On 11/06/2015 05:16 PM, Cal Sawyer wrote:
Hello

I became aware the other day that building new IPA infrastructure on CentOS6
was seriously going to limit my ability to stay current with improvements, so
i've rebuilt my primary and secondary IPA hosts on CentOS7 (one day apart).
Installation went fine except that i cannot access one or the other host's UI
(Error code: sec_error_reused_issuer_and_serial). This was never an issue in
3.0 where i could access either in the same browser session

I rather think this is a problem of using the same browser against reinstalled FreeIPA, which have the same CA subject and same serial as the CentOS6 IPA, but different cert.

Related thread:
https://www.redhat.com/archives/freeipa-users/2015-September/msg00298.html

Related ticket with workaround:
https://fedorahosted.org/freeipa/ticket/2016

Using Firefox (38) and Chrome (46) I can access any one of the 2 hosts in any
order on the first attempt (with Firefox only after deleting the previous
host's cert) but the second host will always be inaccessible with
ERR_SSL_SERVER_CERT_BAD_FORMAT. Chrome is similar, except it doesn't trust
either host's certificate (red-crossed-out https in URL).  I've confirmed this
using a clean account as well.   My working environment is CentOS 6.6.

The Opera browser on the contrary sees both hosts equally well with zero 
complaints

Is this behaviour by design or ?

This is certainly not by design, I think it is all about the browser. Did you try the new CentOS7 with new browser or at least with a fresh Firefox profile, if it also gives you cert error?

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to