https://bugzilla.redhat.com/show_bug.cgi?id=747959
Description of problem:
If re-installing an IPA server, the SSL cert for the IPA admin UI will get the same serial number as before. Firefox will then refuse to connect to the site with the error code sec_error_reused_issuer_and_serial

Version-Release number of selected component (if applicable):
ipa-server-2.1.1-4

How reproducible:
every time

Steps to Reproduce:
1. ipa-server-install --uninstall
2. ipa-server-install
3. Connect to ipa server using firefox

Additional info:
Maybe the certificate can be in some way tied to the time-stamp? That would be an easy way of making it monotonically increasing.
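The failure mode in the report above, as an added example (not FreeIPA or Dogtag code): a CA whose serial counter restarts at 1 on reinstall re-issues an (issuer, serial) pair the browser has already pinned, while a random serial does not. The block also checks the RFC 5280 4.1.2.2 constraints a serial must meet (positive, at most 20 octets in DER), which is what bounds how many random bits a serial may carry. The issuer DN, the counter-restart model and the helper names are assumptions made for the illustration.

```python
"""Added example: sequential serials that restart on reinstall collide with
the browser's (issuer, serial) cache; random serials within RFC 5280 limits do
not. Not part of FreeIPA or Dogtag; names and data below are constructed."""
import secrets

# RFC 5280 4.1.2.2: serialNumber is a positive INTEGER and conforming CAs
# MUST NOT use values longer than 20 octets once DER-encoded.
MAX_SERIAL_OCTETS = 20


def der_integer(value: int) -> bytes:
    """DER-encode a non-negative INTEGER (tag 0x02, minimal two's complement)."""
    if value < 0:
        raise ValueError("negative integers are not valid serial numbers")
    # One extra bit keeps the top bit clear, so the value stays positive.
    content = value.to_bytes((value.bit_length() + 8) // 8, "big")
    length = len(content)
    if length < 0x80:
        header = bytes([0x02, length])
    else:  # long-form length, not reachable for serial-sized values
        lb = length.to_bytes((length.bit_length() + 7) // 8, "big")
        header = bytes([0x02, 0x80 | len(lb)]) + lb
    return header + content


def is_valid_serial(value: int) -> bool:
    """True if positive and at most 20 content octets in DER."""
    return value > 0 and (value.bit_length() + 8) // 8 <= MAX_SERIAL_OCTETS


def random_serial(bits: int = 159) -> int:
    """Random positive serial with `bits` bits of entropy.

    159 is the widest value that always fits in 20 DER octets (bit 160 would
    be the sign bit). Zero is rejected because a serial must be positive.
    """
    if bits > MAX_SERIAL_OCTETS * 8 - 1:
        raise ValueError("serial would exceed 20 DER octets")
    while True:
        serial = secrets.randbits(bits)
        if serial > 0:
            return serial


class SequentialSerials:
    """Assumed model of the ticket's CA: counter starts at 1 on every install."""

    def __init__(self) -> None:
        self.next = 1

    def issue(self) -> int:
        serial, self.next = self.next, self.next + 1
        return serial


class RandomSerials:
    """CA that draws each serial at random (what the feature request asks for)."""

    def issue(self) -> int:
        return random_serial()


def issued_after_reinstall(issuer: str, make_ca, certs_per_install: int = 2) -> set:
    """Install a CA, issue certs, uninstall, reinstall with fresh state, issue
    again. Return the (issuer, serial) pairs that were issued twice, i.e.
    exactly what triggers sec_error_reused_issuer_and_serial in Firefox."""
    seen, reused = set(), set()
    for _install in range(2):  # first install, then the reinstall
        ca = make_ca()
        for _ in range(certs_per_install):
            serial = ca.issue()
            assert is_valid_serial(serial), "CA produced an invalid serial"
            key = (issuer, serial)
            if key in seen:
                reused.add(key)
            seen.add(key)
    return reused


if __name__ == "__main__":
    issuer = "CN=Certificate Authority,O=EXAMPLE.TEST"  # constructed DN
    print("sequential:", issued_after_reinstall(issuer, SequentialSerials))
    print("random    :", issued_after_reinstall(issuer, RandomSerials))
    print("159-bit serial DER length:", len(der_integer(2**159 - 1)), "bytes")
```

Run stand-alone it reports the two reused pairs for the sequential CA and none for the random one. The 159-bit bound is why a larger random serial can be rejected by tooling that enforces the 20-octet limit.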
There is a workaround:
Firefox:
- remove certificate exceptions and/or CA certificate (preferences/encryption/'view certificates')
- clear offline storage (preferences/advanced/network/'clear now')
- refresh page

Chrome:
- chrome://settings/clearBrowserData
Not planned for dogtag 10, moving to NEEDS_TRIAGE.
By default, have random serial numbers in IPA; define the starting serial number as an option.
https://fedorahosted.org/pki/milestone/Random Serial Numbers Effort
The dogtag ticket for the installer option is https://fedorahosted.org/pki/ticket/323
Moving unfinished March tickets to April milestone.
Ticket 323 was for the 8.1 version of these changes. For dogtag 10 these are the tickets to watch:
https://fedorahosted.org/pki/ticket/569
https://fedorahosted.org/pki/ticket/570
https://fedorahosted.org/pki/ticket/579
https://fedorahosted.org/pki/ticket/580
Currently in the 10.0.2 milestone.
Moving to next IPA Milestone as this is not going to be ready in time for the beta.
This feature is just being ported to dogtag 10 now. There is no point in rushing this, pushing it to the next release.
We will need to pass an option to pkispawn to enable random serial numbers.
We will also need to decide if the serial numbers will be random in IPA by default or whether we will add an option to ipa-server-install.
AFAICT I just need to set pki_random_serial_numbers_enable to True in the config file when installing.
The code in dogtag doesn't seem quite ready yet, even to call it experimental in IPA. Moving the target forward a bit.
As per Nathan's comment, the underlying PKI feature is not ready yet for default enrollment in F19 - moving to NEEDS_TRIAGE to re-triage this ticket.
3.4 development was shifted for one month, moving tickets to reflect reality better.
Adjusting time plan - 3.4 development was postponed as we focused on 3.3.x testing and stabilization.
Related discussion: http://www.redhat.com/archives/freeipa-devel/2014-April/msg00074.html
This was not completed in 4.0 time frame and is a too big change for such. Moving to next feature release.
Stretch goal of 4.2, this will likely not fit.
Moving to 4.3, we are too close to 4.2 deadline to be able to handle stretch RFEs.
A thought: when implemented, do we make random serial numbers the default, or optional? What do users / customers expect?
My hunch is that they would expect sequential serial numbers (starting from 1) to be the default. If so, this ticket gives minimal benefit w.r.t. the "reissued issuer and serial" problem. Users still have to "know about" the option to get the benefit, just like other existing workarounds e.g. --subject.
Thoughts?
I do not think we can change the default; however, as we add more and more such options we can have something like a wrapper install script for a specific category of use cases. For example, I expect that if we define a developer/test environment wrapper script, this option would probably be on by default.
Metadata Update from @rcritten:
- Issue assigned to ftweedal
- Issue set to the milestone: FreeIPA 4.5 backlog
Metadata Update from @ftweedal:
- Assignee reset
Metadata Update from @rcritten:
- Issue assigned to rcritten
dogtag 11.2.0 will introduce Random Serial Numbers v3. It is currently in rawhide (F37).

https://github.com/dogtagpki/pki/blob/master/docs/installation/ca/Installing-CA-with-Random-Serial-Numbers-v3.adoc
https://github.com/dogtagpki/pki/wiki/Configuring-CA-with-Random-Serial-Numbers-v3
https://github.com/dogtagpki/pki/wiki/Configuring-KRA-with-Random-Serial-Numbers-v3
Upstream test PR https://github.com/freeipa/freeipa/pull/6249
Filed https://github.com/dogtagpki/pki/issues/3996 to track issuing a temporary certificate in pki-server certfix. certutil complains about a serial number being too large.
Metadata Update from @rcritten:
- Issue close_status updated to: None
- Issue set to the milestone: None (was: FreeIPA 4.5 backlog)
master:
Metadata Update from @frenaud:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)
ipa-4-10:
Metadata Update from @abbra:
- Custom field changelog adjusted to: During installation, FreeIPA CA now is configured to assign random serial numbers to issued certificates. The feature is only available when Dogtag PKI 11.2 or later is in use. Design document: https://freeipa.readthedocs.io/en/ipa-4-10/designs/random-serial-numbers.html