All 4 of our IPA servers are RHEL 7.2 with IPA 4.2.
Last August the original CA master was damaged, so I moved the CRL role to
another server, decommissioned the machine, deleted all the replication
agreements and rebuilt the machine.

That machine now appears to have issued the certs that have duplicated serials.
My immediate problem now, however, is that I can't deprovision the machine that
one of these certs was issued for, nor can I revoke the certs.

What would be the proper way to remove these certs from LDAP?
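The SEC_ERROR_REUSED_ISSUER_AND_SERIAL error quoted below is NSS refusing to load two different certificates that carry the same issuer and serial number. Before deciding which LDAP entries to clean up, it helps to list every entry whose userCertificate value collides with another. The script below is an added example and is not part of this thread or of FreeIPA: it unfolds the LDIF that ldapsearch prints, parses just enough DER to read the issuer and serial of each certificate, and reports the entries whose certificates share an issuer/serial pair but differ byte for byte (an identical certificate stored on two entries is not a collision). The LDIF, the DNs and the unsigned certificates inside it are constructed for the example.

```python
"""Find certificates that share an issuer/serial pair but are not the same certificate,
i.e. the condition NSS reports as SEC_ERROR_REUSED_ISSUER_AND_SERIAL.
Added example, not FreeIPA project code; the sample LDIF below is constructed."""
import base64
import hashlib
from collections import defaultdict


def _der_len(n):
    """DER length octets (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def der_tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def der_int(n):
    """Non-negative INTEGER; the extra byte keeps the sign bit clear."""
    return der_tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))


def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                       # long-form length
        k = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, pos, pos + ln


def issuer_and_serial(der):
    """Walk Certificate -> tbsCertificate and pull serialNumber and the raw issuer Name.
    The issuer is returned as its DER bytes, so byte-equal issuers compare equal."""
    tag, p, _ = read_tlv(der, 0)            # Certificate SEQUENCE
    assert tag == 0x30
    tag, p, _ = read_tlv(der, p)            # tbsCertificate SEQUENCE
    assert tag == 0x30
    tag, s, e = read_tlv(der, p)
    if tag == 0xA0:                         # optional explicit [0] version
        tag, s, e = read_tlv(der, e)
    assert tag == 0x02                      # serialNumber INTEGER
    serial = int.from_bytes(der[s:e], "big", signed=True)
    tag, _, e = read_tlv(der, e)            # signature AlgorithmIdentifier
    assert tag == 0x30
    p = e
    tag, _, e = read_tlv(der, p)            # issuer Name
    assert tag == 0x30
    return der[p:e], serial


def certs_from_ldif(text):
    """(dn, der) for every userCertificate;binary value in `ldapsearch -LLL` output,
    unfolding LDIF continuation lines (leading space) first."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    dn, out = None, []
    for line in lines:
        if line.lower().startswith("dn:"):
            dn = line[3:].strip()
        elif line.lower().startswith("usercertificate;binary::"):
            out.append((dn, base64.b64decode(line.split("::", 1)[1].strip())))
    return out


def find_reused(certs):
    """Group by (issuer, serial); a group holding more than one distinct byte string is the
    reuse NSS refuses to import. Returns {(issuer_der, serial): sorted labels}."""
    groups = defaultdict(dict)
    for label, der in certs:
        key = issuer_and_serial(der)
        groups[key].setdefault(hashlib.sha256(der).digest(), []).append(label)
    return {key: sorted(l for ls in seen.values() for l in ls)
            for key, seen in groups.items() if len(seen) > 1}


def fake_cert(serial, subject_cn, issuer_cn="Certificate Authority"):
    """Structurally valid but unsigned X.509 DER (constructed test data, not a real cert)."""
    def name(cn):   # Name ::= SEQUENCE OF SET OF AttributeTypeAndValue, here only CN (2.5.4.3)
        return der_tlv(0x30, der_tlv(0x31, der_tlv(0x30, der_tlv(0x06, b"\x55\x04\x03")
                                                    + der_tlv(0x0C, cn.encode()))))
    alg = der_tlv(0x30, der_tlv(0x06, bytes.fromhex("2A864886F70D01010B")))   # sha256WithRSAEncryption
    validity = der_tlv(0x30, der_tlv(0x17, b"160101000000Z") + der_tlv(0x17, b"260101000000Z"))
    spki = der_tlv(0x30, alg + der_tlv(0x03, b"\x00"))                        # placeholder key
    tbs = der_tlv(0x30, der_tlv(0xA0, der_int(2)) + der_int(serial) + alg + name(issuer_cn)
                  + validity + name(subject_cn) + spki)
    return der_tlv(0x30, tbs + alg + der_tlv(0x03, b"\x00"))                  # empty signature


def sample_ldif():
    """Constructed ldapsearch output: app and ipa hold different certs with serial 0xFFF0007,
    a service entry repeats app's cert byte-for-byte, db has its own serial."""
    app, ipa, db = (fake_cert(0xFFF0007, "app.example.org"), fake_cert(0xFFF0007, "ipa.example.org"),
                    fake_cert(0xFFF0008, "db.example.org"))
    base = "cn=accounts,dc=example,dc=org"
    entries = [(f"fqdn=app.example.org,cn=computers,{base}", app),
               (f"krbprincipalname=HTTP/app.example.org@EXAMPLE.ORG,cn=services,{base}", app),
               (f"fqdn=ipa.example.org,cn=computers,{base}", ipa),
               (f"fqdn=db.example.org,cn=computers,{base}", db)]
    out = []
    for dn, der in entries:
        line = "userCertificate;binary:: " + base64.b64encode(der).decode()
        out.append(f"dn: {dn}\n" + "\n ".join(line[i:i + 76] for i in range(0, len(line), 76)) + "\n")
    return "\n".join(out)


if __name__ == "__main__":
    for (issuer, serial), dns in find_reused(certs_from_ldif(sample_ldif())).items():
        print(f"serial 0x{serial:X} reused by distinct certs in: {', '.join(dns)}")
```

Against a real deployment, feed `certs_from_ldif` the output of an `ldapsearch -LLL` query over the accounts subtree that requests the `userCertificate;binary` attribute; the DNs it reports are the entries whose certificate attribute would have to be cleared or replaced so that the client no longer hits the NSS import error. The DER walk stops at the issuer field, so it works on any well-formed certificate without needing an ASN.1 library.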

-----Original message-----
From: Fraser Tweedale [mailto:ftwee...@redhat.com]
Sent: Monday 9 May 2016 01:10
To: Hummelink, Wouter
CC: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Duplicate serials in issued ipa certs

On Fri, May 06, 2016 at 11:33:10AM +0000, wouter.hummel...@kpn.com wrote:
> Hello,
> 
> I discovered today that our IPA CA has been issuing certs with
> duplicate serials, causing issues in several ways when dealing with
> hosts that have such a cert in place (complaints about duplicate serials).
> Removing the offending cert from the host results in the same type of error.
> These all seem to have been issued from the server that in the past was
> reinstalled with the same hostname.
> 
Can you please describe the history of the server in more detail?
(i.e. what do you mean by "was reinstalled" - including whether it was a 
replica, etc).  Also, which FreeIPA version(s) are you using?

Thanks,
Fraser

> ipa host-show app
> ipa: ERROR: Certificate format error: (SEC_ERROR_REUSED_ISSUER_AND_SERIAL) 
> You are attempting to import a cert with the same issuer/serial as an 
> existing cert, but that is not the same cert.
> 
> IPA cert-find indeed shows 2 issued certs with the same serial 
> (several actually)
> 
> (anonymized)
>   Serial number (hex): 0xFFF0007
>   Serial number: 268369927
>   Status: VALID
>   Subject: CN=app.example.org,O=EXAMPLE.ORG
> 
>   Serial number (hex): 0xFFF0007
>   Serial number: 268369927
>   Status: VALID
>   Subject: CN=ipa.example.org,O=EXAMPLE.ORG
> 
> The ipa client won't let me revoke or otherwise kill these certs with the 
> same error.
> What to do?
> 
> Kind regards,
> 
> Wouter Hummelink
> Cloud Engineer
> KPN IT Solutions
> Platform Organisation Cloud Services
> Mail: wouter.hummel...@kpn.com<mailto:wouter.hummel...@kpn.com>
> Phone: +31 (0)6 1288 2447
> 




> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project

