[Freeipa-users] IPA 4.1.0 UI certificate confusion

Cal Sawyer cal-s at blue-bolt.com
Fri Nov 6 17:59:12 UTC 2015


Confirming that inclusion of a timestamped subject works well, Martin.  
Can open both instances in separate tabs of the same Firefox session.  Same 
is possible in Chrome, which dislikes the certs and does its red-cross thing.

Many thanks for this fix!

Cal Sawyer | Systems Engineer | BlueBolt Ltd


On 06/11/15 17:28, Cal Sawyer wrote:
> Hi, Martin
>
> Many thanks for this info
>
> My user and personal workstations have to remain on CentOS6 until IPA 
> is deployed across the board, when I think we might have better case 
> for migrating to EL7.  However, we also have loads of software with 
> complex dependencies in production that makes major version updates 
> precarious
>
> In answer to your question, yes, accessing these IPA servers from a 
> fresh user account that's never seen these sites before exhibits the 
> exact same issues whether in Firefox or Chrome - you get the first one 
> but the second (and 3rd, 4th - as many as you have) will block
>
> That idea of specifying a different timestamp in Subject when 
> installing secondary instances seems worth trying right now and will 
> report back
>
> cheers
>
> Cal Sawyer | Systems Engineer | BlueBolt Ltd
>
>
> On 06/11/15 17:03, Martin Kosek wrote:
>> On 11/06/2015 05:16 PM, Cal Sawyer wrote:
>>> Hello
>>>
>>> I became aware the other day that building new IPA infrastructure on 
>>> CentOS6
>>> was seriously going to limit my ability to stay current with 
>>> improvements, so
>>> I've rebuilt my primary and secondary IPA hosts on CentOS7 (one day 
>>> apart).
>>> Installation went fine except that I cannot access one or the other 
>>> host's UI
>>> (Error code: sec_error_reused_issuer_and_serial). This was never an 
>>> issue in
>>> 3.0 where I could access either in the same browser session
>>
>> I rather think this is a problem of using the same browser against 
>> reinstalled FreeIPA, which have the same CA subject and same serial 
>> as the CentOS6 IPA, but different cert.
>>
>> Related thread:
>> https://www.redhat.com/archives/freeipa-users/2015-September/msg00298.html 
>>
>>
>> Related ticket with workaround:
>> https://fedorahosted.org/freeipa/ticket/2016
>>
>>> Using Firefox (38) and Chrome (46) I can access any one of the 2 
>>> hosts in any
>>> order on the first attempt (with Firefox only after deleting the 
>>> previous
>>> host's cert) but the second host will always be inaccessible with
>>> ERR_SSL_SERVER_CERT_BAD_FORMAT. Chrome is similar, except it doesn't 
>>> trust
>>> either host's certificate (red-crossed-out https in URL). I've 
>>> confirmed this
>>> using a clean account as well.   My working environment is CentOS 6.6.
>>>
>>> The Opera browser on the contrary sees both hosts equally well with 
>>> zero complaints
>>>
>>> Is this behaviour by design or ?
>>
>> This is certainly not by design, I think it is all about the browser. 
>> Did you try the new CentOS7 with new browser or at least with a fresh 
>> Firefox profile, if it also gives you cert error?
>
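
The condition Martin describes in the thread (same CA subject and same serial, but a different certificate) can be checked on PEM files before a browser ever sees them. The script below is an added example, not part of the original thread or of FreeIPA; it assumes the `openssl` CLI is on the PATH, and the function names and the `EXAMPLE.TEST` subjects mentioned in the note after it are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): find certificates that share
# issuer + serial number but are not the same certificate.

# Print "issuer<TAB>serial<TAB>sha256 fingerprint" for one PEM certificate.
cert_key() (
    issuer=$(openssl x509 -in "$1" -noout -issuer -nameopt RFC2253) || exit 1
    serial=$(openssl x509 -in "$1" -noout -serial) || exit 1
    fp=$(openssl x509 -in "$1" -noout -fingerprint -sha256) || exit 1
    printf '%s\t%s\t%s\n' "${issuer#issuer=}" "${serial#serial=}" "${fp#*=}"
)

# Report every file whose issuer+serial matches an earlier file while the
# fingerprint differs. Returns 1 if any collision was found, 0 otherwise.
find_collisions() {
    for f in "$@"; do
        k=$(cert_key "$f") || { echo "skipping unreadable cert: $f" >&2; continue; }
        printf '%s\t%s\n' "$k" "$f"
    done | awk -F'\t' '
        { id = $1 FS $2 }
        (id in fp) && fp[id] != $3 {
            printf "COLLISION issuer=\"%s\" serial=%s: %s vs %s\n", $1, $2, file[id], $4
            n++
        }
        !(id in fp) { fp[id] = $3; file[id] = $4 }
        END { exit (n > 0) }'
}

# Constructed test input: a throwaway self-signed CA with a chosen subject
# and serial, standing in for the CA cert of a freshly installed server.
make_demo_ca() {  # $1 = output prefix, $2 = subject, $3 = serial
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "$2" \
        -set_serial "$3" -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

# Usage: sh check-ca-collision.sh old-ca.pem new-ca.pem [...]
if [ "$#" -gt 0 ]; then
    find_collisions "$@"
fi
```

Two demo CAs made with `make_demo_ca` using the same subject and serial 1 are reported as a collision; giving one of them a subject such as `/O=EXAMPLE.TEST 20151106/CN=Certificate Authority` (the timestamped-subject approach discussed above) makes the report come back clean.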
