[Freeipa-users] IPA 4.1.0 UI certificate confusion
Cal Sawyer
cal-s at blue-bolt.com
Fri Nov 6 17:59:12 UTC 2015
Confirming that inclusion of a timestamped subject works well, Martin.
Can open both instances in separate tabs in the same Firefox session. Same
is possible in Chrome, which dislikes the certs and does its red-cross thing.

Many thanks for this fix!

Cal Sawyer | Systems Engineer | BlueBolt Ltd
On 06/11/15 17:28, Cal Sawyer wrote:
> Hi, Martin
>
> Many thanks for this info
>
> My user and personal workstations have to remain on CentOS6 until IPA
> is deployed across the board, when I think we might have a better case
> for migrating to EL7. However, we also have loads of software with
> complex dependencies in production that make major version updates
> precarious
>
> In answer to your question, yes, accessing these IPA servers from a
> fresh user account that's never seen these sites before exhibits the
> exact same issues whether in Firefox or Chrome - you get the first one
> but the second (and 3rd, 4th - as many as you have) will block
>
> That idea of specifying a different timestamp in Subject when
> installing secondary instances seems worth trying right now and will
> report back
>
> cheers
>
> Cal Sawyer | Systems Engineer | BlueBolt Ltd
>
>
> On 06/11/15 17:03, Martin Kosek wrote:
>> On 11/06/2015 05:16 PM, Cal Sawyer wrote:
>>> Hello
>>>
>>> I became aware the other day that building new IPA infrastructure on CentOS6
>>> was seriously going to limit my ability to stay current with improvements, so
>>> I've rebuilt my primary and secondary IPA hosts on CentOS7 (one day apart).
>>> Installation went fine except that I cannot access one or the other host's UI
>>> (Error code: sec_error_reused_issuer_and_serial). This was never an issue in
>>> 3.0 where I could access either in the same browser session
>>
>> I rather think this is a problem of using the same browser against a
>> reinstalled FreeIPA, which has the same CA subject and same serial
>> as the CentOS6 IPA, but a different cert.
>>
>> Related thread:
>> https://www.redhat.com/archives/freeipa-users/2015-September/msg00298.html
>>
>>
>> Related ticket with workaround:
>> https://fedorahosted.org/freeipa/ticket/2016
>>
>>> Using Firefox (38) and Chrome (46) I can access any one of the 2 hosts in any
>>> order on the first attempt (with Firefox only after deleting the previous
>>> host's cert) but the second host will always be inaccessible with
>>> ERR_SSL_SERVER_CERT_BAD_FORMAT. Chrome is similar, except it doesn't trust
>>> either host's certificate (red-crossed-out https in URL). I've confirmed this
>>> using a clean account as well. My working environment is CentOS 6.6.
>>>
>>> The Opera browser on the contrary sees both hosts equally well with
>>> zero complaints
>>>
>>> Is this behaviour by design or ?
>>
>> This is certainly not by design, I think it is all about the browser.
>> Did you try the new CentOS7 with new browser or at least with a fresh
>> Firefox profile, if it also gives you cert error?
>
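
The condition discussed in this thread (two different certificates carrying the same issuer and serial) can be checked for across a set of PEM files before a browser trips over it. The script below is an added example, not part of the original messages or of FreeIPA; it uses throwaway OpenSSL CAs as stand-ins for separate installs, and the subjects, hostnames, serial and the date-in-subject format are all constructed assumptions.

```shell
#!/usr/bin/env bash
# Constructed demo: every subject, hostname and serial below is made up.

# Print "issuer<TAB>serial<TAB>sha256 fingerprint" for one PEM certificate.
cert_key() {
  local issuer serial fp
  issuer=$(openssl x509 -in "$1" -noout -issuer)
  serial=$(openssl x509 -in "$1" -noout -serial)
  fp=$(openssl x509 -in "$1" -noout -fingerprint -sha256)
  printf '%s\t%s\t%s\n' "${issuer#issuer=}" "${serial#serial=}" "${fp#*=}"
}

# Count issuer+serial pairs shared by more than one distinct certificate.
count_collisions() {
  local f
  for f in "$@"; do cert_key "$f"; done | sort -u |
    awk -F'\t' '{ n[$1 FS $2]++ }
                END { for (k in n) if (n[k] > 1) c++; print c + 0 }'
}

# Stand-in for one install: a throwaway CA with the given subject that
# issues a single server certificate with the given serial.
make_install() {  # args: dir, CA subject, serial, hostname
  mkdir -p "$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "$2" \
    -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$4" \
    -keyout "$1/srv.key" -out "$1/srv.csr" 2>/dev/null
  openssl x509 -req -in "$1/srv.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
    -set_serial "$3" -days 1 -out "$1/srv.pem" 2>/dev/null
}

demo() {
  local d; d=$(mktemp -d)
  make_install "$d/a" "/O=EXAMPLE.TEST/CN=Certificate Authority" 9 ipa1.example.test
  make_install "$d/b" "/O=EXAMPLE.TEST/CN=Certificate Authority" 9 ipa2.example.test
  make_install "$d/c" "/O=EXAMPLE.TEST 20151106/CN=Certificate Authority" 9 ipa2.example.test
  echo "identical CA subject:   $(count_collisions "$d/a/srv.pem" "$d/b/srv.pem") collision(s)"
  echo "timestamped CA subject: $(count_collisions "$d/a/srv.pem" "$d/c/srv.pem") collision(s)"
  rm -rf "$d"
}
demo
```

Pointing `count_collisions` at certificates exported from each server shows whether a browser with a shared certificate store would see a reused issuer and serial.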