Closed Bug 457528 Opened 16 years ago Closed 16 years ago

Certificate for localhost.localdomain reports sec_error_reused_issuer_and_serial instead of sec_error_unknown_issuer

Categories: NSS :: Libraries, defect
Version: 3.12.2
Type: defect
Priority: Not set
Severity: normal

Tracking: Not tracked

Status: RESOLVED WONTFIX

People: Reporter: eddy_nigg, Assigned: nelson

Details

Visit or create a self-signed certificate for localhost.localdomain issued by localhost.localdomain. Assign to the certificate a serial number (00). Access the site with a specific URL (like domain.com). 

Use the same certificate or create a new one with the same parameters as above. Access this site too, but with a different URL (like other.com).

The error reported is:

An error occurred during a connection to other.com.

You have received an invalid certificate.  Please contact the server administrator or email correspondent and give them the following information:

Your certificate contains the same serial number as another certificate issued by the certificate authority.  Please get a new certificate containing a unique serial number.

(Error code: *sec_error_reused_issuer_and_serial*)

I expected to receive *sec_error_unknown_issuer* instead of the error above.
Flags: blocking1.9.1?
> create a new one with the same parameters as above.
That's called "reusing a serial number".  
It's invalid, even in self-signed certs. 
No two different certs may bear the same issuer name AND serial number.
Never.
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → INVALID
Obviously! But I'd prefer to know FIRST if this is a legitimate cert chained to a trusted root before I start bothering about why it issued the same serial twice. Or in other words, I wouldn't care if I'd known in the first place that the cert was self-issued.
And Nelson, next time please read the description more carefully, because the issue is NOT that the same issuer used the same serial twice, it's that the sequence and priority of errors is wrong.
Status: RESOLVED → REOPENED
Resolution: INVALID → ---
Is there a bug about "please get a new certificate"? Telling that to a user makes absolutely no sense.

Also, is there a bug about it not pointing to the other certificate? The error isn't particularly helpful on its own.
Status: REOPENED → NEW
Summary: Certificate for localhost.localdomain reports sec_error_reused_issuer_and_serial → Certificate for localhost.localdomain reports sec_error_reused_issuer_and_serial instead of sec_error_unknown_issuer
Eddy, It's only a bug if it's not working as designed and intended.
But it is working as designed and intended.
You would like the design and intent to be different, I gather. 
But that's just not going to change any time soon.  

Timeless, I don't understand your comment 4.  I think maybe it's a complaint
about the text of some error messages displayed by the browser somewhere?
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → WONTFIX
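The rule Nelson states above (no two different certs may carry the same issuer name and serial number) and the error ordering Eddy is asking for can be modelled in a few lines. The Python below is an added illustration written for this page, not NSS code; the Cert class, CertCache, the trust-anchor name and the placeholder DER bytes are constructed assumptions. It replays the two-site session from the report under both orderings: the one the thread describes (reuse detected when the second cert is imported, before any trust decision) and the one the reporter would prefer (trust decided first).

```python
import hashlib
from dataclasses import dataclass

REUSED = "sec_error_reused_issuer_and_serial"
UNKNOWN_ISSUER = "sec_error_unknown_issuer"
OK = "ok"


@dataclass(frozen=True)
class Cert:
    """Hypothetical minimal model of the fields discussed in the bug (not NSS's CERTCertificate)."""
    issuer: str
    subject: str
    serial: int
    der: bytes  # constructed placeholder standing in for the encoded certificate

    def fingerprint(self) -> str:
        # Two certs are "the same cert" only if their encodings match byte for byte.
        return hashlib.sha256(self.der).hexdigest()


class CertCache:
    """Remembers every cert seen in a session, keyed by (issuer, serial) like a temporary cert store."""

    def __init__(self):
        self._by_key = {}

    def check_reuse(self, cert):
        """Return REUSED if a different cert with the same issuer+serial was already seen, else record it."""
        key = (cert.issuer, cert.serial)
        seen = self._by_key.get(key)
        if seen is None:
            self._by_key[key] = cert.fingerprint()
            return None
        if seen != cert.fingerprint():
            return REUSED
        return None  # identical cert seen again: no conflict


def verify_nss_order(cert, cache, trusted_issuers):
    """Ordering the thread describes: the reuse conflict fires first, the issuer is examined afterwards."""
    err = cache.check_reuse(cert)
    if err:
        return err
    if cert.issuer not in trusted_issuers:
        return UNKNOWN_ISSUER
    return OK


def verify_reporter_order(cert, cache, trusted_issuers):
    """Ordering the reporter asks for: an untrusted issuer is reported before any serial-reuse complaint."""
    if cert.issuer not in trusted_issuers:
        cache.check_reuse(cert)  # still record the cert so later conflicts stay visible
        return UNKNOWN_ISSUER
    return cache.check_reuse(cert) or OK


def replay(verify):
    """Replay the two sites from the report (constructed sample certs) and return the error seen per site."""
    trusted = {"CN=Example Trusted Root"}  # hypothetical trust anchor; localhost.localdomain is not in it
    cache = CertCache()
    # Both certs are self-issued by localhost.localdomain with serial 00, but differ in content.
    site1 = Cert("localhost.localdomain", "localhost.localdomain", 0, b"constructed-der-for-domain.com")
    site2 = Cert("localhost.localdomain", "localhost.localdomain", 0, b"constructed-der-for-other.com")
    return {
        "domain.com": verify(site1, cache, trusted),
        "other.com": verify(site2, cache, trusted),
    }


if __name__ == "__main__":
    print("NSS-style order:     ", replay(verify_nss_order))
    print("reporter's order:    ", replay(verify_reporter_order))
```

Under the first ordering the second site reports sec_error_reused_issuer_and_serial exactly as in the description, because the (issuer, serial) pair is already in the cache with a different fingerprint; under the second both sites report sec_error_unknown_issuer, which is the outcome the reporter expected. Note that the reuse check still has to run even for untrusted issuers, otherwise a colliding cert would silently replace the earlier one in the cache.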
In that case the design is wrong IMO. Why should I bother about same serials if the certificate is issued by localhost.localdomain? Had I known that the certificate wasn't legitimate and was issued by localhost.localdomain (sic), I wouldn't have cared about the same serial; I'd not visit that page. But because I expected the site I visited to have a certificate issued by us, I had to work around it just to realize that the certificate wasn't even issued by us.
Eddy, I know you're a pretty careful CA, and you don't reuse serial numbers.
So, the error message about reused serial numbers should be a big clue that
the cert did not come from your CA.  :)
LOL...believe me I changed colors a few times before finding out. I never imagined that I'd come across different site certificates like localhost.localdomain twice within the same session and Firefox telling me this...
Flags: blocking1.9.1?