[Freeipa-users] how to overcome same serial number in cert issue on different master servers?

Les Stott Less at imagine-sw.com
Wed Nov 12 04:15:34 UTC 2014


> -----Original Message-----
> From: Rob Crittenden [mailto:rcritten at redhat.com]
> Sent: Wednesday, 12 November 2014 6:33 AM
> To: Fraser Tweedale; Les Stott
> Cc: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] how to overcome same serial number in cert
> issue on different master servers?
> 
> Fraser Tweedale wrote:
> > On Tue, Nov 11, 2014 at 04:17:37AM +0000, Les Stott wrote:
> >>> -----Original Message-----
> >>> From: Fraser Tweedale [mailto:ftweedal at redhat.com]
> >>> Sent: Tuesday, 11 November 2014 1:59 PM
> >>> To: Les Stott
> >>> Cc: freeipa-users at redhat.com
> >>> Subject: Re: [Freeipa-users] how to overcome same serial number in
> >>> cert issue on different master servers?
> >>>
> >>> On Tue, Nov 11, 2014 at 02:11:55AM +0000, Les Stott wrote:
> >>>>> -----Original Message-----
> >>>>> From: Fraser Tweedale [mailto:ftweedal at redhat.com]
> >>>>> Sent: Tuesday, 11 November 2014 12:51 PM
> >>>>> To: Les Stott
> >>>>> Cc: freeipa-users at redhat.com
> >>>>> Subject: Re: [Freeipa-users] how to overcome same serial number in
> >>>>> cert issue on different master servers?
> >>>>>
> >>>>> On Tue, Nov 11, 2014 at 01:40:50AM +0000, Les Stott wrote:
> >>>>>> Hi,
> >>>>>>
> >>>>>> I have a standard rhel6 deployment for FreeIPA in two environments.
> >>>>>>
> >>>>>> One environment is in our Production Data Center, The Other in our DR Data Center.
> >>>>>>
> >>>>>> Both environments are setup with the same domain (mydomain.com) for FreeIPA. This is to support dr/failover etc.
> >>>>>>
> >>>>>> In each environment, there is a master. In Prod its serverA.mydomain.com, In DR its serverB.mydomain.com.
> >>>>>>
> >>>>>> The master in each environment gets a generated certificate by IPA. This certificate shows a Serial Number of "0A"
> >>>>>>
> >>>>>> My problem is that because the certificates have the same Organization, OU and Serial Number, I can only browse to one of them (using Firefox).
> >>>>>>
> >>>>>> If I browse to https://serverA.mydomain.com/ipa/ui/ and accept the certificate it works fine.
> >>>>>> If I then try to browse to https://serverB.mydomain.com/ipa/ui/ it comes up with the following error:
> >>>>>>
> >>>>>> "Your certificate contains the same serial number as another certificate issued by the certificate authority. Please get a new certificate containing a unique serial number. (Error code: sec_error_reused_issuer_and_serial)"
> >>>>>>
> >>>>>> If I remove the stored browser certificate for serverA, then browse to serverB, and accept the certificate, it works, but then the "same serial number" error pops up for browsing serverA.
> >>>>>>
> >>>>>> Note: both environments were built separately and are not linked in anyway (no replication between prod/dr).
> >>>>>>
> >>>>>> Is there a way to generate unique serial numbers for the masters?
> >>>>>>
> >>>>>> Thanks in advance,
> >>>>>>
> >>>>>> Les
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>> Hi Les,
> >>>>>
> >>>>> Ideally, you should prevent this situation by using different
> >>>>> common names
> >>>>> (CN) for your CAs and server certifications across the different
> >>>>> environments.  If this is not possible, you can configure the
> >>>>> Dogtag CA to use random serial numbers:
> >>>>>
> >>>>>
> >>>>> http://dogtagpki.org/wiki/Random_Certificate_Serial_Numbers#How_to_Use_Random_Certificate_Serial_Numbers
> >>>>>
> >>>>> This does not guarantee that you will not get serial number
> >>>>> collisions, but reduces the likelihood.
> >>>>>
> >>>>
> >>>> Thanks for the quick reply.
> >>>>
> >>>> In this case the common name is different between both environments.
> >>>> In prod the master was serverA, in DR the master was serverB. It just happened that way. So having a different CommonName doesn't help.
> >>>>
> >>> Do the CA certificates bear the same commonName?  This is probably
> >>> what Firefox uses to determine if there are serial number collisions.
> >>>
> >>
> >> It appears so.
> >>
> >> The certificate for the CA on the master serverA shows:
> >>
> >> Issued To
> >> Common Name (CN) serverA.mydomain.com
> >> Organization (O) mydomain.com
> >> Organizational Unit (OU) <Not part of certificate>
> >> Serial Number 0A
> >> Issued By:
> >> Common Name (CN) Certificate Authority
> >> Organization (O) mydomain.com
> >> Organizational Unit (OU) <Not part of certificate>
> >>
> >> The certificate for the CA on the master serverB shows:
> >>
> >> Issued To
> >> Common Name (CN) serverB.mydomain.com
> >> Organization (O) mydomain.com
> >> Organizational Unit (OU) <Not part of certificate>
> >> Serial Number 0A
> >> Issued By:
> >> Common Name (CN) Certificate Authority
> >> Organization (O) mydomain.com
> >> Organizational Unit (OU) <Not part of certificate>
> >>
> >>
> >> Shouldn't the Common Name of the CA be different? Or is it the same in order to make CA replication easier?
> >>
> > Both environments were probably set up with the same CN for the CA
> > (perhaps a default name).  I don't think this has anything to do with
> > replication.
> >
> >> Is there a way to re-issue certificates for the masters so they get unique serial numbers (without making the systems blow up)?
> >>
> > You can manually renew a certificate using Certmonger:
> >
> >
> > http://www.freeipa.org/page/Certmonger#Manually_renew_a_certificate
> >
> > You should enable random serial numbers before doing this.
> 
> The problem here isn't the server certs, it's the CA certs. He has two CA's
> with the same subjects and serial numbers claiming to be the same thing.
> 
> Honza added the ipa-cacert-manage command which can re-issue the CA
> certificate, but I forget if this is only available in 4.1 or also 4.0.
> 
> You probably only need to do this on one of the masters.
> 
> As Simo pointed out though, having two environments with the same realm
> should be avoided if possible.
> 
> rob

While both environments are identical in terms of domain names, they are separate in config and use. Hosts in prod only reference prod ipa servers. Hosts in DR only reference dr ipa servers.

The problem only arises with the cert because I use the same browser to browse each ipa server. It's the browser which cannot handle the same serial number/CA common name.

I don't believe this has any impact on ipa client hosts as they don't cross between prod and dr.

So, workarounds....

1. In prod, use https://<ipa-master>/ipa/ui/
   In DR, use https://<ipa-replica>/ipa/ui/
Or
2. Use Firefox to browse one master,
   Use Chrome to browse the other.

I had a quick look at randomizing dogtag serial numbers and manually renewing a certificate, tried it on a spare test server but couldn't get it to work (It is rhel6, ipa 3.0.0.37 and dogtag 9).

I can live with that for now.

In the not too distant future the next task will be a rhel7/ipa 4 upgrade. Looks like this issue will go away or be easier to manage in later versions.

I appreciate everyone's input on this.

Thanks,

Les
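The thread's diagnosis is that Firefox keys its sec_error_reused_issuer_and_serial check on the issuer name plus the serial number, so two unrelated CAs that both call themselves "Certificate Authority" and both hand out serial 0A collide even though the server names differ. The script below is an added example (not code from the thread, FreeIPA or Dogtag) that pulls exactly those two fields out of DER certificates with a small standard-library walker and reports any duplicates. The three sample certificates are constructed in memory with placeholder keys and no signature; the "renewed" serial 3F2A9C is a made-up value standing in for what a random-serial reissue would produce. The `load_pem` helper is there so the same check can be run on certificates exported from real servers.

```python
"""Check a set of certificates for (issuer, serial) collisions, the pair Firefox
keys sec_error_reused_issuer_and_serial on.  Added example, not code from the
thread or from FreeIPA/Dogtag; standard library only.  Sample certificates are
constructed here (unsigned, placeholder key) in real TBSCertificate field order,
so the parser reads real DER exactly the same way."""
import base64
import re

OID_CN, OID_O = bytes.fromhex("550403"), bytes.fromhex("55040a")  # 2.5.4.3, 2.5.4.10
OID_SHA256_RSA = bytes.fromhex("2a864886f70d01010b")             # 1.2.840.113549.1.1.11
OID_RSA = bytes.fromhex("2a864886f70d010101")                    # 1.2.840.113549.1.1.1


def _der(tag, body):
    """Encode one DER TLV with short- or long-form length."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def _der_int(value):
    """Non-negative INTEGER; a leading 0x00 is added when the top bit is set."""
    return _der(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def _der_name(cn, org):
    """Name ::= SEQUENCE OF RDN; RDN ::= SET OF SEQUENCE { OID, UTF8String }."""
    def attr(oid, text):
        return _der(0x31, _der(0x30, _der(0x06, oid) + _der(0x0C, text.encode())))
    return _der(0x30, attr(OID_CN, cn) + attr(OID_O, org))


def build_cert(serial, issuer_cn, issuer_org, subject_cn):
    """Constructed sample certificate: key and signature are placeholders only."""
    sig_alg = _der(0x30, _der(0x06, OID_SHA256_RSA) + b"\x05\x00")
    validity = _der(0x30, _der(0x17, b"141111000000Z") + _der(0x17, b"151111000000Z"))
    spki = _der(0x30, _der(0x30, _der(0x06, OID_RSA) + b"\x05\x00") + _der(0x03, b"\x00"))
    tbs = _der(0x30, _der(0xA0, _der_int(2)) + _der_int(serial) + sig_alg
               + _der_name(issuer_cn, issuer_org) + validity
               + _der_name(subject_cn, issuer_org) + spki)
    return _der(0x30, tbs + sig_alg + _der(0x03, b"\x00"))


def _read_tlv(buf, pos):
    """Return (tag, body_start, body_end) for the TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, pos, pos + length


def _parse_name(buf, start, end):
    """Flatten a Name to 'CN=...,O=...' (other attribute types shown as OID hex)."""
    labels = {OID_CN.hex(): "CN", OID_O.hex(): "O"}
    parts, pos = [], start
    while pos < end:
        _, rdn_start, rdn_end = _read_tlv(buf, pos)        # SET
        _, atv_start, _ = _read_tlv(buf, rdn_start)        # SEQUENCE
        _, oid_start, oid_end = _read_tlv(buf, atv_start)  # OID
        _, val_start, val_end = _read_tlv(buf, oid_end)    # value
        oid = buf[oid_start:oid_end].hex()
        parts.append(f"{labels.get(oid, oid)}={buf[val_start:val_end].decode('utf-8', 'replace')}")
        pos = rdn_end
    return ",".join(parts)


def issuer_and_serial(der_bytes):
    """Walk Certificate -> TBSCertificate; return (issuer DN, serial as hex like '0A')."""
    _, tbs_start, _ = _read_tlv(der_bytes, 0)              # Certificate
    _, pos, _ = _read_tlv(der_bytes, tbs_start)            # TBSCertificate
    tag, f_start, f_end = _read_tlv(der_bytes, pos)
    if tag == 0xA0:                                        # optional [0] version
        tag, f_start, f_end = _read_tlv(der_bytes, f_end)  # serialNumber INTEGER
    serial = f"{int.from_bytes(der_bytes[f_start:f_end], 'big'):02X}"
    _, _, alg_end = _read_tlv(der_bytes, f_end)            # signature AlgorithmIdentifier
    _, name_start, name_end = _read_tlv(der_bytes, alg_end)  # issuer Name
    return _parse_name(der_bytes, name_start, name_end), serial


def find_collisions(certs):
    """Group by (issuer, serial); any group larger than one is what Firefox rejects,
    however different the subject names are."""
    groups = {}
    for label, der_bytes in certs.items():
        groups.setdefault(issuer_and_serial(der_bytes), []).append(label)
    return {key: labels for key, labels in groups.items() if len(labels) > 1}


def load_pem(text):
    """Strip PEM armor and return DER bytes, for exported real certificates."""
    return base64.b64decode("".join(re.sub(r"-----[^-]+-----", "", text).split()))


# Constructed samples mirroring the thread: two unlinked CAs both named
# "Certificate Authority" under O=mydomain.com, both issuing serial 0A, plus a
# serverB certificate re-issued under a distinct (made-up) random serial.
SAMPLE_CERTS = {
    "serverA": build_cert(0x0A, "Certificate Authority", "mydomain.com", "serverA.mydomain.com"),
    "serverB": build_cert(0x0A, "Certificate Authority", "mydomain.com", "serverB.mydomain.com"),
    "serverB-renewed": build_cert(0x3F2A9C, "Certificate Authority", "mydomain.com", "serverB.mydomain.com"),
}

if __name__ == "__main__":
    for (issuer, serial), labels in find_collisions(SAMPLE_CERTS).items():
        print(f"collision: issuer={issuer!r} serial={serial}: {labels}")
```

Run against real exports with `issuer_and_serial(load_pem(open(path).read()))` for each environment's CA and server certificates. The point the output makes visible is that the subject CN never enters the key: serverA and serverB collide on ("CN=Certificate Authority,O=mydomain.com", "0A"), while the re-issued serverB certificate, with the same issuer but a different serial, does not. Giving the two CAs distinct names, or enabling random serials before renewing, changes one half of that key and clears the error.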
