On Tue, 11 Nov 2014 14:19:02 -0500 Simo Sorce <s...@redhat.com> wrote:
> On Tue, 11 Nov 2014 04:17:37 +0000
> Les Stott <l...@imagine-sw.com> wrote:
>
> > > -----Original Message-----
> > > From: Fraser Tweedale [mailto:ftwee...@redhat.com]
> > > Sent: Tuesday, 11 November 2014 1:59 PM
> > > To: Les Stott
> > > Cc: freeipa-users@redhat.com
> > > Subject: Re: [Freeipa-users] how to overcome same serial number in
> > > cert issue on different master servers?
> > >
> > > On Tue, Nov 11, 2014 at 02:11:55AM +0000, Les Stott wrote:
> > > > > -----Original Message-----
> > > > > From: Fraser Tweedale [mailto:ftwee...@redhat.com]
> > > > > Sent: Tuesday, 11 November 2014 12:51 PM
> > > > > To: Les Stott
> > > > > Cc: freeipa-users@redhat.com
> > > > > Subject: Re: [Freeipa-users] how to overcome same serial
> > > > > number in cert issue on different master servers?
> > > > >
> > > > > On Tue, Nov 11, 2014 at 01:40:50AM +0000, Les Stott wrote:
> > > > > > Hi,
> > > > > >
> > > > > > I have a standard rhel6 deployment for FreeIPA in two
> > > > > > environments.
> > > > > >
> > > > > > One environment is in our Production Data Center, the other
> > > > > > in our DR Data Center.
> > > > > >
> > > > > > Both environments are set up with the same domain
> > > > > > (mydomain.com) for FreeIPA. This is to support DR/failover etc.
> > > > > >
> > > > > > In each environment, there is a master. In Prod it's
> > > > > > serverA.mydomain.com, in DR it's serverB.mydomain.com.
> > > > > >
> > > > > > The master in each environment gets a generated certificate
> > > > > > by IPA. This certificate shows a Serial Number of "0A".
> > > > > >
> > > > > > My problem is that because the certificates have the same
> > > > > > Organization, OU and Serial Number, I can only browse to one
> > > > > > of them (using Firefox).
> > > > > >
> > > > > > If I browse to https://serverA.mydomain.com/ipa/ui/ and
> > > > > > accept the certificate it works fine.
> > > > > > If I then try to browse to
> > > > > > https://serverB.mydomain.com/ipa/ui/ it comes up with the
> > > > > > following error:
> > > > > >
> > > > > > "Your certificate contains the same serial number as another
> > > > > > certificate issued by the certificate authority. Please get a
> > > > > > new certificate containing a unique serial number. (Error
> > > > > > code: sec_error_reused_issuer_and_serial)"
> > > > > >
> > > > > > If I remove the stored browser certificate for serverA, then
> > > > > > browse to serverB, and accept the certificate, it works, but
> > > > > > then the "same serial number" error pops up for browsing
> > > > > > serverA.
> > > > > >
> > > > > > Note: both environments were built separately and are not
> > > > > > linked in any way (no replication between prod/dr).
> > > > > >
> > > > > > Is there a way to generate unique serial numbers for the
> > > > > > masters?
> > > > > >
> > > > > > Thanks in advance,
> > > > > >
> > > > > > Les
> > > > > >
> > > > > Hi Les,
> > > > >
> > > > > Ideally, you should prevent this situation by using different
> > > > > common names (CN) for your CAs and server certificates across
> > > > > the different environments. If this is not possible, you can
> > > > > configure the Dogtag CA to use random serial numbers:
> > > > >
> > > > > http://dogtagpki.org/wiki/Random_Certificate_Serial_Numbers#How_to_Use_Random_Certificate_Serial_Numbers
> > > > >
> > > > > This does not guarantee that you will not get serial number
> > > > > collisions, but reduces the likelihood.
> > > > >
> > > > Thanks for the quick reply.
> > > >
> > > > In this case the common name is different between both
> > > > environments. In prod the master was serverA, in DR the master
> > > > was serverB. It just happened that way. So having a different
> > > > CommonName doesn't help.
> > > >
> > > Do the CA certificates bear the same commonName? This is probably
> > > what Firefox uses to determine if there are serial number
> > > collisions.
> > >
> > It appears so.
> >
> > The certificate for the CA on the master serverA shows:
> >
> > Issued To
> >   Common Name (CN)          serverA.mydomain.com
> >   Organization (O)          mydomain.com
> >   Organizational Unit (OU)  <Not part of certificate>
> >   Serial Number             0A
> > Issued By:
> >   Common Name (CN)          Certificate Authority
> >   Organization (O)          mydomain.com
> >   Organizational Unit (OU)  <Not part of certificate>
> >
> > The certificate for the CA on the master serverB shows:
> >
> > Issued To
> >   Common Name (CN)          serverB.mydomain.com
> >   Organization (O)          mydomain.com
> >   Organizational Unit (OU)  <Not part of certificate>
> >   Serial Number             0A
> > Issued By:
> >   Common Name (CN)          Certificate Authority
> >   Organization (O)          mydomain.com
> >   Organizational Unit (OU)  <Not part of certificate>
> >
> > Shouldn't the Common Name of the CA be different? Or is it the same
> > in order to make CA replication easier?
> >
> > Is there a way to re-issue certificates for the masters so they get
> > unique serial numbers (without making the systems blow up)?
>
> It is strongly advised not to use the same domain/realm name for 2
> different IPA installations; there are a ton of weird and extremely
> hard to debug errors that will come your way if you do so,
> *especially* if you have clients that access both environments.
>
> A better scheme would be to use mydomain.com for prod and
> dr.mydomain.com for the other.

Oh, I just realized that in your first email you said you used the same
name for failover/disaster recovery. This will *not* work as well as
you think. All certificates and all Kerberos keys will fail to work if
you create 2 domains that just happen to have the same name, but really
have different CA keys and Kerberos keys.

HTH,
Simo.
-- 
Simo Sorce * Red Hat, Inc * New York

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
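The condition behind sec_error_reused_issuer_and_serial, as an added example that is not part of the thread and not FreeIPA or Dogtag code: Firefox/NSS keys stored certificates by the pair (issuer DN, serial number), so the two "0A" certificates from the independent prod and DR CAs collide even though they are different certificates with different subjects. The script below reads just enough DER to pull issuer and serial out of any certificate, groups a set of certificates by that pair, and reports the groups that would trip the browser. It goes slightly beyond the thread by also checking the two remedies discussed (a random serial and a distinct domain for the DR realm). All function names, the sample certificates (constructed as minimal DER so this runs offline) and the labels are mine; point load_der_certs() at real PEM files to check a fleet.

```python
"""Find certificates that share an (issuer DN, serial) pair, the key NSS uses
for its certificate store and the cause of sec_error_reused_issuer_and_serial.
Added example; sample certificates are constructed, not from the thread."""
import base64
import re
from collections import defaultdict

OID_CN = bytes.fromhex("550403")   # id-at-commonName 2.5.4.3
OID_O = bytes.fromhex("55040a")    # id-at-organizationName 2.5.4.10
OID_NAMES = {OID_CN: "CN", OID_O: "O"}


# ---- minimal DER encoder, used only to construct the sample certificates ----
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def name(cn, org):
    """X.501 Name: SEQUENCE OF (SET OF (SEQUENCE { OID, PrintableString }))."""
    def rdn(oid, value):
        return tlv(0x31, tlv(0x30, tlv(0x06, oid) + tlv(0x13, value.encode())))
    return tlv(0x30, rdn(OID_O, org) + rdn(OID_CN, cn))


def fake_cert(serial, issuer, subject):
    """Constructed certificate (hypothetical): version, serial, signature OID,
    issuer and subject are real DER; validity, SPKI and signature are filler."""
    serial_bytes = serial.to_bytes((serial.bit_length() + 8) // 8, "big")
    tbs = tlv(0x30,
              tlv(0xA0, tlv(0x02, b"\x02"))                                 # [0] version v3
              + tlv(0x02, serial_bytes)                                     # serialNumber
              + tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b")))  # sha256WithRSAEncryption
              + issuer + tlv(0x30, b"") + subject + tlv(0x30, b""))
    return tlv(0x30, tbs + tlv(0x30, b"") + tlv(0x03, b"\x00"))


# ---- minimal DER reader: just enough of X.509 to reach issuer and serial ----
def _children(value):
    """Split a constructed DER value into (tag, raw_tlv, inner_value) triples."""
    out, pos = [], 0
    while pos < len(value):
        tag, length, hdr = value[pos], value[pos + 1], 2
        if length & 0x80:                                   # long-form length
            n = length & 0x7F
            length = int.from_bytes(value[pos + 2:pos + 2 + n], "big")
            hdr += n
        end = pos + hdr + length
        out.append((tag, value[pos:end], value[pos + hdr:end]))
        pos = end
    return out


def issuer_and_serial(der):
    """Return (issuer Name DER value, serial as int) from a DER certificate."""
    cert_value = _children(der)[0][2]                 # Certificate ::= SEQUENCE
    tbs = _children(_children(cert_value)[0][2])      # tbsCertificate fields
    if tbs[0][0] == 0xA0:                             # optional [0] EXPLICIT version
        tbs = tbs[1:]
    serial = int.from_bytes(tbs[0][2], "big", signed=True)
    return tbs[2][2], serial                          # serial, signature, issuer, ...


def dn_summary(name_value):
    """Render a DER Name as O=...,CN=... (only the attributes mapped above)."""
    parts = []
    for _, _, rdn_set in _children(name_value):
        for _, _, atv in _children(rdn_set):
            (_, _, oid), (_, _, val) = _children(atv)
            if oid in OID_NAMES:
                parts.append(f"{OID_NAMES[oid]}={val.decode('utf-8', 'replace')}")
    return ",".join(parts)


def to_pem(der):
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def load_der_certs(text):
    """Extract every PEM CERTIFICATE block from text (e.g. a concatenated bundle)."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", text, re.S)
    return [base64.b64decode("".join(b.split())) for b in blocks]


def find_collisions(labelled_certs):
    """Group (label, der) pairs by NSS's cert key (issuer DN, serial) and return
    {(issuer summary, serial hex): [labels]} for every group larger than one."""
    groups = defaultdict(list)
    for label, der in labelled_certs:
        issuer, serial = issuer_and_serial(der)
        groups[(issuer, serial)].append(label)
    return {(dn_summary(issuer), f"{serial:02X}"): labels
            for (issuer, serial), labels in groups.items() if len(labels) > 1}


# Constructed sample: the thread's two "0A" certs plus the two remedies discussed.
ISSUER_PROD = name("Certificate Authority", "mydomain.com")
ISSUER_DR = name("Certificate Authority", "dr.mydomain.com")   # separate-domain scheme
SAMPLE_CERTS = [
    ("serverA.mydomain.com (prod)", fake_cert(0x0A, ISSUER_PROD, name("serverA.mydomain.com", "mydomain.com"))),
    ("serverB.mydomain.com (dr, as built)", fake_cert(0x0A, ISSUER_PROD, name("serverB.mydomain.com", "mydomain.com"))),
    ("serverB (dr, random serial)", fake_cert(0x2B1C9F4E7A, ISSUER_PROD, name("serverB.mydomain.com", "mydomain.com"))),
    ("serverB (dr, own domain)", fake_cert(0x0A, ISSUER_DR, name("serverB.dr.mydomain.com", "dr.mydomain.com"))),
]

if __name__ == "__main__":
    for (issuer, serial), labels in find_collisions(SAMPLE_CERTS).items():
        print(f"issuer {issuer} serial {serial} reused by: {', '.join(labels)}")
```

Only the first two sample certificates are reported: they share the full issuer DN and the serial "0A". The randomly serialled certificate escapes the collision, which is Fraser's mitigation, and the certificate issued under O=dr.mydomain.com escapes it because the issuer DN bytes differ, which is what Simo's separate-domain layout achieves. Comparing the raw issuer Name bytes rather than only the CN mirrors how the browser store keys certificates, so two CAs with the same CN but different O are correctly treated as distinct.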