[Freeipa-users] Duplicate serials in issued ipa certs

wouter.hummelink at kpn.com
Fri May 6 11:33:10 UTC 2016


Hello,

I discovered today that our IPA CA has been issuing certs with duplicate serials, causing issues in several ways when dealing with hosts that have such a cert in place. (Complaints about duplicate serials)
Removing the offending cert from the host results in the same type of error.
These all seem to have been issued from the server that in the past was reinstalled with the same hostname.

ipa host-show app
ipa: ERROR: Certificate format error: (SEC_ERROR_REUSED_ISSUER_AND_SERIAL) You are attempting to import a cert with the same issuer/serial as an existing cert, but that is not the same cert.

IPA cert-find indeed shows 2 issued certs with the same serial (several actually)

(anonymized)
  Serial number (hex): 0xFFF0007
  Serial number: 268369927
  Status: VALID
  Subject: CN=app.example.org,O=EXAMPLE.ORG

  Serial number (hex): 0xFFF0007
  Serial number: 268369927
  Status: VALID
  Subject: CN=ipa.example.org,O=EXAMPLE.ORG

The ipa client won't let me revoke or otherwise kill these certs with the same error.
What to do?

Kind regards,

Wouter Hummelink
Cloud Engineer
KPN IT Solutions
Platform Organisation Cloud Services
Mail: wouter.hummelink at kpn.com
Phone: +31 (0)6 1288 2447
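As an added example (not part of the original post and not FreeIPA's own code), a small Python helper that parses the plain-text record layout `ipa cert-find` prints, as shown in the post, and reports any serial number that appears on certificates with different subjects, which is the condition behind SEC_ERROR_REUSED_ISSUER_AND_SERIAL. The embedded sample output is constructed with anonymised values, and `parse_cert_find` / `find_duplicate_serials` are hypothetical names.

```python
import re
from collections import defaultdict

# Constructed sample in the layout `ipa cert-find` prints (anonymised values).
SAMPLE_CERT_FIND = """\
  Serial number (hex): 0xFFF0007
  Serial number: 268369927
  Status: VALID
  Subject: CN=app.example.org,O=EXAMPLE.ORG

  Serial number (hex): 0xFFF0007
  Serial number: 268369927
  Status: VALID
  Subject: CN=ipa.example.org,O=EXAMPLE.ORG

  Serial number (hex): 0xFFF0008
  Serial number: 268369928
  Status: VALID
  Subject: CN=db.example.org,O=EXAMPLE.ORG
"""

FIELD_RE = re.compile(r"^\s*([^:]+):\s*(.*)$")

def parse_cert_find(text):
    """Split cert-find output into one dict per blank-line-separated record."""
    records, current = [], {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            current[m.group(1).strip()] = m.group(2).strip()
        elif current:  # a blank line closes the current record
            records.append(current)
            current = {}
    if current:
        records.append(current)
    return records

def find_duplicate_serials(text):
    """Return {serial: [subjects]} for serials issued to more than one subject."""
    subjects_by_serial = defaultdict(list)
    for rec in parse_cert_find(text):
        serial, subject = rec.get("Serial number"), rec.get("Subject")
        if serial and subject not in subjects_by_serial[serial]:
            subjects_by_serial[serial].append(subject)
    return {s: subs for s, subs in subjects_by_serial.items() if len(subs) > 1}

if __name__ == "__main__":
    for serial, subs in find_duplicate_serials(SAMPLE_CERT_FIND).items():
        print(f"serial {serial} reused by: {', '.join(subs)}")
```

To run it against a live CA, feed it the captured text of `ipa cert-find --all` (or similar) instead of the constructed sample; it deliberately ignores a serial that merely appears twice for the same subject.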
