Updating a certificate for a FreeIPA web server

As I install, uninstall, and re-install FreeIPA, I start getting: sec_error_reused_issuer_and_serial. This used to be a minor annoyance, solved by clearing the certificates out of the browser and restarting it. Recent versions of Firefox have complained even after doing this, leading to the current approach: clear your browser cache. Instead, you can update the certificate on the web server; this gives you a cert with a new serial number and avoids the error message.

Updating the certificate for your IPA server is somewhat labor intensive, but here’s how to do it.

A FreeIPA install keeps the certificate database for the web server in /etc/httpd/alias. The passphrase for this database is stored in the file /etc/httpd/alias/pwdfile.txt.

First, generate a Certificate Signing Request:

certutil -R -s "CN=$HOSTNAME" -d /etc/httpd/alias/ -f /etc/httpd/alias/pwdfile.txt -g 1024 -a > $HOSTNAME.csr

This will prompt you to type random characters into a buffer, to provide entropy for key generation. Once it has generated the request, send it to IPA for signing, then import the signed certificate into your web server's NSS database:

ipa cert-request ./$HOSTNAME.csr --principal=HTTP/`hostname` > $HOSTNAME.crt
awk '/Certificate:/ {print $3}' $HOSTNAME.crt | certutil -A -d /etc/httpd/alias/ -n "Server-Cert" -t "u,u,u" -a -f /etc/httpd/alias/pwdfile.txt

And restart your web server:

service ipa restart

And, of course, restart your browser.

A similar approach will work for any Apache httpd using mod_nss, but you will have to change the step where you get the new certificate.

UPDATE: here is a simple script you can use to do it all in one command. It uses the ipa command to get the certificate into the right format, so you don't need awk.

#!/bin/sh
# The post does not show where CSR, CERT and PRINCIPAL come from; these
# definitions are assumed, following the file names and service principal
# used in the manual steps above.
CSR=$HOSTNAME.csr
CERT=$HOSTNAME.crt
PRINCIPAL=HTTP/$HOSTNAME

# -g 1024 matches the manual step above; current deployments use 2048 bits or more.
certutil -R -s "CN=$HOSTNAME" -d /etc/httpd/alias/ -f /etc/httpd/alias/pwdfile.txt -g 1024 -a > "$CSR"
ipa cert-request "$CSR" --principal="$PRINCIPAL"
# service-show --out writes the signed certificate as a PEM file certutil can import directly
ipa service-show "$PRINCIPAL" --out "$CERT"
certutil -A -d /etc/httpd/alias/ -n "Server-Cert" -t "u,u,u" -a -f /etc/httpd/alias/pwdfile.txt -i "$CERT"

rm "$CERT"
rm "$CSR"
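The manual steps and the script above both hinge on the same two things: getting the text that `ipa cert-request` prints into a form certutil will import, and ending up with a certificate whose serial number differs from the old one under the same issuer (the pair Firefox keys sec_error_reused_issuer_and_serial on). The following is an added example, not code from the post: it parses constructed sample `ipa cert-request` output, wraps the base64 body in PEM armour (what the awk step was doing by hand), and checks that the re-issued certificate really has a new issuer/serial identity. The sample field names follow ipa's "Field: value" output layout; the certificate bodies and serials are placeholders.

```shell
#!/bin/sh
# Added example (not part of the original post). Works on constructed sample
# output so it runs offline; point ipa_field/ipa_cert_to_pem at real
# `ipa cert-request` output to use it for real.

# Constructed sample of `ipa cert-request` output for the old and new cert.
# The base64 bodies are placeholders, not real certificates.
SAMPLE_OLD='  Certificate: MIIBsamplebase64OLDcertbody0123456789abcdef
  Subject: CN=ipa.example.test,O=EXAMPLE.TEST
  Issuer: CN=Certificate Authority,O=EXAMPLE.TEST
  Serial number: 7
  Serial number (hex): 0x7'

SAMPLE_NEW='  Certificate: MIIBsamplebase64NEWcertbodyfedcba9876543210
  Subject: CN=ipa.example.test,O=EXAMPLE.TEST
  Issuer: CN=Certificate Authority,O=EXAMPLE.TEST
  Serial number: 8
  Serial number (hex): 0x8'

# Print the value of one "  Field: value" line read from stdin.
# Matching on the exact "  key: " prefix keeps "Serial number" from
# also matching "Serial number (hex)".
ipa_field() {
    awk -v key="$1" 'index($0, "  " key ": ") == 1 { sub("^  " key ": ", ""); print; exit }'
}

# Wrap the bare base64 blob from the Certificate: line in PEM armour,
# folded to 64 columns, the form certutil -A -a expects.
ipa_cert_to_pem() {
    printf '%s\n' "-----BEGIN CERTIFICATE-----"
    ipa_field Certificate | fold -w 64
    printf '%s\n' "-----END CERTIFICATE-----"
}

# issuer|serial is the identity the browser caches; print it for one cert.
cert_identity() {
    printf '%s|%s\n' "$(printf '%s\n' "$1" | ipa_field Issuer)" \
                     "$(printf '%s\n' "$1" | ipa_field 'Serial number')"
}

# Succeed (status 0) only if the new cert's issuer/serial differs from the old.
serial_changed() {
    [ "$(cert_identity "$1")" != "$(cert_identity "$2")" ]
}

if serial_changed "$SAMPLE_OLD" "$SAMPLE_NEW"; then
    echo "new serial: $(printf '%s\n' "$SAMPLE_NEW" | ipa_field 'Serial number')"
    printf '%s\n' "$SAMPLE_NEW" | ipa_cert_to_pem
else
    echo "issuer and serial unchanged; the browser will keep complaining" >&2
fi
```

In practice you would capture the output of `ipa cert-request` into a variable, feed it through `ipa_cert_to_pem` into `certutil -A ... -a`, and compare `cert_identity` of the new output against the Server-Cert you are replacing before restarting the service.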

One thought on “Updating a certificate for a FreeIPA web server”

  1. Hey Adam,

    I do this to alleviate the ‘sec_error_reused_issuer_and_serial’ problem: (I keep creating a bunch of CA instances)

    1/ Fire up the Firefox profile manager,
    # firefox -ProfileManager

    2/ Delete the profile (assuming it’s just a test profile) which has all the old CA/other subsystem certs in it.

    3/ Use a new profile every time you configure subsystems via Firefox.