RFE: Add certificate serial number uniqueness check #122
Comments
|
I'm going to close this as wontfix. Doing a sort of manual de-dup of the certificate server seems out-of-bounds for a standalone script. I could validate that all of the on-disk certs are unique but what are the consequences if they aren't, etc. I think this is beyond a health checker as this points to a deeper issue. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Moved from https://pagure.io/freeipa/issue/8231
In a recent customer case, IPA RA certificate authentication to pki-tomcatd was failing. It was quite hard to diagnose, but turned out to be that the IPA RA cert had the same serial number as the LDAP service certificate. pki-tomatd had already seen the LDAP certificate (due to ldaps connection). As a consequence, when it saw the IPA RA certificate with the same serial number, it rejected it.
(The duplicate serial number probably arose due to replication and/or range conflicts).
Update health check tool to detect cases of duplicate issuer/serial on IPA infra system certificates. It should load the whole set of relevant certificates on the host, and check for duplicates.
The text was updated successfully, but these errors were encountered: