[Freeipa-users] RHEL 7 Upgrade experience so far

Erinn Looney-Triggs erinn.looneytriggs at gmail.com
Tue Aug 5 18:29:59 UTC 2014



On 08/04/2014 01:51 PM, Ade Lee wrote:
> OK - I suspect you may be running into an issue with serial number 
> generation.  Each time we install a clone, we end up allocating a
> new range of serial numbers for the clone.
> 
> The idea is to keep separate ranges for each CA replica so that no
> two replicas can issue certs with the same serial number.
> 
> The problem is that you've probably retried the install a whole
> bunch of times and now perhaps the serial number range is too
> high.
> 
> This is just a guess - but you can see what ranges have been
> assigned by looking in :
> 
> 1. ou=ranges, o=ipaca (on the master directory server)
> 2. CS.cfg for the master (look for the attributes dbs.*)
> 3. The value of the attribute nextRange on: ou=certificateRepository, o=ipaca and
>    ou=Requests, o=ipaca
> 
> Please send me that info, and I'll explain how to clean that up.
> 
> Ade
> 

Ok, after that brief little side trip down deleting my CA lane, here
is what I have for the ranges info:


1. Hmm, ok. I'll do the best I can here; LDAP is not yet my forte:
dn: ou=ranges,o=ipaca
objectClass: organizationalUnit
objectClass: top
ou: ranges

dn: ou=replica,ou=ranges,o=ipaca
objectClass: organizationalUnit
objectClass: top
ou: replica

dn: ou=requests,ou=ranges,o=ipaca
objectClass: organizationalUnit
objectClass: top
ou: requests

dn: ou=certificateRepository,ou=ranges,o=ipaca
objectClass: organizationalUnit
objectClass: top
ou: certificateRepository

dn: cn=10000001,ou=requests,ou=ranges,o=ipaca
objectClass: pkiRange
objectClass: top
beginRange: 10000001
cn: 10000001
endRange: 20000000
host: ipa2.example.com
SecurePort: 443

dn: cn=10000001,ou=certificateRepository,ou=ranges,o=ipaca
objectClass: pkiRange
objectClass: top
beginRange: 10000001
cn: 10000001
endRange: 20000000
host: ipa2.example.com
SecurePort: 443

2.
dbs.beginReplicaNumber=1
dbs.beginRequestNumber=1
dbs.beginSerialNumber=1
dbs.enableSerialManagement=true
dbs.endReplicaNumber=50
dbs.endRequestNumber=9900000
dbs.endSerialNumber=ff60000
dbs.ldap=internaldb
dbs.newSchemaEntryAdded=true
dbs.replicaCloneTransferNumber=5
dbs.replicaDN=ou=replica
dbs.replicaIncrement=100
dbs.replicaLowWaterMark=20
dbs.replicaRangeDN=ou=replica, ou=ranges
dbs.requestCloneTransferNumber=10000
dbs.requestDN=ou=ca, ou=requests
dbs.requestIncrement=10000000
dbs.requestLowWaterMark=2000000
dbs.requestRangeDN=ou=requests, ou=ranges
dbs.serialCloneTransferNumber=10000
dbs.serialDN=ou=certificateRepository, ou=ca
dbs.serialIncrement=10000000
dbs.serialLowWaterMark=2000000
dbs.serialRangeDN=ou=certificateRepository, ou=ranges

3.
In ou=ca,ou=ranges,o=ipaca nextRange: 20000001
Ditto for ou=certificateRepository,ou=ca,o=ipaca

Thanks,
-Erinn
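The property Ade describes (each CA instance owns a disjoint range, and nextRange sits above everything already handed out) can be checked mechanically against exactly the three pieces of data requested. The script below is an added example, not code from this thread or from FreeIPA/Dogtag: it parses the pkiRange entries under ou=ranges,o=ipaca as LDIF, the master's dbs.* lines from CS.cfg, and the posted nextRange values, then reports overlapping ranges, a nextRange that is not above the highest allocation, and hosts that hold more than one range (the leftover of repeated clone installs). The sample data is constructed from the values Erinn posted; the "master" host label is a placeholder, and treating certificate serial numbers as hex and request numbers as decimal (both in CS.cfg and in the pkiRange entries) is an assumption about Dogtag's encoding that you should confirm against your own instance before trusting the arithmetic.

```python
"""Sanity-check Dogtag/IPA CA serial and request number ranges.

Added example, not FreeIPA/Dogtag code. Inputs are the three things Ade asked
for: pkiRange entries under ou=ranges,o=ipaca (LDIF), the master's dbs.* lines
from CS.cfg, and the nextRange value of each repository.
"""
import re

# Constructed from the LDIF posted in the thread (clone ranges only).
RANGES_LDIF = """\
dn: cn=10000001,ou=requests,ou=ranges,o=ipaca
objectClass: pkiRange
objectClass: top
beginRange: 10000001
cn: 10000001
endRange: 20000000
host: ipa2.example.com
SecurePort: 443

dn: cn=10000001,ou=certificateRepository,ou=ranges,o=ipaca
objectClass: pkiRange
objectClass: top
beginRange: 10000001
cn: 10000001
endRange: 20000000
host: ipa2.example.com
SecurePort: 443
"""

# Constructed from the dbs.* lines of the master's CS.cfg as posted.
MASTER_CS_CFG = """\
dbs.beginRequestNumber=1
dbs.beginSerialNumber=1
dbs.endRequestNumber=9900000
dbs.endSerialNumber=ff60000
dbs.requestIncrement=10000000
dbs.serialIncrement=10000000
"""

# nextRange per repository, as posted.
NEXT_RANGE = {"requests": "20000001", "certificateRepository": "20000001"}

# Assumption: serial numbers are hex, request numbers decimal, in both
# CS.cfg and the pkiRange entries.
RADIX = {"requests": 10, "certificateRepository": 16}


def parse_ldif(text):
    """Split LDIF into entries; every attribute maps to a list of values."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            entry.setdefault(key.strip(), []).append(value.strip())
        entries.append(entry)
    return entries


def parse_cs_cfg(text):
    """Parse key=value lines of CS.cfg into a dict."""
    cfg = {}
    for line in text.splitlines():
        if "=" in line and not line.lstrip().startswith("#"):
            key, _, value = line.partition("=")
            cfg[key.strip()] = value.strip()
    return cfg


def allocated_ranges(ldif_text, cs_cfg_text, master_host="master"):
    """Return {repo: [(host, begin, end), ...]}: master from CS.cfg, clones from LDAP."""
    cfg = parse_cs_cfg(cs_cfg_text)
    ranges = {
        "requests": [(master_host,
                      int(cfg["dbs.beginRequestNumber"], 10),
                      int(cfg["dbs.endRequestNumber"], 10))],
        "certificateRepository": [(master_host,
                                   int(cfg["dbs.beginSerialNumber"], 16),
                                   int(cfg["dbs.endSerialNumber"], 16))],
    }
    for entry in parse_ldif(ldif_text):
        if "pkiRange" not in entry.get("objectClass", []):
            continue
        match = re.search(r"ou=([^,]+),ou=ranges", entry["dn"][0])
        if not match or match.group(1) not in ranges:
            continue  # e.g. ou=replica, which is not a serial/request range
        repo = match.group(1)
        ranges[repo].append((entry["host"][0],
                             int(entry["beginRange"][0], RADIX[repo]),
                             int(entry["endRange"][0], RADIX[repo])))
    return ranges


def check_ranges(ranges, next_range):
    """List problems: overlapping ranges, or nextRange at or below the top allocation."""
    problems = []
    for repo, allocs in ranges.items():
        ordered = sorted(allocs, key=lambda r: r[1])
        for (h1, b1, e1), (h2, b2, e2) in zip(ordered, ordered[1:]):
            if b2 <= e1:  # two CAs could issue the same serial number
                problems.append(f"{repo}: {h2} ({b2}-{e2}) overlaps {h1} ({b1}-{e1})")
        top = max(end for _, _, end in allocs)
        nxt = int(next_range[repo], RADIX[repo])
        if nxt <= top:
            problems.append(f"{repo}: nextRange {nxt} is not above highest end {top}")
    return problems


def ranges_per_host(ranges):
    """{repo: {host: count}}; a count above 1 usually means a retried clone install."""
    return {repo: {h: sum(1 for host, _, _ in allocs if host == h) for h, _, _ in allocs}
            for repo, allocs in ranges.items()}


if __name__ == "__main__":
    found = allocated_ranges(RANGES_LDIF, MASTER_CS_CFG)
    for line in check_ranges(found, NEXT_RANGE) or ["ranges look consistent"]:
        print(line)
```

With the posted values the check is clean: the master owns 1..9900000 (requests) and 1..0xff60000 (serials), ipa2 owns 10000001..20000000 in each radix, and nextRange is one above the clone's end in both repositories. A retried install shows up as several pkiRange entries for the same host, which the per-host count exposes even when the ranges themselves do not overlap.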