Re: [Freeipa-users] sec_error_reused_issuer_and_serial

2015-09-22 Thread Fraser Tweedale
On Tue, Sep 22, 2015 at 09:52:38PM +, Les Stott wrote:
> The only way to get around it, because you are using the same
> domain name, is to use different browsers to visit each site.
> Firefox for sitea, chrome for siteb.
> 
It is not the only way; you can flush your browser cache / offline
data for the site and cause the browser to forget about the issuer.
Certainly with Firefox this is possible (I don't use Chromium).

Or you can use separate Firefox profiles (again I am unsure if
Chromium has this feature) for the separate installations.

Or for installations / experimentation, you can specify a different
"Organization" component of the root issuer DN when installing
FreeIPA.  I include a "timestamp" when installing test servers:

ipa-server-install --subject 'O=IPA.LOCAL 201508311610'

Hope that helps!
Fraser

> It's got to do with the fact that the Parent certificate name (generated 
> automatically during install) is the same on both and because the domain 
> matches then firefox throws the ssl warning.
> 
> I have the same thing in my environments for production and dr where the 
> domain name is the same in both.
> 
> Regards,
> 
> Les
> 
> From: freeipa-users-boun...@redhat.com 
> [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Winfried de Heiden
> Sent: Tuesday, 22 September 2015 10:27 PM
> To: freeipa-users@redhat.com
> Subject: [Freeipa-users] sec_error_reused_issuer_and_serial
> 
> Hi all,
> 
> Playing around with freeipa on Fedora 22 after installing I cannot access the 
> UI. Firefox will tell "sec_error_reused_issuer_and_serial".
> 
> I already have a Freeipa (Fedora 21 based) and somewhere there seems to be 
> a conflict in the certificates. After using a different domain name all goes 
> well.
> 
> I want to test and try a few things on a test Freeipa server using the same 
> domain name. Deleting all certificates in Firefox or even trying a new and 
> clean profile did not help. How can I avoid this conflict?
> 
> Winfried
> 

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
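
Added example (not part of the original thread and not FreeIPA code): the error is raised when a browser that has already stored a certificate for some issuer DN and serial number is shown a different certificate carrying the same pair. The script checks two PEM certificates for that collision with the openssl CLI; the function names, the CN value, the serial 1 and the self-signed certificates it generates are constructed stand-ins for two installs' CA certificates.

```shell
#!/bin/sh
# Added example; function names and sample DNs are assumptions for illustration.
# Requires the openssl command-line tool.

# Print the issuer DN and serial number of a PEM certificate.
issuer_serial() {
    openssl x509 -in "$1" -noout -issuer -serial
}

# Print the SHA-256 fingerprint, which identifies the exact certificate.
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256
}

# Succeed when two files hold different certificates that share one
# (issuer, serial) pair: the condition the browser error reports.
collides() {
    [ "$(issuer_serial "$1")" = "$(issuer_serial "$2")" ] &&
        [ "$(fingerprint "$1")" != "$(fingerprint "$2")" ]
}

# Constructed sample input: a throwaway self-signed certificate standing in
# for one install's CA certificate. $1 = output file, $2 = Organization value.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -set_serial 1 \
        -subj "/O=$2/CN=Certificate Authority" \
        -keyout "$1.key" -out "$1" 2>/dev/null
}

demo() {
    d=$(mktemp -d)
    make_ca "$d/first.pem"   "IPA.LOCAL"
    make_ca "$d/second.pem"  "IPA.LOCAL"
    make_ca "$d/stamped.pem" "IPA.LOCAL 201508311610"
    if collides "$d/first.pem" "$d/second.pem"; then
        echo "first vs second: same issuer and serial, different certificate"
    fi
    if ! collides "$d/first.pem" "$d/stamped.pem"; then
        echo "first vs stamped: issuer DN differs, no collision"
    fi
    rm -rf "$d"
}
demo
```

Running `collides` against the CA certificates exported from two real installs shows whether a browser profile can hold both at once.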


Re: [Freeipa-users] sec_error_reused_issuer_and_serial

2015-09-22 Thread Les Stott
The only way to get around it, because you are using the same domain name, is 
to use different browsers to visit each site. Firefox for sitea, chrome for 
siteb.

It's got to do with the fact that the Parent certificate name (generated 
automatically during install) is the same on both and because the domain 
matches then firefox throws the ssl warning.

I have the same thing in my environments for production and dr where the domain 
name is the same in both.

Regards,

Les

From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Winfried de Heiden
Sent: Tuesday, 22 September 2015 10:27 PM
To: freeipa-users@redhat.com
Subject: [Freeipa-users] sec_error_reused_issuer_and_serial

Hi all,

Playing around with freeipa on Fedora 22 after installing I cannot access the 
UI. Firefox will tell "sec_error_reused_issuer_and_serial".

I already have a Freeipa (Fedora 21 based) and somewhere there seems to be a 
conflict in the certificates. After using a different domain name all goes well.

I want to test and try a few things on a test Freeipa server using the same 
domain name. Deleting all certificates in Firefox or even trying a new and clean 
profile did not help. How can I avoid this conflict?

Winfried


Re: [Freeipa-users] sec_error_reused_issuer_and_serial

2015-09-22 Thread Les Stott


> -Original Message-
> From: Fraser Tweedale [mailto:ftwee...@redhat.com]
> Sent: Wednesday, 23 September 2015 10:59 AM
> To: Les Stott
> Cc: Winfried de Heiden; freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] sec_error_reused_issuer_and_serial
> 
> On Tue, Sep 22, 2015 at 09:52:38PM +, Les Stott wrote:
> > The only way to get around it, because you are using the same domain
> > name, is to use different browsers to visit each site.
> > Firefox for sitea, chrome for siteb.
> >
> It is not the only way; you can flush your browser cache / offline data for
> the site and cause the browser to forget about the issuer.
> Certainly with Firefox this is possible (I don't use Chromium).
> 

This never worked for me. Or if it did, it made siteb accessible, but then 
sitea had the ssl error and vice versa.

> Or you can use separate Firefox profiles (again I am unsure if Chromium has
> this feature) for the separate installations.
> 
> Or for installations / experimentation, you can specify a different
> "Organization" component of the root issuer DN when installing FreeIPA.  I
> include a "timestamp" when installing test servers:
> 
> ipa-server-install --subject 'O=IPA.LOCAL 201508311610'

Never knew about that option. It would make sense if something like that was 
the default I think

Thanks for the info.

Regards,

Les



Re: [Freeipa-users] sec_error_reused_issuer_and_serial

2015-09-22 Thread Fraser Tweedale
On Wed, Sep 23, 2015 at 02:54:29AM +, Les Stott wrote:
> 
> 
> > -Original Message-
> > From: Fraser Tweedale [mailto:ftwee...@redhat.com]
> > Sent: Wednesday, 23 September 2015 10:59 AM
> > To: Les Stott
> > Cc: Winfried de Heiden; freeipa-users@redhat.com
> > Subject: Re: [Freeipa-users] sec_error_reused_issuer_and_serial
> > 
> > On Tue, Sep 22, 2015 at 09:52:38PM +, Les Stott wrote:
> > > The only way to get around it, because you are using the same domain
> > > name, is to use different browsers to visit each site.
> > > Firefox for sitea, chrome for siteb.
> > >
> > It is not the only way; you can flush your browser cache / offline data for
> > the site and cause the browser to forget about the issuer.
> > Certainly with Firefox this is possible (I don't use Chromium).
> > 
> 
> This never worked for me. Or if it did, it made siteb accessible, but then 
> sitea had the ssl error and vice versa.
> 
Yes, you have to keep doing it; it is not a permanent fix :)

> > Or you can use separate Firefox profiles (again I am unsure if Chromium has
> > this feature) for the separate installations.
> > 
> > Or for installations / experimentation, you can specify a different
> > "Organization" component of the root issuer DN when installing FreeIPA.  I
> > include a "timestamp" when installing test servers:
> > 
> > ipa-server-install --subject 'O=IPA.LOCAL 201508311610'
> 
> Never knew about that option. It would make sense if something like that was 
> the default I think
> 
I don't think we want it as a default.  A `--test' flag that injects
a timestamp or some randomness into the DN might be worthwhile.

Cheers,
Fraser
