[Freeipa-users] IPA 4.1.0 UI certificate confusion

Martin Kosek mkosek at redhat.com
Fri Nov 6 17:03:11 UTC 2015


On 11/06/2015 05:16 PM, Cal Sawyer wrote:
> Hello
>
> I became aware the other day that building new IPA infrastructure on CentOS6
> was seriously going to limit my ability to stay current with improvements, so
> I've rebuilt my primary and secondary IPA hosts on CentOS7 (one day apart).
> Installation went fine except that I cannot access one or the other host's UI
> (Error code: sec_error_reused_issuer_and_serial). This was never an issue in
> 3.0 where I could access either in the same browser session.

I rather think this is a problem of using the same browser against a reinstalled
FreeIPA, which has the same CA subject and the same serial as the CentOS6 IPA, but
a different cert.

Related thread:
https://www.redhat.com/archives/freeipa-users/2015-September/msg00298.html

Related ticket with workaround:
https://fedorahosted.org/freeipa/ticket/2016

> Using Firefox (38) and Chrome (46) I can access any one of the 2 hosts in any
> order on the first attempt (with Firefox only after deleting the previous
> host's cert) but the second host will always be inaccessible with
> ERR_SSL_SERVER_CERT_BAD_FORMAT. Chrome is similar, except it doesn't trust
> either host's certificate (red-crossed-out https in URL). I've confirmed this
> using a clean account as well. My working environment is CentOS 6.6.
>
> The Opera browser on the contrary sees both hosts equally well with zero complaints.
>
> Is this behaviour by design or ?

This is certainly not by design; I think it is all about the browser. Did you
try the new CentOS7 with a new browser, or at least with a fresh Firefox profile,
to see if it also gives you a cert error?
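
The condition described in this reply (same CA subject and same serial, but a different certificate) can be checked directly with the openssl command line. The script below is an added example, not part of the original thread or of FreeIPA; the function names, file names and the sample subject `O=EXAMPLE.TEST` are assumptions made for the demo.

```shell
#!/bin/sh
# Added example: detect "same issuer + same serial, different certificate",
# the condition behind sec_error_reused_issuer_and_serial.

# Print the issuer DN and serial number of a PEM certificate.
cert_issuer_serial() {
    openssl x509 -in "$1" -noout -issuer -serial
}

# Print the SHA-256 fingerprint of a PEM certificate.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256
}

# Exit 0 when two certificates collide: identical issuer and serial but
# different contents. Exit 1 otherwise (same certificate, or a different
# issuer/serial pair). Exit 2 if a file cannot be parsed.
reused_issuer_and_serial() {
    id_a=$(cert_issuer_serial "$1") || return 2
    id_b=$(cert_issuer_serial "$2") || return 2
    [ "$id_a" = "$id_b" ] || return 1
    [ "$(cert_fingerprint "$1")" != "$(cert_fingerprint "$2")" ]
}

# Constructed sample input: a throwaway self-signed CA with a chosen serial.
# The subject is made up; each call generates a fresh key, as a reinstall would.
make_sample_ca() {   # usage: make_sample_ca OUT.pem SERIAL
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/O=EXAMPLE.TEST/CN=Certificate Authority" \
        -set_serial "$2" -keyout "$1.key" -out "$1" 2>/dev/null &&
        rm -f "$1.key"
}

# Demo: two installs that share subject and serial but not the key.
demo() {
    dir=$(mktemp -d) || return 1
    make_sample_ca "$dir/old-install.pem" 1
    make_sample_ca "$dir/reinstall.pem" 1
    if reused_issuer_and_serial "$dir/old-install.pem" "$dir/reinstall.pem"; then
        echo "collision: same issuer and serial, different certificate"
    fi
    rm -rf "$dir"
}
```

To compare real certificates, save each one as a PEM file and pass the two paths to `reused_issuer_and_serial`; `demo` runs the check on the constructed pair.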



