[Freeipa-users] IPA 4.1.0 UI certificate confusion

Cal Sawyer cal-s at blue-bolt.com
Fri Nov 6 17:28:41 UTC 2015 

Hi, Martin

Many thanks for this info

My user and personal workstations have to remain on CentOS6 until IPA is 
deployed across the board, when i think we might have better case for 
migrating to EL7.  However, we also have loads of software with complex 
dependencies in production that makes major version updates precarious

In answer to your question, yes, accessing these IPA servers from a 
fresh user account that's never seen these sites before exhibits the 
exact same issues whether in Firefox or Chrome - you ge the first one 
but the second (and 3rd, 4th - as many as you have) will block

That idea of specifying a different timestamp in Subject when installing 
secondary instances seems worth trying right now and will report back

cheers

Cal Sawyer | Systems Engineer | BlueBolt Ltd


On 06/11/15 17:03, Martin Kosek wrote:
> On 11/06/2015 05:16 PM, Cal Sawyer wrote:
>> Hello
>>
>> I became aware the other day that building new IPA infrastructure on 
>> CentOS6
>> was seriously going to limit my ability to stay current with 
>> improvements, so
>> i've rebuilt my primary and secondary IPA hosts on CentOS7 (one day 
>> apart).
>> Installation went fine except that i cannot access one or the other 
>> host's UI
>> (Error code: sec_error_reused_issuer_and_serial). This was never an 
>> issue in
>> 3.0 where i could access either in the same browser session
>
> I rather think this is a problem of using the same browser against 
> reinstalled FreeIPA, which have the same CA subject and same serial as 
> the CentOS6 IPA, but different cert.
>
> Related thread:
> https://www.redhat.com/archives/freeipa-users/2015-September/msg00298.html 
>
>
> Related ticket with workaround:
> https://fedorahosted.org/freeipa/ticket/2016
>
>> Using Firefox (38) and Chrome (46) I can access any one of the 2 
>> hosts in any
>> order on the first attempt (with Firefox only after deleting the 
>> previous
>> host's cert) but the second host will always be inaccessible with
>> ERR_SSL_SERVER_CERT_BAD_FORMAT. Chrome is similar, except it doesn't 
>> trust
>> either host's certificate (red-crossed-out https in URL).  I've 
>> confirmed this
>> using a clean account as well.   My working environment is CentOS 6.6.
>>
>> The Opera browser on the contrary sees both hosts equally well with 
>> zero complaints
>>
>> Is this behaviour by design or ?
>
> This is certainly not by design, I think it is all about the browser. 
> Did you try the new CentOS7 with new browser or at least with a fresh 
> Firefox profile, if it also gives you cert error?

More information about the Freeipa-users mailing list