Re: [Freeipa-users] IPA 4.1.0 UI certificate confusion

2015-11-06 Thread Cal Sawyer

Hi, Martin

Many thanks for this info

My user and personal workstations have to remain on CentOS6 until IPA is 
deployed across the board, when i think we might have a better case for 
migrating to EL7.  However, we also have loads of software with complex 
dependencies in production that makes major version updates precarious.


In answer to your question, yes, accessing these IPA servers from a 
fresh user account that's never seen these sites before exhibits the 
exact same issues whether in Firefox or Chrome - you get the first one 
but the second (and 3rd, 4th - as many as you have) will block


That idea of specifying a different timestamp in Subject when installing 
secondary instances seems worth trying right now and will report back


cheers

Cal Sawyer | Systems Engineer | BlueBolt Ltd


On 06/11/15 17:03, Martin Kosek wrote:

On 11/06/2015 05:16 PM, Cal Sawyer wrote:

Hello

I became aware the other day that building new IPA infrastructure on CentOS6
was seriously going to limit my ability to stay current with improvements, so
i've rebuilt my primary and secondary IPA hosts on CentOS7 (one day apart).
Installation went fine except that i cannot access one or the other host's UI
(Error code: sec_error_reused_issuer_and_serial). This was never an issue in
3.0 where i could access either in the same browser session


I rather think this is a problem of using the same browser against 
reinstalled FreeIPA, which have the same CA subject and same serial as 
the CentOS6 IPA, but different cert.


Related thread:
https://www.redhat.com/archives/freeipa-users/2015-September/msg00298.html

Related ticket with workaround:
https://fedorahosted.org/freeipa/ticket/2016

Using Firefox (38) and Chrome (46) I can access any one of the 2 hosts in any
order on the first attempt (with Firefox only after deleting the previous
host's cert) but the second host will always be inaccessible with
ERR_SSL_SERVER_CERT_BAD_FORMAT. Chrome is similar, except it doesn't trust
either host's certificate (red-crossed-out https in URL). I've confirmed this
using a clean account as well. My working environment is CentOS 6.6.

The Opera browser on the contrary sees both hosts equally well with 
zero complaints


Is this behaviour by design or ?


This is certainly not by design, I think it is all about the browser. 
Did you try the new CentOS7 with a new browser or at least with a fresh 
Firefox profile, to see if it also gives you a cert error?


--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] IPA 4.1.0 UI certificate confusion

2015-11-06 Thread Martin Kosek
Good. But still, I am curious about your architecture. It almost looks like you 
are installing several FreeIPA servers (ipa-server-install), but with the same 
realm/domain. Can you share the reasoning? Maybe advice can be given for the 
whole FreeIPA architecture.


It is not something expected, normally you would install one FreeIPA server 
with realm "example.com" and then install replicas (ipa-replica-install) for 
redundancy or load balancing.


On 11/06/2015 06:59 PM, Cal Sawyer wrote:

Confirming that inclusion of a timestamped subject works well, Martin. Can open
both instances in separate tabs in the same Firefox session.  Same is possible in
Chrome, which dislikes the certs and does its red-cross thing

many thanks for this fix!

Cal Sawyer | Systems Engineer | BlueBolt Ltd



Re: [Freeipa-users] IPA 4.1.0 UI certificate confusion

2015-11-06 Thread Martin Kosek

On 11/06/2015 05:16 PM, Cal Sawyer wrote:

Hello

I became aware the other day that building new IPA infrastructure on CentOS6
was seriously going to limit my ability to stay current with improvements, so
i've rebuilt my primary and secondary IPA hosts on CentOS7 (one day apart).
Installation went fine except that i cannot access one or the other host's UI
(Error code: sec_error_reused_issuer_and_serial). This was never an issue in
3.0 where i could access either in the same browser session


I rather think this is a problem of using the same browser against reinstalled 
FreeIPA, which have the same CA subject and same serial as the CentOS6 IPA, but 
different cert.


Related thread:
https://www.redhat.com/archives/freeipa-users/2015-September/msg00298.html

Related ticket with workaround:
https://fedorahosted.org/freeipa/ticket/2016


Using Firefox (38) and Chrome (46) I can access any one of the 2 hosts in any
order on the first attempt (with Firefox only after deleting the previous
host's cert) but the second host will always be inaccessible with
ERR_SSL_SERVER_CERT_BAD_FORMAT. Chrome is similar, except it doesn't trust
either host's certificate (red-crossed-out https in URL).  I've confirmed this
using a clean account as well.   My working environment is CentOS 6.6.

The Opera browser on the contrary sees both hosts equally well with zero 
complaints

Is this behaviour by design or ?


This is certainly not by design, I think it is all about the browser. Did you 
try the new CentOS7 with a new browser or at least with a fresh Firefox profile, 
to see if it also gives you a cert error?


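What Martin describes is a cache-key collision: NSS (and so Firefox) remembers certificates by the pair (issuer name, serial number), and a CA rebuilt with the same subject re-issues serial 1 under the same name, so the second host presents a different certificate under a key the browser already holds. The script below is an added example, not code from this thread or from FreeIPA, of the check a practitioner would want before blaming the browser: walk the DER of each certificate with only the Python standard library, group by (issuer, serial), and flag any group that contains more than one distinct certificate. The certificates are constructed inside the script (structurally valid DER, placeholder signature and keys) and labelled as such; the EXAMPLE.COM names, the serial value and the "OU=20151106" component standing in for the timestamped subject are assumptions for the illustration, not FreeIPA's actual naming.

```python
import hashlib
from collections import defaultdict

# Minimal DER encoder, used only to construct the sample certificates below.
def der(tag, body):
    """TLV with DER definite length (short or long form)."""
    n = len(body)
    ln = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    return bytes([tag]) + (ln if n < 0x80 else bytes([0x80 | len(ln)]) + ln) + body

def der_seq(*items): return der(0x30, b"".join(items))
def der_int(n): return der(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))  # unsigned

def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:                       # base-128, high bit set on all but the last byte
        n = max(1, (a.bit_length() + 6) // 7)
        out += bytes(((a >> (7 * i)) & 0x7F) | (0x80 if i else 0) for i in reversed(range(n)))
    return der(0x06, bytes(out))

OIDS = {"2.5.4.3": "CN", "2.5.4.10": "O", "2.5.4.11": "OU"}
_OID_OF = {v: k for k, v in OIDS.items()}

def der_name(*rdns):
    """X.501 Name: SEQUENCE OF SET OF SEQUENCE { OID, UTF8String }."""
    return der_seq(*[der(0x31, der_seq(der_oid(_OID_OF[k]), der(0x0C, v.encode())))
                     for k, v in rdns])

def make_cert(issuer, serial, subject, pubkey):
    """Constructed sample: structurally valid X.509 v3 DER with a placeholder signature."""
    alg = lambda oid: der_seq(der_oid(oid), der(0x05, b""))
    tbs = der_seq(
        der(0xA0, der_int(2)),                                   # [0] version v3
        der_int(serial),                                         # serialNumber
        alg("1.2.840.113549.1.1.11"),                            # signature (sha256WithRSA)
        der_name(*issuer),                                       # issuer
        der_seq(der(0x17, b"151105120000Z"), der(0x17, b"251105120000Z")),  # validity
        der_name(*subject),                                      # subject
        der_seq(alg("1.2.840.113549.1.1.1"), der(0x03, b"\x00" + pubkey)),  # SPKI
    )
    return der_seq(tbs, alg("1.2.840.113549.1.1.11"), der(0x03, b"\x00" * 17))

# DER decoder: just enough to reach tbsCertificate.issuer and .serialNumber.
def _tlv(buf, pos=0):
    """Decode one TLV at pos; returns (tag, body, end). Handles long-form lengths."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def _children(body):
    pos = 0
    while pos < len(body):
        tag, inner, pos = _tlv(body, pos)
        yield tag, inner

def decode_oid(b):
    arcs, acc = [b[0] // 40, b[0] % 40], 0
    for byte in b[1:]:
        acc = (acc << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs, acc = arcs + [acc], 0
    return ".".join(map(str, arcs))

def name_to_str(name_der):
    parts = []
    for _, rdn_set in _children(_tlv(name_der)[1]):
        for _, atv in _children(rdn_set):
            (_, oid), (_, value) = _children(atv)
            parts.append(f"{OIDS.get(decode_oid(oid), decode_oid(oid))}={value.decode()}")
    return ",".join(parts)

def issuer_and_serial(cert_der):
    """Return (issuer Name as DER bytes, serial as int) from a DER X.509 certificate."""
    _, cert_body, _ = _tlv(cert_der)
    _, tbs, _ = _tlv(cert_body)
    fields = list(_children(tbs))
    if fields[0][0] == 0xA0:                     # optional [0] EXPLICIT version comes first
        fields = fields[1:]
    (stag, serial), _sigalg, (itag, issuer) = fields[:3]
    if stag != 0x02 or itag != 0x30:
        raise ValueError("unexpected tbsCertificate layout")
    return der(0x30, issuer), int.from_bytes(serial, "big", signed=True)

def find_reused_issuer_serial(certs):
    """certs: {label: DER bytes}. Returns [(issuer, serial, [(label, sha256hex), ...])]
    for each (issuer, serial) key that is presented by more than one distinct certificate."""
    groups = defaultdict(dict)
    for label, cert in certs.items():
        groups[issuer_and_serial(cert)][label] = hashlib.sha256(cert).hexdigest()
    return [(name_to_str(issuer), serial, sorted(members.items()))
            for (issuer, serial), members in groups.items()
            if len(set(members.values())) > 1]

# Constructed sample data (assumed names) mirroring the thread: CA subject kept across a rebuild.
CA = (("O", "EXAMPLE.COM"), ("CN", "Certificate Authority"))
CA_STAMPED = CA + (("OU", "20151106"),)           # assumed form of the timestamped subject
SAMPLE_CERTS = {
    "ipa-ca-centos6": make_cert(CA, 1, CA, b"\x01" * 32),   # old install, key 1
    "ipa-ca-centos7": make_cert(CA, 1, CA, b"\x02" * 32),   # rebuilt: same name and serial, new key
    "ipa-ca-replica": make_cert(CA, 1, CA, b"\x02" * 32),   # identical bytes to centos7: fine on its own
    "ipa-ca-stamped": make_cert(CA_STAMPED, 1, CA_STAMPED, b"\x03" * 32),  # distinct issuer: no clash
}
```

Running find_reused_issuer_serial(SAMPLE_CERTS) reports one group, O=EXAMPLE.COM,CN=Certificate Authority with serial 1, holding the CentOS6 and CentOS7 certificates (and the replica, which is byte-identical to the CentOS7 one and therefore not a problem by itself). The stamped subject lands in its own group, which is exactly why changing the subject on the second install made both UIs reachable in one session. To run the check against live hosts, feed it ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, 443))) for each server; the decoder assumes well-formed DER and is a lookup aid, not a certificate validator.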


Re: [Freeipa-users] IPA 4.1.0 UI certificate confusion

2015-11-06 Thread Cal Sawyer
Confirming that inclusion of a timestamped subject works well, Martin.  
Can open both instances in separate tabs in the same Firefox session.  Same 
is possible in Chrome, which dislikes the certs and does its red-cross thing


many thanks for this fix!

Cal Sawyer | Systems Engineer | BlueBolt Ltd
