[Freeipa-users] sec_error_reused_issuer_and_serial

Fraser Tweedale ftweedal at redhat.com
Wed Sep 23 00:59:19 UTC 2015 

On Tue, Sep 22, 2015 at 09:52:38PM +0000, Les Stott wrote:
> The only way to get around it, because you are using the same
> domain name, is to use different browsers to visit each site.
> Firefox for sitea, chrome for siteb.
> 
It is not the only way; you can flush your browser cache / offline
data for the site and cause the browswer to forget about the issuer.
Certainly with Firefox this is possible (I don't use Chromium).

Or you can use separate Firefox profiles (again I am unsure if
Chromium has this feature) for the separate installations.

Or for installations / experimentation, you can specify a different
"Organization" component of the root issuer DN when installing
FreeIPA.  I include a "timestamp" when installing test servers:

    ipa-server-install --subject 'O=IPA.LOCAL 201508311610'

Hope that helps!
Fraser

> It's got to do with the fact that the Parent certificate name (generated automatically during install) is the same on both and because the domain matches then firefox throws the ssl warning.
> 
> I have the same thing in my environments for production and dr where the domain name is the same in both.
> 
> Regards,
> 
> Les
> 
> From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Winfried de Heiden
> Sent: Tuesday, 22 September 2015 10:27 PM
> To: freeipa-users at redhat.com
> Subject: [Freeipa-users] sec_error_reused_issuer_and_serial
> 
> Hi all,
> 
> Playing around with freeipa on Fedora 22 after installing I cannot access the UI. Firefox will tell "sec_error_reused_issuer_and_serial".
> 
> I allready have an Freeipa (Fedora 21 based) and somewhere there seems to be a conflict in the certificates. After using a different domain name all goes well.
> 
> I want to test and try a few things on a test Freeipa server using the same domain name. Deleting all certicates in Firefox or even trying a new and clean profile did not help. How can I avoid this conflict?
> 
> Winfried
> 

> -- 
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project

More information about the Freeipa-users mailing list