On Tue, Nov 11, 2014 at 02:11:55AM +0000, Les Stott wrote:
> > -----Original Message-----
> > From: Fraser Tweedale [mailto:[email protected]]
> > Sent: Tuesday, 11 November 2014 12:51 PM
> > To: Les Stott
> > Cc: [email protected]
> > Subject: Re: [Freeipa-users] how to overcome same serial number in cert
> > issue on different master servers?
> >
> > On Tue, Nov 11, 2014 at 01:40:50AM +0000, Les Stott wrote:
> > > Hi,
> > >
> > > I have a standard rhel6 deployment for FreeIPA in two environments.
> > >
> > > One environment is in our Production Data Center, the other in our DR
> > > Data Center.
> > >
> > > Both environments are set up with the same domain (mydomain.com) for
> > > FreeIPA. This is to support dr/failover etc.
> > >
> > > In each environment, there is a master. In Prod it's serverA.mydomain.com,
> > > in DR it's serverB.mydomain.com.
> > >
> > > The master in each environment gets a generated certificate by IPA. This
> > > certificate shows a Serial Number of "0A".
> > >
> > > My problem is that because the certificates have the same Organization,
> > > OU and Serial Number, I can only browse to one of them (using Firefox).
> > >
> > > If I browse to https://serverA.mydomain.com/ipa/ui/ and accept the
> > > certificate it works fine.
> > > If I then try to browse to https://serverB.mydomain.com/ipa/ui/ it comes
> > > up with the following error:
> > >
> > > "Your certificate contains the same serial number as another certificate
> > > issued by the certificate authority. Please get a new certificate
> > > containing a unique serial number. (Error code:
> > > sec_error_reused_issuer_and_serial)"
> > >
> > > If I remove the stored browser certificate for serverA, then browse to
> > > serverB, and accept the certificate, it works, but then the "same serial
> > > number" error pops up for browsing serverA.
> > >
> > > Note: both environments were built separately and are not linked in
> > > any way (no replication between prod/dr).
> > >
> > > Is there a way to generate unique serial numbers for the masters?
> > >
> > > Thanks in advance,
> > >
> > > Les
> > >
> > Hi Les,
> >
> > Ideally, you should prevent this situation by using different common names
> > (CN) for your CAs and server certifications across the different
> > environments. If this is not possible, you can configure the Dogtag CA to
> > use random serial numbers:
> >
> > http://dogtagpki.org/wiki/Random_Certificate_Serial_Numbers#How_to_Use_Random_Certificate_Serial_Numbers
> >
> > This does not guarantee that you will not get serial number collisions, but
> > reduces the likelihood.
> >
> Thanks for the quick reply.
>
> In this case the common name is different between both
> environments. In prod the master was serverA, in DR the master was
> serverB. It just happened that way. So having a different
> CommonName doesn't help.
>
Do the CA certificates bear the same commonName? This is probably
what Firefox uses to determine if there are serial number collisions.

> I'll look into the dogtag random certificate serial number
> generation.
>
> Does anyone know of a correct way to re-issue the certs for each
> master with a random serial number?
>
> Thanks,
>
> Les
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go To http://freeipa.org for more info on the project
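The point raised in the reply above is that a browser's certificate store (NSS in Firefox) identifies a certificate by the pair (issuer name, serial number), which RFC 5280 requires to be unique per CA; two independent CAs that happen to share an issuer DN and both hand out serial 0x0A therefore look like one reused certificate. The following is an added example, not code from the thread or from FreeIPA/Dogtag: a small stdlib-only DER walker that extracts that pair from X.509 certificates and flags any repeats, so an administrator can check the server certificates of both masters before users' browsers do. The three certificates are constructed, unsigned shells built inside the script; the issuer DN "CN=Certificate Authority,O=MYDOMAIN.COM" and the server names are assumptions modelled on the thread, not values taken from a real installation.

```python
# Added example (not from the thread): a small DER walker that pulls the
# (issuer DN, serial number) pair out of X.509 certificates and reports pairs
# that repeat, the condition behind sec_error_reused_issuer_and_serial.
# The sample certificates are constructed, unsigned shells built right here.

# --- minimal DER encoder, used only to build the constructed sample input ---

def der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")   # long form
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def seq(*items):
    return tlv(0x30, b"".join(items))

def integer(n):
    # one spare byte keeps the sign bit clear, as DER requires for positives
    return tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))

OID_CN, OID_O = b"\x55\x04\x03", b"\x55\x04\x0a"        # 2.5.4.3, 2.5.4.10
OID_NAMES = {OID_CN: "CN", OID_O: "O"}

def name(*rdns):
    # X.501 Name: SEQUENCE of SET of SEQUENCE { OID, UTF8String }
    return seq(*(tlv(0x31, seq(tlv(0x06, oid), tlv(0x0c, val.encode())))
                 for oid, val in rdns))

def sample_cert(issuer, subject, serial):
    """Certificate shell with a real TBS layout but dummy algorithm/key/sig."""
    dummy_alg = seq(tlv(0x06, b"\x2a\x03"))
    tbs = seq(
        tlv(0xa0, integer(2)),                                   # [0] version
        integer(serial),                                         # serialNumber
        dummy_alg,                                               # signature
        issuer,                                                  # issuer Name
        seq(tlv(0x17, b"141111000000Z"), tlv(0x17, b"151111000000Z")),  # validity
        subject,                                                 # subject Name
        seq(dummy_alg, tlv(0x03, b"\x00")),                      # dummy SPKI
    )
    return seq(tbs, dummy_alg, tlv(0x03, b"\x00"))

# --- the part a checker needs: parse the pair and compare across servers ---

def der_read(buf, pos=0):
    """Return (tag, body, next_pos) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        nbytes = length & 0x7f
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def der_children(body):
    pos = 0
    while pos < len(body):
        tag, inner, pos = der_read(body, pos)
        yield tag, inner

def name_to_str(body):
    """Render a Name body as 'CN=...,O=...' in encoded order."""
    parts = []
    for _, rdn in der_children(body):              # each RDN is a SET
        for _, atv in der_children(rdn):           # AttributeTypeAndValue
            (_, oid), (_, val) = list(der_children(atv))
            parts.append(f"{OID_NAMES.get(oid, oid.hex())}={val.decode()}")
    return ",".join(parts)

def issuer_and_serial(cert):
    """The (issuer, serial) pair that RFC 5280 says must be unique per CA."""
    _, cert_body, _ = der_read(cert)
    _, tbs, _ = der_read(cert_body)
    fields = list(der_children(tbs))
    if fields[0][0] == 0xa0:                       # optional explicit version
        fields = fields[1:]
    serial = int.from_bytes(fields[0][1], "big", signed=True)
    return name_to_str(fields[2][1]), serial       # fields[1] is the sig alg

def find_collisions(certs):
    """certs: {label: DER bytes}. Returns [(first_label, second_label, key)]."""
    seen, hits = {}, []
    for label, der in certs.items():
        key = issuer_and_serial(der)
        if key in seen:
            hits.append((seen[key], label, key))
        else:
            seen[key] = label
    return hits

# Constructed sample: two unrelated IPA installs whose CAs carry the same
# issuer name and both handed serial 10 (0x0A) to their first server cert;
# a third server with serial 11 shows the non-colliding case.
CA = name((OID_CN, "Certificate Authority"), (OID_O, "MYDOMAIN.COM"))
CERTS = {
    "serverA": sample_cert(CA, name((OID_CN, "serverA.mydomain.com")), 10),
    "serverB": sample_cert(CA, name((OID_CN, "serverB.mydomain.com")), 10),
    "serverC": sample_cert(CA, name((OID_CN, "serverC.mydomain.com")), 11),
}

if __name__ == "__main__":
    for first, second, (issuer, serial) in find_collisions(CERTS):
        print(f"COLLISION: {first} and {second} share serial {serial:02X} "
              f"from issuer {issuer}")
```

To run the same check against real certificates, replace the entries of `CERTS` with the DER bytes of each master's HTTP certificate (for example the output of `openssl x509 -in cert.pem -outform DER`). A hit means the two servers are indistinguishable to a client that keys its store on issuer and serial, which is exactly the case the randomised-serial configuration linked in the reply is meant to make unlikely; it also confirms that a differing subject CN, as Les observed, does not change the outcome, since the subject is not part of the key.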
