On Fri, May 06, 2016 at 11:33:10AM +0000, wouter.hummel...@kpn.com wrote:
> Hello,
>
> I discovered today that our IPA CA has been issuing certs with duplicate
> serials, causing issues in several ways when dealing with hosts that have
> such a cert in place. (Complaints about duplicate serials)
> Removing the offending cert from the host results in the same type of error
> These all seem to have been issued from the server that in the past was
> reinstalled with the same hostname.
>

Can you please describe the history of the server in more detail?
(i.e. what do you mean by "was reinstalled" - including whether it
was a replica, etc). Also, which FreeIPA version(s) are you using?

Thanks,
Fraser

> ipa host-show app
> ipa: ERROR: Certificate format error: (SEC_ERROR_REUSED_ISSUER_AND_SERIAL)
> You are attempting to import a cert with the same issuer/serial as an
> existing cert, but that is not the same cert.
>
> IPA cert-find indeed shows 2 issued certs with the same serial (several
> actually)
>
> (anonymized)
> Serial number (hex): 0xFFF0007
> Serial number: 268369927
> Status: VALID
> Subject: CN=app.example.org,O=EXAMPLE.ORG
>
> Serial number (hex): 0xFFF0007
> Serial number: 268369927
> Status: VALID
> Subject: CN=ipa.example.org,O=EXAMPLE.ORG
>
> The ipa client won't let me revoke or otherwise kill these certs with the
> same error.
> What to do?
>
> Kind regards,
>
> Wouter Hummelink
> Cloud Engineer
> KPN IT Solutions
> Platform Organisation Cloud Services

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
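
An added example, not part of the original thread: a Python check that reads `ipa cert-find` output in the form quoted above and lists every serial number that appears with more than one subject. The sample text is constructed from the anonymized entries in the message, the function name `find_duplicate_serials` is hypothetical, and the parser assumes entries are separated by blank lines.

```python
import re
from collections import defaultdict

# Constructed sample: the two anonymized entries quoted in the thread,
# plus one non-colliding entry (constructed) for contrast.
SAMPLE = """\
  Serial number (hex): 0xFFF0007
  Serial number: 268369927
  Status: VALID
  Subject: CN=app.example.org,O=EXAMPLE.ORG

  Serial number (hex): 0xFFF0007
  Serial number: 268369927
  Status: VALID
  Subject: CN=ipa.example.org,O=EXAMPLE.ORG

  Serial number (hex): 0xFFF0008
  Serial number: 268369928
  Status: VALID
  Subject: CN=web.example.org,O=EXAMPLE.ORG
"""

# Only the decimal serial, status and subject lines are used; the
# "Serial number (hex):" line does not match because of the "(hex)" suffix.
FIELD = re.compile(r"^\s*(Serial number|Status|Subject):\s*(.+?)\s*$")

def find_duplicate_serials(text):
    """Return {serial: [(subject, status), ...]} for serials with >1 distinct subject."""
    by_serial = defaultdict(list)
    # Assumption: one certificate per blank-line-separated block.
    for block in re.split(r"\n\s*\n", text):
        fields = dict(m.groups() for m in map(FIELD.match, block.splitlines()) if m)
        if "Serial number" in fields and "Subject" in fields:
            by_serial[int(fields["Serial number"])].append(
                (fields["Subject"], fields.get("Status", "UNKNOWN")))
    return {serial: certs for serial, certs in by_serial.items()
            if len({subject for subject, _ in certs}) > 1}

if __name__ == "__main__":
    for serial, certs in find_duplicate_serials(SAMPLE).items():
        print(f"serial {serial} ({serial:#x}) issued {len(certs)} times:")
        for subject, status in certs:
            print(f"  {status:8} {subject}")
```
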