://serverB.mydomain.com/ipa/ui/ it comes
> > > > > up with the following error:
> > > > > >
> > > > > > "Your certificate contains the same serial number as another
> > > > > > certificate
> > > > > issued by the certificate authority. Please get a new
> > > > > certificate containing a unique serial number. (Error code:
> > > sec_error_reused_issuer_and_serial)"
> > > > > >
> > > > > > If I remove the stored browser certificate for serverA, then
> > > > > > browse to
> > > > > serverB, and accept the certificate, it works, but then the
> > > > > "same serial number" error pops up for browsing serverA.
> > > > > >
> > > > > > Note: both environments were built separately and are not
> > > > > > linked in any way (no replication between prod/dr).
> > > > > >
> > > > > > Is there a way to generate unique serial numbers for the
> > > > > > masters?
> > > > > >
> > > > > > Thanks in advance,
> > > > > >
> > > > > > Les
> > > > > >
> > > > > >
> > > > > >
> > > > > Hi Les,
> > > > >
> > > > > Ideally, you should prevent this situation by using different
> > > > > common names
> > > > > (CN) for your CAs and server certifications across the
> > > > > different environments.  If this is not possible, you can
> > > > > configure the Dogtag CA to use random serial numbers:
> > > > >
> > > > >
> > > > > http://dogtagpki.org/wiki/Random_Certificate_Serial_Numbers#How_to_Use_Random_Certificate_Serial_Numbers
> > > > >
> > > > > This does not guarantee that you will not get serial number
> > > > > collisions, but reduces the likelihood.
> > > > >
> > > >
> > > > Thanks for the quick reply.
> > > >
> > > > In this case the common name is different between both
> > > > environments. In prod the master was serverA, in DR the master
> > > > was serverB. It just happened that way. So having a different
> > > > CommonName doesn't help.
> > > >
> > > Do the CA certificates bear the same commonName?  This is probably
> > > what Firefox uses to determine if there are serial number
> > > collisions.
> > > 
> > 
> > It appears so.
> > 
> > The certificate for the CA on the master serverA shows:
> > 
> > Issued To
> > Common Name (CN) serverA.mydomain.com
> > Organization (O) mydomain.com
> > Organizational Unit (OU) <Not part of certificate>
> > Serial Number 0A
> > Issued By:
> > Common Name (CN) Certificate Authority
> > Organization (O) mydomain.com
> > Organizational Unit (OU) <Not part of certificate>
> > 
> > The certificate for the CA on the master serverB shows:
> > 
> > Issued To
> > Common Name (CN) serverB.mydomain.com
> > Organization (O) mydomain.com
> > Organizational Unit (OU) <Not part of certificate>
> > Serial Number 0A
> > Issued By:
> > Common Name (CN) Certificate Authority
> > Organization (O) mydomain.com
> > Organizational Unit (OU) <Not part of certificate>
> > 
> > 
> > Shouldn't the Common Name of the CA be different? Or is it the same
> > in order to make CA replication easier?
> > 
> > Is there a way to re-issue certificates for the masters so they get
> > unique serial numbers (without making the systems blow up)?
> 
> It is strongly advised not to use the same domain/realm name for 2
> different IPA installations; there are a ton of weird and extremely
> hard to debug errors that will come your way if you do so,
> *especially* if you have clients that access both environments.
> 
> A better scheme would be to use mydomain.com for prod and
> dr.mydomain.com for the other.

Oh, I just realized that in your first email you said you used the
same name for failover/disaster recovery.

This will *not* work as well as you think. All certificates and all
Kerberos keys will fail to work if you create 2 domains that just
happen to have the same name, but really have different CA keys and
Kerberos keys.

HTH,
Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
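Added example (not from the thread or the FreeIPA/Dogtag code): a stdlib-only check for the issuer DN plus serial number collision that Firefox reports as sec_error_reused_issuer_and_serial, so an operator can scan a set of DER certificates before a browser does. The DER walker follows the real RFC 5280 Certificate layout; the sample certificates are constructed skeletons (dummy validity, key and signature) mirroring the thread's two CAs, and the helper names (`find_collisions`, `fake_cert`, `name`) are my own.

```python
from collections import defaultdict

def der_len(n):                      # DER length octets, short or long form
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, 'big')
    return bytes([0x80 | len(body)]) + body
def tlv(tag, body):                  # one DER tag-length-value element
    return bytes([tag]) + der_len(len(body)) + body

def read_tlv(buf, pos=0):            # -> (tag, value, position after element)
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                    # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], 'big'), pos + n
    return tag, buf[pos:pos + ln], pos + ln
def issuer_and_serial(cert_der):     # Certificate -> tbsCertificate (RFC 5280)
    _, tbs, _ = read_tlv(read_tlv(cert_der)[1])
    tag, val, pos = read_tlv(tbs)
    if tag == 0xA0:                  # optional [0] EXPLICIT version comes first
        tag, val, pos = read_tlv(tbs, pos)
    assert tag == 0x02, "serialNumber INTEGER expected"
    serial = int.from_bytes(val, 'big', signed=True)
    _, _, pos = read_tlv(tbs, pos)   # skip signature AlgorithmIdentifier
    return read_tlv(tbs, pos)[1], serial   # issuer Name (still DER), serial

def find_collisions(certs):          # labels grouped by (issuer, serial), >1 only
    seen = defaultdict(list)
    for label, der in certs.items():
        seen[issuer_and_serial(der)].append(label)
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}

def name(cn, o):                     # constructed X.501 Name: O, then CN
    rdn = lambda oid, s: tlv(0x31, tlv(0x30, tlv(0x06, oid) + tlv(0x0C, s.encode())))
    return tlv(0x30, rdn(b'\x55\x04\x0a', o) + rdn(b'\x55\x04\x03', cn))

def fake_cert(serial, issuer, subject):   # real DER layout, dummy key/signature
    ser = serial.to_bytes(serial.bit_length() // 8 + 1, 'big')
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b'\x02')) + tlv(0x02, ser)
              + tlv(0x30, tlv(0x06, b'\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b'))
              + issuer + tlv(0x30, b'') + subject + tlv(0x30, b''))
    return tlv(0x30, tbs + tlv(0x30, b'') + tlv(0x03, b'\x00'))

# Constructed sample: two independently built CAs that share the DN
# "CN=Certificate Authority,O=mydomain.com" and both issued serial 0x0A.
CA = name('Certificate Authority', 'mydomain.com')
CERTS = {
    'serverA': fake_cert(0x0A, CA, name('serverA.mydomain.com', 'mydomain.com')),
    'serverB': fake_cert(0x0A, CA, name('serverB.mydomain.com', 'mydomain.com')),
}
```

Changing either the issuer DN (a distinct realm such as dr.mydomain.com) or the serial clears the collision; a different subject CN alone, as the thread found, does not.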



