In a recent customer case, IPA RA certificate authentication to pki-tomcatd was failing. It was quite hard to diagnose, but turned out to be that the IPA RA cert had the same serial number as the LDAP service certificate. pki-tomcatd had already seen the LDAP certificate (due to ldaps connection). As a consequence, when it saw the IPA RA certificate with the same serial number, it rejected it.
(The duplicate serial number probably arose due to replication and/or range conflicts).
Update health check tool to detect cases of duplicate issuer/serial on IPA infra system certificates. It should load the whole set of relevant certificates on the host, and check for duplicates.
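As an added illustration of the proposed check (not freeipa-healthcheck's own code), the following Python walks the DER structure of each certificate to pull out issuer and serialNumber, then groups certificates by that pair; anything held by more than one certificate is reported. Loading the certificates from the host's NSS databases and PEM files is left to the caller; the parser follows the X.509 Certificate layout so it accepts real DER certificates, but the sample certificates and their labels below are constructed for the example and are not real IPA certificates.

```python
from collections import defaultdict

def _tlv(data, pos=0):
    """Decode one DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def issuer_serial(der):
    """Return (issuer Name as DER bytes, serial as int) from a DER X.509 cert."""
    _, cert, _ = _tlv(der)       # Certificate ::= SEQUENCE { tbs, sigAlg, sig }
    _, tbs, _ = _tlv(cert)       # TBSCertificate
    tag, _, pos = _tlv(tbs)      # version [0] EXPLICIT is OPTIONAL
    if tag != 0xA0:
        pos = 0                  # no version field: serialNumber comes first
    tag, serial, pos = _tlv(tbs, pos)
    if tag != 0x02:
        raise ValueError("expected INTEGER serialNumber")
    _, _, pos = _tlv(tbs, pos)   # signature AlgorithmIdentifier, skipped
    _, issuer, _ = _tlv(tbs, pos)  # issuer Name (SEQUENCE of RDNs), kept as raw DER
    return issuer, int.from_bytes(serial, "big", signed=True)

def find_duplicates(certs):
    """certs: label -> DER bytes. Returns {(issuer_hex, serial): [labels]} for pairs shared by 2+ certs."""
    seen = defaultdict(list)
    for label, der in certs.items():
        issuer, serial = issuer_serial(der)
        seen[(issuer.hex(), serial)].append(label)
    return {key: labels for key, labels in seen.items() if len(labels) > 1}

def _enc(tag, body):
    """Minimal DER encoder used only to build the constructed sample certs below."""
    length = bytes([len(body)]) if len(body) < 0x80 else b"\x82" + len(body).to_bytes(2, "big")
    return bytes([tag]) + length + body

def _sample_cert(issuer_cn, serial):
    """Constructed cert skeleton: version, serial, empty sigAlg, issuer CN; no key or signature."""
    rdn = _enc(0x31, _enc(0x30, _enc(0x06, b"\x55\x04\x03") + _enc(0x0C, issuer_cn.encode())))
    serial_der = _enc(0x02, serial.to_bytes(serial.bit_length() // 8 + 1, "big"))
    tbs = _enc(0x30, _enc(0xA0, _enc(0x02, b"\x02")) + serial_der + _enc(0x30, b"") + _enc(0x30, rdn))
    return _enc(0x30, tbs + _enc(0x30, b"") + _enc(0x03, b"\x00"))

SAMPLE_CERTS = {  # constructed; the first two reproduce the collision described in the ticket
    "LDAP service cert": _sample_cert("Certificate Authority", 0x1A),
    "IPA RA cert": _sample_cert("Certificate Authority", 0x1A),
    "HTTP service cert": _sample_cert("Certificate Authority", 0x1B),
    "External CA cert": _sample_cert("Other CA", 0x1A),  # same serial, other issuer: not a duplicate
}
```

Running `find_duplicates(SAMPLE_CERTS)` reports only the LDAP and RA certificates, which share both issuer and serial; the external CA certificate with the same serial under a different issuer is correctly left alone.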
Moved to https://github.com/freeipa/freeipa-healthcheck/issues/122
Closing.
Metadata Update from @rcritten:
- Issue close_status updated to: duplicate
- Issue status updated to: Closed (was: Open)