[Freeipa-users] sec_error_reused_issuer_and_serial

Fraser Tweedale ftweedal at redhat.com
Wed Sep 23 05:55:02 UTC 2015


On Wed, Sep 23, 2015 at 02:54:29AM +0000, Les Stott wrote:
> 
> 
> > -----Original Message-----
> > From: Fraser Tweedale [mailto:ftweedal at redhat.com]
> > Sent: Wednesday, 23 September 2015 10:59 AM
> > To: Les Stott
> > Cc: Winfried de Heiden; freeipa-users at redhat.com
> > Subject: Re: [Freeipa-users] sec_error_reused_issuer_and_serial
> > 
> > On Tue, Sep 22, 2015 at 09:52:38PM +0000, Les Stott wrote:
> > > The only way to get around it, because you are using the same domain
> > > name, is to use different browsers to visit each site.
> > > Firefox for sitea, chrome for siteb.
> > >
> > It is not the only way; you can flush your browser cache / offline data for the
> > site and cause the browser to forget about the issuer.
> > Certainly with Firefox this is possible (I don't use Chromium).
> > 
> 
> This never worked for me. Or if it did, it made siteb accessible, but then sitea had the ssl error and vice versa.
> 
Yes, you have to keep doing it; it is not a permanent fix :)

> > Or you can use separate Firefox profiles (again I am unsure if Chromium has
> > this feature) for the separate installations.
> > 
> > Or for installations / experimentation, you can specify a different
> > "Organization" component of the root issuer DN when installing FreeIPA.  I
> > include a "timestamp" when installing test servers:
> > 
> >     ipa-server-install --subject 'O=IPA.LOCAL 201508311610'
> 
> Never knew about that option. It would make sense if something like that was the default I think....
> 
I don't think we want it as a default.  A `--test' flag that injects
a timestamp or some randomness into the DN might be worthwhile.

Cheers,
Fraser

> Thanks for the info.
> 
> Regards,
> 
> Les
> 
> > 
> > Hope that helps!
> > Fraser
> > 
> > > It's got to do with the fact that the Parent certificate name (generated
> > automatically during install) is the same on both and because the domain
> > matches then firefox throws the ssl warning.
> > >
> > > I have the same thing in my environments for production and dr where the
> > domain name is the same in both.
> > >
> > > Regards,
> > >
> > > Les
> > >
> > > From: freeipa-users-bounces at redhat.com
> > > [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Winfried de
> > > Heiden
> > > Sent: Tuesday, 22 September 2015 10:27 PM
> > > To: freeipa-users at redhat.com
> > > Subject: [Freeipa-users] sec_error_reused_issuer_and_serial
> > >
> > > Hi all,
> > >
> > > Playing around with freeipa on Fedora 22 after installing I cannot access the
> > UI. Firefox will tell "sec_error_reused_issuer_and_serial".
> > >
> > > I already have a Freeipa (Fedora 21 based) and somewhere there seems
> > to be a conflict in the certificates. After using a different domain name all
> > goes well.
> > >
> > > I want to test and try a few things on a test Freeipa server using the same
> > domain name. Deleting all certificates in Firefox or even trying a new and clean
> > profile did not help. How can I avoid this conflict?
> > >
> > > Winfried
> > >
> > 
> 
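
The condition behind sec_error_reused_issuer_and_serial, two different certificates carrying the same issuer DN and serial number, can be checked with the openssl CLI before a browser ever sees both installations. This is an added example, not part of the thread or of FreeIPA: the function names are hypothetical, and the throwaway CA subjects and serial 1 are constructed sample values modelled on the `--subject` string quoted above.

```shell
#!/usr/bin/env bash
# Added example: constructed throwaway CAs, not real FreeIPA certificates.
# Assumes the openssl command-line tool is installed.
set -eu

# make_ca DIR SUBJECT SERIAL: create a self-signed CA cert with a chosen
# subject DN and serial number (for a self-signed cert, issuer == subject).
make_ca() {
    mkdir -p "$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "$2" -set_serial "$3" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# issuer_serial CERT: print the (issuer, serial) pair of a certificate.
issuer_serial() {
    openssl x509 -in "$1" -noout -issuer -serial
}

# collides A B: succeed only when A and B are *different* certificates
# (different SHA-256 fingerprints) that share issuer DN and serial number.
collides() {
    [ "$(issuer_serial "$1")" = "$(issuer_serial "$2")" ] &&
    [ "$(openssl x509 -in "$1" -noout -fingerprint -sha256)" != \
      "$(openssl x509 -in "$2" -noout -fingerprint -sha256)" ]
}

demo() {
    tmp=$(mktemp -d)
    # Two installs with the same default-style subject, one with a
    # timestamp in the O component as suggested in the thread.
    make_ca "$tmp/prod" '/O=IPA.LOCAL/CN=Certificate Authority' 1
    make_ca "$tmp/dr"   '/O=IPA.LOCAL/CN=Certificate Authority' 1
    make_ca "$tmp/test" '/O=IPA.LOCAL 201508311610/CN=Certificate Authority' 1
    for other in dr test; do
        if collides "$tmp/prod/ca.crt" "$tmp/$other/ca.crt"; then
            echo "prod vs $other: COLLISION (same issuer+serial, different cert)"
        else
            echo "prod vs $other: ok"
        fi
    done
    rm -rf "$tmp"
}

demo
```

Pointing `collides` at the CA certificates exported from two real installations gives the same answer for them.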