Bug 1346993

Summary: Secure Connection Failed, Post ipa-server-install, no external CA being used
Product: Red Hat Enterprise Linux 7 Reporter: J. M. Becker <j.becker>
Component: ipaAssignee: IPA Maintainers <ipa-maint>
Status: CLOSED DUPLICATE QA Contact: Kaleem <ksiddiqu>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 7.4CC: pvoborni, rcritten
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-06-22 17:16:47 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
secure_connection_failed none

Description J. M. Becker 2016-06-15 18:38:28 UTC 
Created attachment 1168470 [details]
secure_connection_failed

OK so in response to the difficulties of doing  this with an external-ca, I attempted the ipa-server-install as a self-signed CA.  Default --subject, as customizing that caused another bug which I've reported.

Generally I'd expect to see, an untrusted certificate warning, rather than an SSL error.
Comment 1 J. M. Becker 2016-06-15 18:39:31 UTC 
FreeIPA installed from RHEL7 Packages, 4.2.0-15 el7_2.15
Comment 2 J. M. Becker 2016-06-15 19:04:24 UTC 
Strangly When I used a properly parsed --subject, this error did not occur.
Comment 4 Petr Vobornik 2016-06-17 16:00:24 UTC 
Looks like duplicate of bug 747959

This error page is displayed by browser, IPA cannot change it content. It is caused by the fact that server was reinstalled and then CA cert has exactly the same subject and serial number. Solution is to remove the old cert - exception or CA cert from browser and probably restart the browser.
Comment 5 J. M. Becker 2016-06-17 17:54:40 UTC 
(In reply to Petr Vobornik from comment #4)
> Looks like duplicate of bug 747959
> 
> This error page is displayed by browser, IPA cannot change it content. It is
> caused by the fact that server was reinstalled and then CA cert has exactly
> the same subject and serial number. Solution is to remove the old cert -
> exception or CA cert from browser and probably restart the browser.


This makes sense.

Can the certificates created during ipa-server-install be more fully purged after ipa-server-install --uninstall ?
Comment 6 Rob Crittenden 2016-06-17 18:21:02 UTC 
No because the certificates are on whatever client accessed the server.
Comment 7 Petr Vobornik 2016-06-22 17:16:47 UTC 
Per IdM triage on Jul 21, closing as duplicate of bug 747959

*** This bug has been marked as a duplicate of bug 747959 ***