In a recent customer case, IPA RA certificate authentication to pki-tomcatd was failing. It was quite hard to diagnose, but turned out to be that the IPA RA cert had the same serial number as the LDAP service certificate. pki-tomcatd had already seen the LDAP certificate (due to ldaps connection). As a consequence, when it saw the IPA RA certificate with the same serial number, it rejected it.
(The duplicate serial number probably arose due to replication and/or range conflicts.)
Update health check tool to detect cases of duplicate issuer/serial on IPA infra system certificates. It should load the whole set of relevant certificates on the host, and check for duplicates.
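A sketch of the duplicate issuer/serial check requested above, added here as an illustration and not taken from the health check tool's code. The function names are hypothetical, issuers are compared byte-for-byte on their DER encoding (an assumption), and the sample inputs are constructed DER skeletons rather than real certificates.

```python
from collections import defaultdict
def _tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, content_start, content_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def issuer_serial(der):
    """Return (issuer Name as raw DER bytes, serial as int) for one certificate."""
    _, pos, _ = _tlv(der, 0)                # Certificate SEQUENCE
    _, pos, _ = _tlv(der, pos)              # tbsCertificate SEQUENCE
    tag, start, end = _tlv(der, pos)
    if tag == 0xA0:                         # optional [0] version wrapper
        tag, start, end = _tlv(der, end)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER not found")
    serial = int.from_bytes(der[start:end], "big", signed=True)
    _, _, alg_end = _tlv(der, end)          # signature AlgorithmIdentifier
    _, _, iss_end = _tlv(der, alg_end)      # issuer Name
    return der[alg_end:iss_end], serial

def find_duplicates(certs):
    """certs maps label -> DER bytes; return groups of labels sharing issuer+serial."""
    seen = defaultdict(list)
    for label, der in certs.items():
        seen[issuer_serial(der)].append(label)
    return sorted(sorted(labels) for labels in seen.values() if len(labels) > 1)

# --- constructed sample data: DER skeletons, not real certificates ---
def _der(tag, *parts):
    body = b"".join(parts)
    return bytes([tag, len(body)]) + body   # short-form length, enough for this sample
def _name(cn):
    return _der(0x30, _der(0x31, _der(0x30, b"\x06\x03\x55\x04\x03", _der(0x0C, cn.encode()))))
def _cert(serial, issuer_cn, subject_cn):
    alg = bytes.fromhex("300d06092a864886f70d01010b0500")  # sha256WithRSAEncryption
    tbs = _der(0x30, b"\xa0\x03\x02\x01\x02", _der(0x02, bytes([serial])),
               alg, _name(issuer_cn), _name(subject_cn))
    return _der(0x30, tbs)
SAMPLE = {
    "IPA RA": _cert(7, "Example CA", "IPA RA"),
    "LDAP service": _cert(7, "Example CA", "ldap host"),
    "HTTP service": _cert(9, "Example CA", "http host"),
    "other issuer": _cert(7, "Other CA", "unrelated"),  # same serial, different issuer
}
```

`find_duplicates(SAMPLE)` reports the IPA RA and LDAP service entries as one group; the certificate with the same serial from a different issuer is not flagged, because the key is the issuer/serial pair.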
I'm going to close this as wontfix. Doing a sort of manual de-dup of the certificate server seems out-of-bounds for a standalone script. I could validate that all of the on-disk certs are unique but what are the consequences if they aren't, etc. I think this is beyond a health checker as this points to a deeper issue.
Moved from https://pagure.io/freeipa/issue/8231