I have a standard rhel6 deployment for FreeIPA in two environments.

One environment is in our Production Data Center, The Other in our DR Data 

Both environments are setup with the same domain (mydomain.com) for FreeIPA. 
This is to support dr/failover etc.

In each environment, there is a master. In Prod its serverA.mydomain.com, In DR 
its serverB.mydomain.com.

The master in each environment gets a generated certificate by IPA. This 
certificate shows a Serial Number of "0A"

My problem is that because the certificates have the same Organization, OU and 
Serial Number, I can only browse to one of them (using Firefox).

If I browse to https://serverA.mydomain.com/ipa/ui/ and accept the certificate 
it works fine.
If I then try to browse to https://serverB.mydomain.com/ipa/ui/ it comes up 
with the following error:

"Your certificate contains the same serial number as another certificate issued 
by the certificate authority. Please get a new certificate containing a unique 
serial number. (Error code: sec_error_reused_issuer_and_serial)"

If I remove the stored browser certificate for serverA, then browse to serverB, 
and accept the certificate, it works, but then the "same serial number" error 
pops up for browsing serverA.

Note: both environments were built separately and are not linked in anyway (no 
replication between prod/dr).

Is there a way to generate unique serial numbers for the masters?

Thanks in advance,


Manage your subscription for the Freeipa-users mailing list:
Go To http://freeipa.org for more info on the project

Reply via email to