Natxo Asenjo wrote:


On Tue, Sep 27, 2016 at 1:42 PM, Rob Crittenden <rcrit...@redhat.com> wrote:


    It's hard to say, it may in fact not be a problem.

    It is really a matter of what service the certificate(s) are related
    to. I'd look at the serial numbers and then correlate those to the
    issued certificates.

    I'd also do a service-find on the hostname to see if any services
    have certificates issued and with what serial numbers.


I agree, it could be that. But just for testing I have created a vm,
joined it to the domain and resubmitted the certificate.

Now there are two valid host certificates with the same subject:


  $ ipa cert-find --subject=throwaway.unix.iriszorg.nl
----------------------
2 certificates matched
----------------------
   Serial number (hex): 0x3FFE0002
   Serial number: 1073610754
   Status: VALID
   Subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL

   Serial number (hex): 0x3FFE0003
   Serial number: 1073610755
   Status: VALID
   Subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
----------------------------
Number of entries returned 2
----------------------------


So certmonger on this CentOS 6.8 32-bit host is renewing but not
having the old certificate revoked.

I'd check the Apache log to find the cert_request call to see if you can see if there are any issues raised. It should be doing a cert_revoke at the same time.

Can you show how this certificate is being tracked?

rob
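A quick check for the situation described in this thread, added here as an example and not part of the original exchange: it reads `ipa cert-find --subject=<host>` output and reports every subject that still has more than one VALID certificate, which is what a renewal without a matching cert_revoke leaves behind. The sample output is constructed from the listing above (the hostname and serials are the ones shown in the thread); the field names follow that listing.

```shell
#!/bin/sh
# Constructed sample of `ipa cert-find --subject=<host>` output, modelled on the
# two-entry listing in the thread; hostname and serials are the thread's own values.
CERT_FIND_OUTPUT='----------------------
2 certificates matched
----------------------
  Serial number (hex): 0x3FFE0002
  Serial number: 1073610754
  Status: VALID
  Subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL

  Serial number (hex): 0x3FFE0003
  Serial number: 1073610755
  Status: VALID
  Subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
----------------------------
Number of entries returned 2
----------------------------'

# Read cert-find output on stdin and print "<subject> <count> <serial,serial,...>"
# for every subject that has more than one VALID certificate.  Entries are blocks
# of "Key: value" lines separated by blank lines; banner lines match no rule.
duplicate_valid_certs() {
    awk '
        /^ *Serial number \(hex\):/ { serial = $NF }
        /^ *Status:/                { status = $NF }
        /^ *Subject:/               { sub(/^ *Subject: */, ""); subject = $0 }
        /^ *$/                      { flush() }
        END                         { flush(); report() }
        # Record the entry just read if it is VALID, then reset for the next one.
        function flush() {
            if (subject != "" && status == "VALID") {
                count[subject]++
                serials[subject] = (serials[subject] == "" ? serial : serials[subject] "," serial)
            }
            serial = ""; status = ""; subject = ""
        }
        # Only subjects with two or more VALID certificates are worth a look.
        function report(s) {
            for (s in count) if (count[s] > 1) print s, count[s], serials[s]
        }
    '
}

# Usage: pipe real output in with `ipa cert-find --subject=$HOST | duplicate_valid_certs`.
printf '%s\n' "$CERT_FIND_OUTPUT" | duplicate_valid_certs
```

Each reported serial can then be correlated with the cert_request and cert_revoke calls in the Apache log, as suggested above.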

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
