[Freeipa-users] another certmonger question

Rob Crittenden rcritten at redhat.com
Thu Sep 29 11:16:30 UTC 2016


Natxo Asenjo wrote:
>
>
> On Tue, Sep 27, 2016 at 1:42 PM, Rob Crittenden <rcritten at redhat.com> wrote:
>
>
>     It's hard to say, it may in fact not be a problem.
>
>     It is really a matter of what service the certificate(s) are related
>     to. I'd look at the serial numbers and then correlate those to the
>     issued certificates.
>
>     I'd also do a service-find on the hostname to see if any services
>     have certificates issued and with what serial numbers.
>
>
> I agree, it could be that. But just for testing I have created a vm,
> joined it to the domain and resubmitted the certificate.
>
> Now there are two valid host certificates with the same subject:
>
>
>   $ ipa cert-find --subject=throwaway.unix.iriszorg.nl
> ----------------------
> 2 certificates matched
> ----------------------
>    Serial number (hex): 0x3FFE0002
>    Serial number: 1073610754
>    Status: VALID
>    Subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
>
>    Serial number (hex): 0x3FFE0003
>    Serial number: 1073610755
>    Status: VALID
>    Subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
> ----------------------------
> Number of entries returned 2
> ----------------------------
>
>
> So certmonger in this CentOS 6.8 32-bit host is renewing but not
> having the old certificate revoked.

I'd check the Apache log to find the cert_request call to see if you can 
see if there are any issues raised. It should be doing a cert_revoke at 
the same time.

Can you show how this certificate is being tracked?

rob
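
An audit check for the symptom discussed in this thread, added here as an example and not code from the FreeIPA project or from either poster: it parses the `ipa cert-find` listing format quoted above and reports any subject that still has more than one certificate in status VALID, which is what you would expect to see when renewal issues a new certificate without a matching cert_revoke of the old one. The first sample is the listing from the thread; the second is a constructed healthy case with a placeholder hostname, where the superseded certificate has been revoked. Feeding it live data (for example the stdout of `ipa cert-find --subject=<host>` run from a script) is an assumption of this example.

```python
"""Flag subjects with more than one VALID certificate in `ipa cert-find` output."""
import re
from collections import defaultdict

# Listing quoted in the thread (two VALID certs, same subject, consecutive serials).
THREAD_OUTPUT = """\
----------------------
2 certificates matched
----------------------
  Serial number (hex): 0x3FFE0002
  Serial number: 1073610754
  Status: VALID
  Subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL

  Serial number (hex): 0x3FFE0003
  Serial number: 1073610755
  Status: VALID
  Subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
----------------------------
Number of entries returned 2
----------------------------
"""

# Constructed sample (placeholder hostname): the old certificate was revoked
# during renewal, so only one VALID certificate remains for the subject.
HEALTHY_OUTPUT = """\
----------------------
2 certificates matched
----------------------
  Serial number (hex): 0x1
  Serial number: 1
  Status: REVOKED
  Subject: CN=host.example.test,O=EXAMPLE.TEST

  Serial number (hex): 0x2
  Serial number: 2
  Status: VALID
  Subject: CN=host.example.test,O=EXAMPLE.TEST
----------------------------
Number of entries returned 2
----------------------------
"""

# "Key: value" fields; the key is everything up to the first colon.
FIELD_RE = re.compile(r"^\s*(?P<key>[^:]+?):\s*(?P<value>.*)$")


def parse_cert_find(text):
    """Split `ipa cert-find` output into one dict per certificate entry.

    Entries are separated by blank lines or the dashed rules; the
    "N certificates matched" / "Number of entries returned N" summary lines
    carry no colon-separated field and are skipped by the regex.
    """
    entries, current = [], {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("-"):
            if current:
                entries.append(current)
                current = {}
            continue
        m = FIELD_RE.match(line)
        if m:
            current[m.group("key").strip()] = m.group("value").strip()
    if current:
        entries.append(current)
    return entries


def find_duplicate_valid(entries):
    """Map subject -> list of hex serials for subjects with >1 VALID certificate."""
    by_subject = defaultdict(list)
    for entry in entries:
        if entry.get("Status") == "VALID":
            by_subject[entry.get("Subject")].append(entry.get("Serial number (hex)"))
    return {subj: serials for subj, serials in by_subject.items() if len(serials) > 1}


if __name__ == "__main__":
    for label, output in (("thread", THREAD_OUTPUT), ("healthy", HEALTHY_OUTPUT)):
        dups = find_duplicate_valid(parse_cert_find(output))
        if dups:
            for subj, serials in dups.items():
                print(f"[{label}] {subj}: {len(serials)} VALID certs, serials {serials}")
        else:
            print(f"[{label}] no subject has more than one VALID certificate")
```

Run against the thread's listing it reports the two VALID serials 0x3FFE0002 and 0x3FFE0003 for the same subject; against the healthy sample it reports nothing, because the revoked entry is excluded. Pairing this with `getcert list` on the host (what Rob asks for above) tells you which tracking request produced the extra certificate.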
