Re: [Freeipa-users] how to overcome same serial number in cert issue on different master servers?

2014-11-11 Thread Les Stott
> -Original Message-
> From: Rob Crittenden [mailto:rcrit...@redhat.com]
> Sent: Wednesday, 12 November 2014 6:33 AM
> To: Fraser Tweedale; Les Stott
> Cc: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] how to overcome same serial number in cert
> issue on different master servers?
> 

Re: [Freeipa-users] how to overcome same serial number in cert issue on different master servers?

2014-11-11 Thread Rob Crittenden

Re: [Freeipa-users] how to overcome same serial number in cert issue on different master servers?

2014-11-11 Thread Simo Sorce
On Tue, 11 Nov 2014 14:19:02 -0500
Simo Sorce  wrote:


Re: [Freeipa-users] how to overcome same serial number in cert issue on different master servers?

2014-11-11 Thread Simo Sorce
On Tue, 11 Nov 2014 04:17:37 +
Les Stott  wrote:


Re: [Freeipa-users] how to overcome same serial number in cert issue on different master servers?

2014-11-10 Thread Fraser Tweedale
On Tue, Nov 11, 2014 at 04:17:37AM +0000, Les Stott wrote:

Re: [Freeipa-users] how to overcome same serial number in cert issue on different master servers?

2014-11-10 Thread Les Stott
> -Original Message-
> From: Fraser Tweedale [mailto:ftwee...@redhat.com]
> Sent: Tuesday, 11 November 2014 1:59 PM
> To: Les Stott
> Cc: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] how to overcome same serial number in cert
> issue on different master servers?
> 
> On Tue, Nov 11, 2014 at 02:11:55AM +0000, Les Stott wrote:
> > > -Original Message-
> > > From: Fraser Tweedale [mailto:ftwee...@redhat.com]
> > > Sent: Tuesday, 11 November 2014 12:51 PM
> > > To: Les Stott
> > > Cc: freeipa-users@redhat.com
> > > Subject: Re: [Freeipa-users] how to overcome same serial number in
> > > cert issue on different master servers?
> > >
> > > On Tue, Nov 11, 2014 at 01:40:50AM +0000, Les Stott wrote:
> > > > Hi,
> > > >
> > > > I have a standard rhel6 deployment for FreeIPA in two environments.
> > > >
> > > > One environment is in our Production Data Center, the other in our
> > > > DR
> > > Data Center.
> > > >
> > > > Both environments are set up with the same domain (mydomain.com)
> > > > for
> > > FreeIPA. This is to support dr/failover etc.
> > > >
> > > > In each environment, there is a master. In Prod it's
> > > > serverA.mydomain.com,
> > > in DR it's serverB.mydomain.com.
> > > >
> > > > The master in each environment gets a certificate generated by
> > > > IPA. This
> > > certificate shows a Serial Number of "0A".
> > > >
> > > > My problem is that because the certificates have the same
> > > > Organization,
> > > OU and Serial Number, I can only browse to one of them (using Firefox).
> > > >
> > > > If I browse to https://serverA.mydomain.com/ipa/ui/ and accept the
> > > certificate it works fine.
> > > > If I then try to browse to https://serverB.mydomain.com/ipa/ui/ it
> > > > comes
> > > up with the following error:
> > > >
> > > > "Your certificate contains the same serial number as another
> > > > certificate
> > > issued by the certificate authority. Please get a new certificate
> > > containing a unique serial number. (Error code:
> sec_error_reused_issuer_and_serial)"
> > > >
> > > > If I remove the stored browser certificate for serverA, then
> > > > browse to
> > > serverB, and accept the certificate, it works, but then the "same
> > > serial number" error pops up for browsing serverA.
> > > >
> > > > Note: both environments were built separately and are not linked
> > > > in
> > > any way (no replication between prod/dr).
> > > >
> > > > Is there a way to generate unique serial numbers for the masters?
> > > >
> > > > Thanks in advance,
> > > >
> > > > Les
> > > >
> > > >
> > > >
> > > Hi Les,
> > >
> > > Ideally, you should prevent this situation by using different common
> > > names
> > > (CN) for your CAs and server certifications across the different
> > > environments.  If this is not possible, you can configure the Dogtag
> > > CA to use random serial numbers:
> > >
> > >
> > > http://dogtagpki.org/wiki/Random_Certificate_Serial_Numbers#How_to_Use_Random_Certificate_Serial_Numbers
> > >
> > > This does not guarantee that you will not get serial number
> > > collisions, but reduces the likelihood.
> > >
> >
> > Thanks for the quick reply.
> >
> > In this case the common name is different between both environments.
> > In prod the master was serverA, in DR the master was serverB. It just
> > happened that way. So having a different CommonName doesn't help.
> >
> Do the CA certificates bear the same commonName?  This is probably what
> Firefox uses to determine if there are serial number collisions.
> 

It appears so.

The certificate for the CA on the master serverA shows:

Issued To
Common Name (CN) serverA.mydomain.com
Organization (O) mydomain.com
Organizational Unit (OU) 
Serial Number 0A
Issued By:
Common Name (CN) Certificate Authority
Organization (O) mydomain.com
Organizational Unit (OU) 

The certificate for the CA on the master serverB shows:

Issued To
Common Name (CN) serverB.mydomain.com
Organization (O) mydomain.com
Organizational Unit (OU) 
Serial Number 0A
Issued By:
Common Name (CN) Certificate Authority
Organization (O) mydomain.com
Organizational Unit (OU) 


Shouldn't the Common Name of the CA be different? Or is it the same in order to 
make CA replication easier?

Is there a way to re-issue certificates for the masters so they get unique 
serial numbers (without making the systems blow up)?

Thanks,

Les



-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project


Re: [Freeipa-users] how to overcome same serial number in cert issue on different master servers?

2014-11-10 Thread Fraser Tweedale
On Tue, Nov 11, 2014 at 02:11:55AM +0000, Les Stott wrote:
> > -Original Message-
> > From: Fraser Tweedale [mailto:ftwee...@redhat.com]
> > Sent: Tuesday, 11 November 2014 12:51 PM
> > To: Les Stott
> > Cc: freeipa-users@redhat.com
> > Subject: Re: [Freeipa-users] how to overcome same serial number in cert
> > issue on different master servers?
> > 
> > On Tue, Nov 11, 2014 at 01:40:50AM +0000, Les Stott wrote:
> > > Hi,
> > >
> > > I have a standard rhel6 deployment for FreeIPA in two environments.
> > >
> > > One environment is in our Production Data Center, the other in our DR
> > Data Center.
> > >
> > > Both environments are set up with the same domain (mydomain.com) for
> > FreeIPA. This is to support dr/failover etc.
> > >
> > > In each environment, there is a master. In Prod it's serverA.mydomain.com,
> > in DR it's serverB.mydomain.com.
> > >
> > > The master in each environment gets a certificate generated by IPA. This
> > certificate shows a Serial Number of "0A".
> > >
> > > My problem is that because the certificates have the same Organization,
> > OU and Serial Number, I can only browse to one of them (using Firefox).
> > >
> > > If I browse to https://serverA.mydomain.com/ipa/ui/ and accept the
> > certificate it works fine.
> > > If I then try to browse to https://serverB.mydomain.com/ipa/ui/ it comes
> > up with the following error:
> > >
> > > "Your certificate contains the same serial number as another certificate
> > issued by the certificate authority. Please get a new certificate 
> > containing a
> > unique serial number. (Error code: sec_error_reused_issuer_and_serial)"
> > >
> > > If I remove the stored browser certificate for serverA, then browse to
> > serverB, and accept the certificate, it works, but then the "same serial
> > number" error pops up for browsing serverA.
> > >
> > > Note: both environments were built separately and are not linked in
> > any way (no replication between prod/dr).
> > >
> > > Is there a way to generate unique serial numbers for the masters?
> > >
> > > Thanks in advance,
> > >
> > > Les
> > >
> > >
> > >
> > Hi Les,
> > 
> > Ideally, you should prevent this situation by using different common names
> > (CN) for your CAs and server certifications across the different
> > environments.  If this is not possible, you can configure the Dogtag CA to 
> > use
> > random serial numbers:
> > 
> > http://dogtagpki.org/wiki/Random_Certificate_Serial_Numbers#How_to_Use_Random_Certificate_Serial_Numbers
> > 
> > This does not guarantee that you will not get serial number collisions, but
> > reduces the likelihood.
> > 
> 
> Thanks for the quick reply.
> 
> In this case the common name is different between both
> environments. In prod the master was serverA, in DR the master was
> serverB. It just happened that way. So having a different
> CommonName doesn't help.
> 
Do the CA certificates bear the same commonName?  This is probably
what Firefox uses to determine if there are serial number
collisions.

> I'll look into the dogtag random certificate serial number
> generation.
> 
> Does anyone know of a correct way to re-issue the certs for each
> master with a random serial number?
> 
> Thanks,
> 
> Les
> 
> 
> 
> 

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
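
Added example for the point Fraser makes above (Firefox keys certificates on issuer plus serial, not on the subject CN) and for the two certificates Les lists: a stand-alone Python script, not code from the thread, FreeIPA or Dogtag, that reads the issuer name and serial number out of DER certificates and reports any (issuer, serial) pair that occurs more than once. Run on certificates built to mirror the listing (issuer "CN=Certificate Authority,O=mydomain.com", serial 0A, subject CN serverA vs serverB) it reports the collision, and it shows the collision disappearing once one side is re-issued with a random serial. The DER encoder, the toy certificates, `toy_certificate` and `random_serial` are constructed here for illustration; the decoder follows the tbsCertificate field order RFC 5280 defines but is assumed to cover only the DER subset needed to read serialNumber and issuer, not every X.509 feature.

```python
"""Check certificates for (issuer, serial) collisions, the key NSS/Firefox uses.

Added example for this thread, not code from FreeIPA or Dogtag. Standard
library only: the DER encoder exists solely to build sample certificates, and
the decoder is assumed to cover just the DER subset needed to read serialNumber
and issuer (RFC 5280 field order), not all of X.509.
"""
import os
from collections import defaultdict

SEQUENCE, SET, INTEGER, OID, UTF8STRING, PRINTABLESTRING, IA5STRING = (
    0x30, 0x31, 0x02, 0x06, 0x0C, 0x13, 0x16)
ATTR_OIDS = {"CN": b"\x55\x04\x03", "O": b"\x55\x04\x0a", "OU": b"\x55\x04\x0b"}
OID_ATTRS = {oid: attr for attr, oid in ATTR_OIDS.items()}
SHA256_RSA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"  # sha256WithRSAEncryption


# ---- minimal DER encoding (only used to construct the sample certificates) ----
def _length(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + _length(len(body)) + body


def der_int(value):
    # DER INTEGER is two's complement: a positive value with its top bit set needs a leading 0x00
    return tlv(INTEGER, value.to_bytes(value.bit_length() // 8 + 1, "big"))


def der_name(rdns):
    # Name ::= SEQUENCE OF RelativeDistinguishedName; each RDN here is a SET of one AttributeTypeAndValue
    body = b"".join(
        tlv(SET, tlv(SEQUENCE, tlv(OID, ATTR_OIDS[attr]) + tlv(UTF8STRING, val.encode())))
        for attr, val in rdns.items())
    return tlv(SEQUENCE, body)


def toy_certificate(serial, issuer, subject):
    """Build a syntactically valid, unsigned certificate skeleton (constructed sample data)."""
    version = tlv(0xA0, der_int(2))                       # [0] EXPLICIT version v3
    sig_alg = tlv(SEQUENCE, tlv(OID, SHA256_RSA))
    validity = tlv(SEQUENCE, tlv(0x17, b"141110000000Z") + tlv(0x17, b"151110000000Z"))
    spki = tlv(SEQUENCE, sig_alg + tlv(0x03, b"\x00"))    # placeholder key, not a real one
    tbs = tlv(SEQUENCE, version + der_int(serial) + sig_alg + der_name(issuer)
              + validity + der_name(subject) + spki)
    return tlv(SEQUENCE, tbs + sig_alg + tlv(0x03, b"\x00"))  # placeholder signature


# ---- decoding ----
def _decode(data, pos=0):
    """Return (tag, body, next_pos) for the definite-length TLV at pos."""
    tag, first = data[pos], data[pos + 1]
    if first < 0x80:
        length, header = first, 2
    else:
        n = first & 0x7F
        length, header = int.from_bytes(data[pos + 2:pos + 2 + n], "big"), 2 + n
    start = pos + header
    return tag, data[start:start + length], start + length


def _children(body):
    pos = 0
    while pos < len(body):
        tag, inner, pos = _decode(body, pos)
        yield tag, inner


def name_to_string(name_body):
    parts = []
    for _, rdn in _children(name_body):                 # RelativeDistinguishedName (SET)
        for _, atv in _children(rdn):                   # AttributeTypeAndValue (SEQUENCE)
            (_, oid), (vtag, val) = list(_children(atv))
            attr = OID_ATTRS.get(oid, "OID." + oid.hex())
            text = val.decode() if vtag in (UTF8STRING, PRINTABLESTRING, IA5STRING) else val.hex()
            parts.append(f"{attr}={text}")
    return ",".join(parts)


def issuer_and_serial(cert_der):
    """Extract (issuer DN string, serial int) from a DER certificate."""
    _, cert, _ = _decode(cert_der)
    _, tbs, _ = _decode(cert)
    fields = list(_children(tbs))
    if fields[0][0] == 0xA0:                            # optional version comes first
        fields = fields[1:]
    serial = int.from_bytes(fields[0][1], "big", signed=True)
    return name_to_string(fields[2][1]), serial          # fields: serial, signature, issuer, ...


def find_collisions(certs):
    """Map each (issuer, serial) pair seen more than once to the labels sharing it."""
    seen = defaultdict(list)
    for label, der in certs.items():
        seen[issuer_and_serial(der)].append(label)
    return {key: labels for key, labels in seen.items() if len(labels) > 1}


def random_serial(nbytes=16):
    """Random serial as RFC 5280 allows: positive, at most 20 octets (top bit cleared)."""
    raw = bytearray(os.urandom(nbytes))
    raw[0] &= 0x7F
    return int.from_bytes(raw, "big")


# Constructed sample data mirroring the two certificates listed in the thread
CA_DN = {"CN": "Certificate Authority", "O": "mydomain.com"}
SUBJECT_A = {"CN": "serverA.mydomain.com", "O": "mydomain.com"}
SUBJECT_B = {"CN": "serverB.mydomain.com", "O": "mydomain.com"}
CERTS = {"serverA": toy_certificate(0x0A, CA_DN, SUBJECT_A),
         "serverB": toy_certificate(0x0A, CA_DN, SUBJECT_B)}

if __name__ == "__main__":
    print("collisions:", find_collisions(CERTS))        # both share ('CN=Certificate Authority,O=mydomain.com', 10)
    reissued = dict(CERTS, serverB=toy_certificate(random_serial(), CA_DN, SUBJECT_B))
    print("after re-issuing serverB:", find_collisions(reissued))  # {}
```

To run it against real certificates, convert them to DER first (for example `openssl x509 -in cert.pem -outform DER -out cert.der`) and pass the file contents to `find_collisions` under whatever labels are convenient; because the key is (issuer, serial), two independently built CAs with the same issuer DN and the same starting serial collide no matter what subject CN each server certificate carries, which is exactly the situation in this thread.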


Re: [Freeipa-users] how to overcome same serial number in cert issue on different master servers?

2014-11-10 Thread Les Stott
> -Original Message-
> From: Fraser Tweedale [mailto:ftwee...@redhat.com]
> Sent: Tuesday, 11 November 2014 12:51 PM
> To: Les Stott
> Cc: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] how to overcome same serial number in cert
> issue on different master servers?
> 
> On Tue, Nov 11, 2014 at 01:40:50AM +0000, Les Stott wrote:
> > Hi,
> >
> > I have a standard rhel6 deployment for FreeIPA in two environments.
> >
> > One environment is in our Production Data Center, the other in our DR
> Data Center.
> >
> > Both environments are set up with the same domain (mydomain.com) for
> FreeIPA. This is to support dr/failover etc.
> >
> > In each environment, there is a master. In Prod it's serverA.mydomain.com,
> in DR it's serverB.mydomain.com.
> >
> > The master in each environment gets a certificate generated by IPA. This
> certificate shows a Serial Number of "0A".
> >
> > My problem is that because the certificates have the same Organization,
> OU and Serial Number, I can only browse to one of them (using Firefox).
> >
> > If I browse to https://serverA.mydomain.com/ipa/ui/ and accept the
> certificate it works fine.
> > If I then try to browse to https://serverB.mydomain.com/ipa/ui/ it comes
> up with the following error:
> >
> > "Your certificate contains the same serial number as another certificate
> issued by the certificate authority. Please get a new certificate containing a
> unique serial number. (Error code: sec_error_reused_issuer_and_serial)"
> >
> > If I remove the stored browser certificate for serverA, then browse to
> serverB, and accept the certificate, it works, but then the "same serial
> number" error pops up for browsing serverA.
> >
> > Note: both environments were built separately and are not linked in
> any way (no replication between prod/dr).
> >
> > Is there a way to generate unique serial numbers for the masters?
> >
> > Thanks in advance,
> >
> > Les
> >
> >
> >
> Hi Les,
> 
> Ideally, you should prevent this situation by using different common names
> (CN) for your CAs and server certifications across the different
> environments.  If this is not possible, you can configure the Dogtag CA to use
> random serial numbers:
> 
> http://dogtagpki.org/wiki/Random_Certificate_Serial_Numbers#How_to_Use_Random_Certificate_Serial_Numbers
> 
> This does not guarantee that you will not get serial number collisions, but
> reduces the likelihood.
> 

Thanks for the quick reply.

In this case the common name is different between both environments. In prod 
the master was serverA, in DR the master was serverB. It just happened that 
way. So having a different CommonName doesn't help.

I'll look into the dogtag random certificate serial number generation.

Does anyone know of a correct way to re-issue the certs for each master with a
random serial number?

Thanks,

Les




-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project


Re: [Freeipa-users] how to overcome same serial number in cert issue on different master servers?

2014-11-10 Thread Fraser Tweedale
On Tue, Nov 11, 2014 at 01:40:50AM +0000, Les Stott wrote:
> Hi,
> 
> I have a standard rhel6 deployment for FreeIPA in two environments.
> 
> One environment is in our Production Data Center, the other in our DR Data
> Center.
> 
> Both environments are set up with the same domain (mydomain.com) for FreeIPA.
> This is to support dr/failover etc.
> 
> In each environment, there is a master. In Prod it's serverA.mydomain.com, in
> DR it's serverB.mydomain.com.
> 
> The master in each environment gets a certificate generated by IPA. This
> certificate shows a Serial Number of "0A".
> 
> My problem is that because the certificates have the same Organization, OU 
> and Serial Number, I can only browse to one of them (using Firefox).
> 
> If I browse to https://serverA.mydomain.com/ipa/ui/ and accept the 
> certificate it works fine.
> If I then try to browse to https://serverB.mydomain.com/ipa/ui/ it comes up 
> with the following error:
> 
> "Your certificate contains the same serial number as another certificate 
> issued by the certificate authority. Please get a new certificate containing 
> a unique serial number. (Error code: sec_error_reused_issuer_and_serial)"
> 
> If I remove the stored browser certificate for serverA, then browse to 
> serverB, and accept the certificate, it works, but then the "same serial 
> number" error pops up for browsing serverA.
> 
> Note: both environments were built separately and are not linked in any way
> (no replication between prod/dr).
> 
> Is there a way to generate unique serial numbers for the masters?
> 
> Thanks in advance,
> 
> Les
> 
> 
> 
Hi Les,

Ideally, you should prevent this situation by using different
common names (CN) for your CAs and server certifications across the
different environments.  If this is not possible, you can configure
the Dogtag CA to use random serial numbers:

http://dogtagpki.org/wiki/Random_Certificate_Serial_Numbers#How_to_Use_Random_Certificate_Serial_Numbers

This does not guarantee that you will not get serial number
collisions, but reduces the likelihood.

Regards,

Fraser


-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project


[Freeipa-users] how to overcome same serial number in cert issue on different master servers?

2014-11-10 Thread Les Stott
Hi,

I have a standard rhel6 deployment for FreeIPA in two environments.

One environment is in our Production Data Center, the other in our DR Data
Center.

Both environments are set up with the same domain (mydomain.com) for FreeIPA.
This is to support dr/failover etc.

In each environment, there is a master. In Prod it's serverA.mydomain.com, in DR
it's serverB.mydomain.com.

The master in each environment gets a certificate generated by IPA. This
certificate shows a Serial Number of "0A".

My problem is that because the certificates have the same Organization, OU and
Serial Number, I can only browse to one of them (using Firefox).

If I browse to https://serverA.mydomain.com/ipa/ui/ and accept the certificate
it works fine.
If I then try to browse to https://serverB.mydomain.com/ipa/ui/ it comes up
with the following error:

"Your certificate contains the same serial number as another certificate issued
by the certificate authority. Please get a new certificate containing a unique
serial number. (Error code: sec_error_reused_issuer_and_serial)"

If I remove the stored browser certificate for serverA, then browse to serverB,
and accept the certificate, it works, but then the "same serial number" error
pops up for browsing serverA.

Note: both environments were built separately and are not linked in any way (no
replication between prod/dr).

Is there a way to generate unique serial numbers for the masters?

Thanks in advance,

Les



-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project