[Freeipa-users] Duplicate serials in issued ipa certs

wouter.hummelink at kpn.com wouter.hummelink at kpn.com
Mon Jul 4 07:40:35 UTC 2016


I haven't had time to get back on this, but I still have this issue with a few certificates having been issued with identical serials.
Since the API busts on any resource hit by this, I'm at a bit of a loss as to how to proceed.

I've tried manually deleting the offending certificate from the host, but can't seem to figure out how to have ldapmodify accept the change.



-----Original Message-----
From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of wouter.hummelink at kpn.com
Sent: Monday 9 May 2016 07:49
To: ftweedal at redhat.com
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Duplicate serials in issued ipa certs

All 4 of our ipa servers are RHEL7.2 with IPA 4.2.
Last August the original CA master was damaged, so I moved the CRL role to another server, decommissioned the machine, deleted all the replication agreements and rebuilt the machine.

That machine now appears to have issued the certs that have duplicated serials.
My immediate problem now is however that I can't deprovision the machine that one of these certs was issued for, nor can I revoke the certs.

What would be the proper way to remove these certs from ldap?

-----Original Message-----
From: Fraser Tweedale [mailto:ftweedal at redhat.com]
Sent: Monday 9 May 2016 01:10
To: Hummelink, Wouter
CC: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Duplicate serials in issued ipa certs

On Fri, May 06, 2016 at 11:33:10AM +0000, wouter.hummelink at kpn.com wrote:
> Hello,
> 
> I discovered today that our IPA CA has been issuing certs with 
> duplicate serials, causing issues in several ways when dealing with 
> hosts that have such a cert in place. (Complaints about duplicate serials.) Removing the offending cert from the host results in the same type of error. These all seem to have been issued from the server that in the past was reinstalled with the same hostname.
> 
Can you please describe the history of the server in more detail?
(i.e. what do you mean by "was reinstalled" - including whether it was a replica, etc).  Also, which FreeIPA version(s) are you using?

Thanks,
Fraser

> ipa host-show app
> ipa: ERROR: Certificate format error: (SEC_ERROR_REUSED_ISSUER_AND_SERIAL) You are attempting to import a cert with the same issuer/serial as an existing cert, but that is not the same cert.
> 
> IPA cert-find indeed shows 2 issued certs with the same serial 
> (several actually)
> 
> (anonymized)
>   Serial number (hex): 0xFFF0007
>   Serial number: 268369927
>   Status: VALID
>   Subject: CN=app.example.org,O=EXAMPLE.ORG
> 
>   Serial number (hex): 0xFFF0007
>   Serial number: 268369927
>   Status: VALID
>   Subject: CN=ipa.example.org,O=EXAMPLE.ORG
> 
> The ipa client won't let me revoke or otherwise kill these certs with the same error.
> What to do?
> 
> Kind regards,
> 
> Wouter Hummelink
> Cloud Engineer
> KPN IT Solutions
> Platform Organisation Cloud Services
> Mail: wouter.hummelink at kpn.com
> Phone: +31 (0)6 1288 2447
> Save Paper - Do you really need to print this e-mail?
> **********************************************************************
> KPN IT SOLUTIONS is the trade name for KPN Corporate Market BV, Handelsregister 52959597 Amsterdam
> The information transmitted is intended only for use by the addressee and may contain confidential and/or privileged material.
> Any review, re-transmission, dissemination or other use of it, or the taking of any action in reliance upon this information by persons and/or entities other than the intended recipient is prohibited. If you received this in error, please inform the sender and/or addressee immediately and delete the material. Thank you.
> **********************************************************************
> 

> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
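As an added illustration, not part of this thread and not FreeIPA's own tooling: a small Python script that groups `ipa cert-find` records by serial number to list the duplicates the thread describes, and builds the LDIF for removing one certificate value from a host entry with ldapmodify. The cert-find sample below is constructed, the base64 certificate values are placeholders, and the host DN layout (fqdn=<host>,cn=computers,cn=accounts,<basedn>) and the userCertificate;binary attribute are assumptions about the FreeIPA schema rather than anything stated in the thread.

```python
import re
import sys
from collections import defaultdict

# Constructed sample in the shape of `ipa cert-find --all` output; the
# "Certificate:" values are placeholders, not real base64 DER.
SAMPLE_CERT_FIND = """\
  Serial number (hex): 0xFFF0007
  Serial number: 268369927
  Status: VALID
  Subject: CN=app.example.org,O=EXAMPLE.ORG
  Certificate: MIIBaaaAAA

  Serial number (hex): 0xFFF0007
  Serial number: 268369927
  Status: VALID
  Subject: CN=ipa.example.org,O=EXAMPLE.ORG
  Certificate: MIIBbbbBBB

  Serial number (hex): 0xFFF0008
  Serial number: 268369928
  Status: VALID
  Subject: CN=db.example.org,O=EXAMPLE.ORG
  Certificate: MIIBcccCCC
"""

_FIELD = re.compile(r"^\s*([^:]+?):\s*(.*)$")


def parse_cert_find(text):
    """Split cert-find output into one {field: value} dict per certificate."""
    records, current = [], {}
    for line in text.splitlines():
        if not line.strip():          # a blank line ends a record
            if current:
                records.append(current)
                current = {}
            continue
        m = _FIELD.match(line)
        if m:
            current[m.group(1)] = m.group(2)
    if current:
        records.append(current)
    return records


def find_duplicate_serials(text):
    """Return {serial_hex: [subject, ...]} for every serial issued more than once."""
    by_serial = defaultdict(list)
    for rec in parse_cert_find(text):
        serial = rec.get("Serial number (hex)")
        if serial:
            by_serial[serial].append(rec.get("Subject", "?"))
    return {s: subjects for s, subjects in by_serial.items() if len(subjects) > 1}


def _fold(line, width=76):
    """Fold a long LDIF line; continuation lines start with one space (RFC 2849)."""
    out, rest = [line[:width]], line[width:]
    while rest:
        out.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return "\n".join(out)


def host_cert_delete_ldif(fqdn, basedn, cert_b64):
    """LDIF that deletes one userCertificate;binary value from a host entry.

    Assumed FreeIPA layout: fqdn=<host>,cn=computers,cn=accounts,<basedn>.
    The value must be the exact stored certificate (base64 of the DER);
    the directory refuses to delete a value it does not hold.
    """
    value = "".join(cert_b64.split())     # strip whatever whitespace cert-find added
    lines = [
        "dn: fqdn=%s,cn=computers,cn=accounts,%s" % (fqdn, basedn),
        "changetype: modify",
        "delete: usercertificate;binary",
        _fold("usercertificate;binary:: " + value),   # '::' marks a base64 value
        "-",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Usage: ipa cert-find --all > certs.txt; python3 dupserials.py certs.txt
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CERT_FIND
    for serial, subjects in find_duplicate_serials(text).items():
        print("%s issued %d times:" % (serial, len(subjects)))
        for subj in subjects:
            print("    " + subj)
    # Illustrative host, base DN and placeholder certificate value.
    print(host_cert_delete_ldif("app.example.org", "dc=example,dc=org", "MIIBaaaAAA"))
```

The LDIF only removes the value from the host entry; it does not touch the CA's own record of the certificate, and it does not decide which of two certificates sharing a serial the CA should treat as the real one. The value handed to ldapmodify has to be the exact stored certificate, otherwise the directory rejects the modify (noSuchAttribute).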

