Natxo Asenjo wrote:
On Tue, Sep 27, 2016 at 1:42 PM, Rob Crittenden <rcrit...@redhat.com> wrote:

It's hard to say, it may in fact not be a problem. It is really a matter of what service the certificate(s) are related to. I'd look at the serial numbers and then correlate those to the issued certificates. I'd also do a service-find on the hostname to see if any services have certificates issued and with what serial numbers.

I agree, it could be that. But just for testing I have created a VM, joined it to the domain and resubmitted the certificate. Now there are two valid host certificates with the same subject:

$ ipa cert-find --subject=throwaway.unix.iriszorg.nl
----------------------
2 certificates matched
----------------------
  Serial number (hex): 0x3FFE0002
  Serial number: 1073610754
  Status: VALID
  Subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL

  Serial number (hex): 0x3FFE0003
  Serial number: 1073610755
  Status: VALID
  Subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
----------------------------
Number of entries returned 2
----------------------------

So certmonger on this CentOS 6.8 32-bit host is renewing but not having the old certificate revoked.
I'd check the Apache log to find the cert_request call to see if you can see if there are any issues raised. It should be doing a cert_revoke at the same time.
Can you show how this certificate is being tracked?

rob

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
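As an added example, not code from this thread or from the FreeIPA project: a small Python parser for the `ipa cert-find` output quoted above that reports subjects holding more than one VALID certificate, which is the symptom Natxo describes when certmonger renews without revoking. The sample text is a copy of the output shown in the thread; the function names are my own.

```python
"""Flag subjects that hold more than one VALID certificate in `ipa cert-find` output."""
import re
from collections import defaultdict

# Copy of the `ipa cert-find --subject=...` output quoted in the thread (constructed
# sample; the IPA CLI prints entry fields with a two-space indent, as here).
SAMPLE_OUTPUT = """\
----------------------
2 certificates matched
----------------------
  Serial number (hex): 0x3FFE0002
  Serial number: 1073610754
  Status: VALID
  Subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL

  Serial number (hex): 0x3FFE0003
  Serial number: 1073610755
  Status: VALID
  Subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
----------------------------
Number of entries returned 2
----------------------------
"""

FIELD_RE = re.compile(r"^\s*([^:]+?):\s*(.*)$")

def parse_cert_find(text):
    """Return one dict per certificate entry, keyed by the field names the CLI prints."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("-"):
            # a blank line or dashed rule closes the entry being built
            if current:
                entries.append(current)
                current = {}
            continue
        m = FIELD_RE.match(line)
        if m and line.startswith(" "):  # indented "Name: value" lines are entry fields
            current[m.group(1)] = m.group(2)
    if current:
        entries.append(current)
    return entries

def duplicate_valid_subjects(entries):
    """Map subject -> hex serials for subjects with more than one VALID certificate.
    A renewal whose predecessor was never revoked shows up here: the old serial
    stays VALID alongside the new one."""
    by_subject = defaultdict(list)
    for e in entries:
        if e.get("Status") == "VALID":
            by_subject[e["Subject"]].append(e["Serial number (hex)"])
    return {s: serials for s, serials in by_subject.items() if len(serials) > 1}

if __name__ == "__main__":
    for subject, serials in duplicate_valid_subjects(parse_cert_find(SAMPLE_OUTPUT)).items():
        print(f"{subject}: {len(serials)} VALID certificates: {', '.join(serials)}")
```

Pipe real `ipa cert-find` output into `parse_cert_find` to check every subject at once; a subject listed with two or more serials is the case to correlate against the Apache log and the certmonger tracking request.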