[Freeipa-users] Duplicate serials in issued ipa certs

Fraser Tweedale ftweedal at redhat.com
Sun May 8 23:10:22 UTC 2016


On Fri, May 06, 2016 at 11:33:10AM +0000, wouter.hummelink at kpn.com wrote:
> Hello,
> 
> I discovered today that our IPA CA has been issuing certs with duplicate serials, causing issues in several ways when dealing with hosts that have such a cert in place. (Complaints about duplicate serials)
> Removing the offending cert from the host results in the same type of error.
> These all seem to have been issued from the server that in the past was reinstalled with the same hostname.
> 
Can you please describe the history of the server in more detail?
(i.e. what do you mean by "was reinstalled" - including whether it
was a replica, etc).  Also, which FreeIPA version(s) are you using?

Thanks,
Fraser

> ipa host-show app
> ipa: ERROR: Certificate format error: (SEC_ERROR_REUSED_ISSUER_AND_SERIAL) You are attempting to import a cert with the same issuer/serial as an existing cert, but that is not the same cert.
> 
> IPA cert-find indeed shows 2 issued certs with the same serial (several actually)
> 
> (anonymized)
> Serial number (hex): 0xFFF0007
>   Serial number: 268369927
>   Status: VALID
>   Subject: CN=app.example.org,O=EXAMPLE.ORG
> 
>   Serial number (hex): 0xFFF0007
>   Serial number: 268369927
>   Status: VALID
>   Subject: CN=ipa.example.org,O=EXAMPLE.ORG
> 
> The ipa client won't let me revoke or otherwise kill these certs with the same error.
> What to do?
> 
> Kind regards,
> 
> Wouter Hummelink
> Cloud Engineer
> KPN IT Solutions
> Platform Organisation Cloud Services
> Mail: wouter.hummelink at kpn.com
> Phone: +31 (0)6 1288 2447
> 
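
An added example, not part of the original thread or of FreeIPA: a small Python check that scans a saved `ipa cert-find` listing for serials that appear on more than one entry. It assumes the field layout quoted in the message above and that every entry was issued by the same CA; the sample data and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the layout quoted above; the third entry is invented.
SAMPLE = """\
  Serial number (hex): 0xFFF0007
  Serial number: 268369927
  Status: VALID
  Subject: CN=app.example.org,O=EXAMPLE.ORG

  Serial number (hex): 0xFFF0007
  Serial number: 268369927
  Status: VALID
  Subject: CN=ipa.example.org,O=EXAMPLE.ORG

  Serial number: 268369928
  Status: VALID
  Subject: CN=web.example.org,O=EXAMPLE.ORG
"""
FIELD = re.compile(r"^\s*([^:]+):\s*(.*)$")

def parse_entries(text):
    """One dict per entry; a blank line or a repeated field starts a new entry."""
    entries, current = [], {}
    for line in text.splitlines():
        m = FIELD.match(line)
        key = m.group(1).strip() if m else None
        if current and (key is None or key in current):
            entries.append(current)
            current = {}
        if key:
            current[key] = m.group(2).strip()
    if current:
        entries.append(current)
    return entries

def duplicate_serials(entries):
    """Map each serial seen more than once to the subjects that carry it."""
    by_serial = defaultdict(list)
    for e in entries:
        serial = int(e["Serial number"])
        hex_s = e.get("Serial number (hex)")
        if hex_s and int(hex_s, 16) != serial:  # the two forms must agree
            raise ValueError(f"hex/decimal serial mismatch in entry: {e}")
        by_serial[serial].append(e.get("Subject", "<no subject>"))
    return {s: subj for s, subj in by_serial.items() if len(subj) > 1}

if __name__ == "__main__":
    print(duplicate_serials(parse_entries(SAMPLE)))
```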



