Bug 747959 - [RFE] Support random serial numbers in IPA certificates

Status: ASSIGNED
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.0
Hardware / OS: Unspecified / Unspecified
Priority: low
Severity: low
Target Milestone: rc
Target Release: ---
Assigned To: Martin Kosek
QA Contact: Namita Soman
Keywords: FutureFeature
Duplicates: 1346993
Doc Type: Enhancement
Reported: 2011-10-21 09:58 EDT by David Juran
Modified: 2016-06-22 13:16 EDT

External Trackers
Tracker                            ID      Last Updated
Red Hat Knowledge Base (Solution)  384303  2016-04-14 10:45 EDT
Red Hat Knowledge Base (Solution)  873193  2016-04-14 10:44 EDT

Description David Juran 2011-10-21 09:58:48 EDT
Description of problem:
If re-installing an IPA server, the SSL cert for the IPA admin UI will get the same serial number as before. Firefox will then refuse to connect to the site with the error code sec_error_reused_issuer_and_serial 

Version-Release number of selected component (if applicable):
ipa-server-2.1.1-4

How reproducible:
every time

Steps to Reproduce:
1. ipa-server-install --uninstall
2. ipa-server-install
3. Connect to ipa server using firefox
  
Additional info:

Maybe the certificate can be in some way tied to the time-stamp? That would be an easy way of making it monotonically increasing.
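The failure in the description, a re-created CA with the same issuer DN handing out a serial that the browser has already seen, and the random-serial fix this RFE asks for, are shown in the added example below. It is written for this page and is not FreeIPA or Dogtag code; it uses only the Python standard library. It contains a CSPRNG serial generator that stays within RFC 5280's 20-octet limit (including the two's-complement padding pitfall that makes a full 160-bit serial 21 octets long), a minimal DER reader that pulls serialNumber out of a certificate, and a check for issuer/serial pairs seen twice, which is the condition behind sec_error_reused_issuer_and_serial. The issuer DN and the certificate headers fed to it are constructed test data, not real certificates.

```python
"""X.509 serial-number hygiene, standard library only (added example for this
bug page, not FreeIPA or Dogtag code). Constructed data is marked as such."""
import secrets

MAX_SERIAL_OCTETS = 20  # RFC 5280 4.1.2.2: serialNumber MUST be <= 20 octets


def der_integer_bytes(n: int) -> bytes:
    """DER INTEGER content octets for non-negative n. DER is two's complement,
    so a leading 0x00 is added when the top bit is set; this is why a full
    160-bit serial takes 21 octets and breaks the limit."""
    if n < 0:
        raise ValueError("serial numbers must be positive")
    body = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    return b"\x00" + body if body[0] & 0x80 else body


def serial_fits(n: int) -> bool:
    """True if n encodes within the 20-octet limit."""
    return len(der_integer_bytes(n)) <= MAX_SERIAL_OCTETS


def random_serial(entropy_bits: int = 159) -> int:
    """Positive serial from the OS CSPRNG. 159 bits always fits in 20 octets;
    the CA/Browser Forum floor of 64 bits is enforced as the minimum."""
    if not 64 <= entropy_bits <= 159:
        raise ValueError("entropy_bits must be between 64 and 159")
    while True:
        n = secrets.randbits(entropy_bits)
        if n > 0:  # zero is not a valid serial
            return n


def _read_tlv(buf: bytes, pos: int):
    """Parse one DER TLV at buf[pos]; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        nbytes = length & 0x7F
        if not 1 <= nbytes <= 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, pos, pos + length


def der_serial(cert_der: bytes) -> int:
    """serialNumber of a DER Certificate: SEQUENCE { tbsCertificate SEQUENCE {
    version [0] EXPLICIT OPTIONAL, serialNumber INTEGER, ... } ... }."""
    tag, tbs_start, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE; is the input PEM rather than DER?")
    tag, pos, _ = _read_tlv(cert_der, tbs_start)
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, vstart, vend = _read_tlv(cert_der, pos)
    if tag == 0xA0:  # optional [0] version present: skip it
        tag, vstart, vend = _read_tlv(cert_der, vend)
    if tag != 0x02:
        raise ValueError("expected INTEGER serialNumber")
    content = cert_der[vstart:vend]
    if len(content) > MAX_SERIAL_OCTETS:
        raise ValueError(f"serial is {len(content)} octets, limit is 20")
    return int.from_bytes(content, "big", signed=True)


def reused_pairs(certs):
    """(issuer, serial) keys seen more than once in an iterable of
    (issuer_dn, cert_der). This repeat is what a browser rejects after a
    reinstall recreates the CA with the same DN and restarts its counter."""
    counts = {}
    for issuer, der in certs:
        key = (issuer, der_serial(der))
        counts[key] = counts.get(key, 0) + 1
    return [key for key, n in counts.items() if n > 1]


# Constructed test data, NOT real certificates: only the head of tbsCertificate.
def _tlv(tag: int, content: bytes) -> bytes:
    assert len(content) < 0x80, "short-form lengths only in this test helper"
    return bytes([tag, len(content)]) + content


def fake_cert_header(serial: int) -> bytes:
    version = _tlv(0xA0, _tlv(0x02, b"\x02"))  # [0] EXPLICIT INTEGER 2 (v3)
    tbs = _tlv(0x30, version + _tlv(0x02, der_integer_bytes(serial)))
    return _tlv(0x30, tbs)


ISSUER = "CN=Certificate Authority,O=EXAMPLE.TEST"  # constructed issuer DN

if __name__ == "__main__":
    # Sequential serials: the reinstall hands out serials 1 and 2 again.
    before = [(ISSUER, fake_cert_header(s)) for s in (1, 2, 3)]
    after = [(ISSUER, fake_cert_header(s)) for s in (1, 2)]
    print("sequential:", reused_pairs(before + after))
    # Random serials: two installs cannot collide in practice.
    print("random:", reused_pairs([(ISSUER, fake_cert_header(random_serial())) for _ in range(6)]))
```

To run the check against real material, pair the DER of the old and new httpd certificates (for example from `openssl x509 -in cert.pem -outform DER`) with their issuer DN; the parser reads only the head of tbsCertificate, so any conforming certificate works. A timestamp-based serial, as suggested above, would be unique across reinstalls but still predictable; the CSPRNG serial also removes the predictability.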
Comment 2 Rob Crittenden 2011-10-21 10:18:08 EDT
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/2016
Comment 3 David Juran 2011-10-21 10:36:51 EDT
Workaround: http://adam.younglogic.com/2011/08/httpd-cert/
Comment 13 Petr Vobornik 2016-06-22 13:16:47 EDT
*** Bug 1346993 has been marked as a duplicate of this bug. ***