[Freeipa-users] ipa-ca-install failure - id ranges overflow?

Duncan Gibb duncan.lists at gmail.com
Sun Apr 24 10:27:43 UTC 2016


Hello

I'm trying to re-install one of six FreeIPA 4.2.0 servers in my
domain.  Normally I would do an install as one step with

  ipa-replica-install --setup-ca --no-ntp --setup-dns --forwarder
A.B.C.D --forwarder E.F.G.H
/var/lib/ipa/replica-info-ipa-a2.my.domain.dom.gpg

but this fails in the CA setup.  So instead I broke it into an
ipa-replica-install, an ipa-dns-install and an ipa-ca-install.  The
first two steps succeed and look OK, but the ipa-ca-install fails.

I think the problem is with the CA range allocations (details below).
Can anyone help me figure out how to:

 * re-use or free CA id ranges which have been taken by replicas but never used?
 * change the size of future range allocations so this doesn't happen again?

Many thanks.


Duncan



Detail:


On the failing server, ipa-a2, /var/log/pki/pki-tomcat/ca/debug contains:

[22/Apr/2016:14:26:31][localhost-startStop-1]: DBSubsystem:
getEntryAttribute:  dn=ou=certificateRepository, ou=ca, o=ipaca
attr=description:;
[22/Apr/2016:14:26:31][localhost-startStop-1]: CertificateRepository:
getLastSerialNumberInRange  mEnableRandomSerialNumbers=false
mMinRandomBitLength=4  CollisionRecovery=3,10
[22/Apr/2016:14:26:31][localhost-startStop-1]: CertificateRepository:
getLastSerialNumberInRange  modeChange=false  enableRsnAtConfig=false
mForceModeChange=false  mode=
[22/Apr/2016:14:26:31][localhost-startStop-1]: CertificateRepository:
getLastSerialNumberInRange  mEnableRandomSerialNumbers=false
[22/Apr/2016:14:26:31][localhost-startStop-1]: In
LdapBoundConnFactory::getConn()
[22/Apr/2016:14:26:31][localhost-startStop-1]: masterConn is connected: true
[22/Apr/2016:14:26:31][localhost-startStop-1]: getConn: conn is connected true
[22/Apr/2016:14:26:31][localhost-startStop-1]: getConn: mNumConns now 2
[22/Apr/2016:14:26:31][localhost-startStop-1]: In
findCertRecordsInList with Jumpto 1610416128
[22/Apr/2016:14:26:31][localhost-startStop-1]: In DBVirtualList filter
attrs startFrom sortKey pageSize filter: (certStatus=*) attrs: null
pageSize -5 startFrom 101610416128
[22/Apr/2016:14:26:31][localhost-startStop-1]: returnConn: mNumConns now 3
[22/Apr/2016:14:26:31][localhost-startStop-1]: getEntries returning 6
[22/Apr/2016:14:26:31][localhost-startStop-1]: mTop 48
[22/Apr/2016:14:26:31][localhost-startStop-1]: Getting Virtual List size: 61
[22/Apr/2016:14:26:31][localhost-startStop-1]:
CertificateRepository:getLastSerialNumberInRange: recList size 61
[22/Apr/2016:14:26:31][localhost-startStop-1]:
CertificateRepository:getLastSerialNumberInRange: ltSize 54
[22/Apr/2016:14:26:31][localhost-startStop-1]: getElementAt: 0 mTop 48
[22/Apr/2016:14:26:31][localhost-startStop-1]: reverse direction getting index 5
[22/Apr/2016:14:26:31][localhost-startStop-1]:
CertificateRepository:getLastCertRecordSerialNo:  serialno  1878982657
[22/Apr/2016:14:26:31][localhost-startStop-1]: getElementAt: 1 mTop 48
[22/Apr/2016:14:26:31][localhost-startStop-1]: reverse direction getting index 4
[22/Apr/2016:14:26:31][localhost-startStop-1]:
CertificateRepository:getLastCertRecordSerialNo:  serialno  805175300
[22/Apr/2016:14:26:31][localhost-startStop-1]: getElementAt: 2 mTop 48
[22/Apr/2016:14:26:31][localhost-startStop-1]: reverse direction getting index 3
[22/Apr/2016:14:26:31][localhost-startStop-1]:
CertificateRepository:getLastCertRecordSerialNo:  serialno  805175299
[22/Apr/2016:14:26:31][localhost-startStop-1]: getElementAt: 3 mTop 48
[22/Apr/2016:14:26:31][localhost-startStop-1]: reverse direction getting index 2
[22/Apr/2016:14:26:31][localhost-startStop-1]:
CertificateRepository:getLastCertRecordSerialNo:  serialno  805175298
[22/Apr/2016:14:26:31][localhost-startStop-1]: getElementAt: 4 mTop 48
[22/Apr/2016:14:26:31][localhost-startStop-1]: reverse direction getting index 1
[22/Apr/2016:14:26:31][localhost-startStop-1]:
CertificateRepository:getLastCertRecordSerialNo:  serialno  805175297
[22/Apr/2016:14:26:31][localhost-startStop-1]:
CertificateRepository:getLastCertRecordSerialNo: returning 1610350592
[22/Apr/2016:14:26:31][localhost-startStop-1]: Repository:
mLastSerialNo: 1610350592
[22/Apr/2016:14:26:31][localhost-startStop-1]: Serial numbers left in
range: 65536
[22/Apr/2016:14:26:31][localhost-startStop-1]: Last Serial Number: 1610350592
[22/Apr/2016:14:26:31][localhost-startStop-1]: Serial Numbers available: 65536
[22/Apr/2016:14:26:31][localhost-startStop-1]: Low water mark reached.
Requesting next range
[22/Apr/2016:14:26:31][localhost-startStop-1]: In
LdapBoundConnFactory::getConn()
[22/Apr/2016:14:26:31][localhost-startStop-1]: masterConn is connected: true
[22/Apr/2016:14:26:31][localhost-startStop-1]: getConn: conn is connected true
[22/Apr/2016:14:26:31][localhost-startStop-1]: getConn: mNumConns now 2
[22/Apr/2016:14:26:31][localhost-startStop-1]: DBSubsystem:
getNextRange. Unable to provide next range
:netscape.ldap.LDAPException: error result (68)
[22/Apr/2016:14:26:31][localhost-startStop-1]: Releasing ldap connection
[22/Apr/2016:14:26:31][localhost-startStop-1]: returnConn: mNumConns now 3
java.lang.NullPointerException
        at java.math.BigInteger.<init>(BigInteger.java:406)
        at com.netscape.cmscore.dbs.Repository.checkRanges(Repository.java:500)
        at com.netscape.cmscore.apps.CMSEngine.startup(CMSEngine.java:1167)
        at com.netscape.certsrv.apps.CMS.startup(CMS.java:200)
        at com.netscape.certsrv.apps.CMS.start(CMS.java:1602)
        at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:114)
        at javax.servlet.GenericServlet.init(GenericServlet.java:158)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:497)
        at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277)
        at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
        at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309)
        at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:169)
        at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:123)
        at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1272)
        at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1197)
        at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1087)
        at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5210)
        at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5493)
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
        at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:901)
        at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133)
        at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156)
        at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145)
        at java.security.AccessController.doPrivileged(Native Method)
        at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:875)
        at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:632)
        at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:672)
        at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1862)
        at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
        at java.util.concurrent.FutureTask.run(FutureTask.java:266)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
        at java.lang.Thread.run(Thread.java:745)


For comparison the same log for server ipa-b1 re-installed a few days
earlier says:

[19/Apr/2016:03:40:26][localhost-startStop-1]: DBSubsystem:
getEntryAttribute:  dn=ou=certificateRepository, ou=ca, o=ipaca
attr=description:;
[19/Apr/2016:03:40:26][localhost-startStop-1]: CertificateRepository:
getLastSerialNumberInRange  mEnableRandomSerialNumbers=false
mMinRandomBitLength=4  CollisionRecovery=3,10
[19/Apr/2016:03:40:26][localhost-startStop-1]: CertificateRepository:
getLastSerialNumberInRange  modeChange=false  enableRsnAtConfig=false
mForceModeChange=false  mode=
[19/Apr/2016:03:40:26][localhost-startStop-1]: CertificateRepository:
getLastSerialNumberInRange  mEnableRandomSerialNumbers=false
[19/Apr/2016:03:40:26][localhost-startStop-1]: In
LdapBoundConnFactory::getConn()
[19/Apr/2016:03:40:26][localhost-startStop-1]: masterConn is connected: true
[19/Apr/2016:03:40:26][localhost-startStop-1]: getConn: conn is connected true
[19/Apr/2016:03:40:26][localhost-startStop-1]: getConn: mNumConns now 2
[19/Apr/2016:03:40:26][localhost-startStop-1]: In
findCertRecordsInList with Jumpto 2147418112
[19/Apr/2016:03:40:26][localhost-startStop-1]: In DBVirtualList filter
attrs startFrom sortKey pageSize filter: (certStatus=*) attrs: null
pageSize -5 startFrom 102147418112
[19/Apr/2016:03:40:26][localhost-startStop-1]: returnConn: mNumConns now 3
[19/Apr/2016:03:40:26][localhost-startStop-1]: getEntries returning 6
[19/Apr/2016:03:40:26][localhost-startStop-1]: mTop 46
[19/Apr/2016:03:40:26][localhost-startStop-1]: Getting Virtual List size: 52
[19/Apr/2016:03:40:26][localhost-startStop-1]:
CertificateRepository:getLastSerialNumberInRange: recList size 52
[19/Apr/2016:03:40:26][localhost-startStop-1]:
CertificateRepository:getLastSerialNumberInRange: ltSize 52
[19/Apr/2016:03:40:26][localhost-startStop-1]: getElementAt: 0 mTop 46
[19/Apr/2016:03:40:26][localhost-startStop-1]: reverse direction getting index 5
[19/Apr/2016:03:40:26][localhost-startStop-1]:
CertificateRepository:getLastCertRecordSerialNo:  serialno  1878982664
[19/Apr/2016:03:40:26][localhost-startStop-1]: getElementAt: 1 mTop 46
[19/Apr/2016:03:40:26][localhost-startStop-1]: reverse direction getting index 4
[19/Apr/2016:03:40:26][localhost-startStop-1]:
CertificateRepository:getLastCertRecordSerialNo:  serialno  1878982663
[19/Apr/2016:03:40:26][localhost-startStop-1]: getElementAt: 2 mTop 46
[19/Apr/2016:03:40:26][localhost-startStop-1]: reverse direction getting index 3
[19/Apr/2016:03:40:26][localhost-startStop-1]:
CertificateRepository:getLastCertRecordSerialNo:  serialno  1878982662
[19/Apr/2016:03:40:26][localhost-startStop-1]: getElementAt: 3 mTop 46
[19/Apr/2016:03:40:26][localhost-startStop-1]: reverse direction getting index 2
[19/Apr/2016:03:40:26][localhost-startStop-1]:
CertificateRepository:getLastCertRecordSerialNo:  serialno  1878982661
[19/Apr/2016:03:40:26][localhost-startStop-1]: getElementAt: 4 mTop 46
[19/Apr/2016:03:40:26][localhost-startStop-1]: reverse direction getting index 1
[19/Apr/2016:03:40:26][localhost-startStop-1]:
CertificateRepository:getLastCertRecordSerialNo:  serialno  1878982660
[19/Apr/2016:03:40:26][localhost-startStop-1]:
CertificateRepository:getLastCertRecordSerialNo: returning 2147352576
[19/Apr/2016:03:40:26][localhost-startStop-1]: Repository:
mLastSerialNo: 2147352576
[19/Apr/2016:03:40:26][localhost-startStop-1]: Serial numbers left in
range: 65536
[19/Apr/2016:03:40:26][localhost-startStop-1]: Last Serial Number: 2147352576
[19/Apr/2016:03:40:26][localhost-startStop-1]: Serial Numbers available: 65536
[19/Apr/2016:03:40:26][localhost-startStop-1]: Low water mark reached.
Requesting next range
[19/Apr/2016:03:40:26][localhost-startStop-1]: In
LdapBoundConnFactory::getConn()
[19/Apr/2016:03:40:26][localhost-startStop-1]: masterConn is connected: true
[19/Apr/2016:03:40:26][localhost-startStop-1]: getConn: conn is connected true
[19/Apr/2016:03:40:26][localhost-startStop-1]: getConn: mNumConns now 2
[19/Apr/2016:03:40:26][localhost-startStop-1]: DBSubsystem:
getNextRange  Next range has been added: 110000001 - 120000000
[19/Apr/2016:03:40:26][localhost-startStop-1]: Releasing ldap connection
[19/Apr/2016:03:40:26][localhost-startStop-1]: returnConn: mNumConns now 3
[19/Apr/2016:03:40:26][localhost-startStop-1]: nNextMinSerialNo has
been set to 110000001
[19/Apr/2016:03:40:26][localhost-startStop-1]: DBSubsystem: Setting
next min certs number: 110000001
[19/Apr/2016:03:40:26][localhost-startStop-1]: DBSubsystem: Setting
next max certs number: 120000000
[19/Apr/2016:03:40:26][localhost-startStop-1]: Checking for a range conflict
[19/Apr/2016:03:40:26][localhost-startStop-1]: In
LdapBoundConnFactory::getConn()
[19/Apr/2016:03:40:26][localhost-startStop-1]: masterConn is connected: true
[19/Apr/2016:03:40:26][localhost-startStop-1]: getConn: conn is connected true
[19/Apr/2016:03:40:26][localhost-startStop-1]: getConn: mNumConns now 2
[19/Apr/2016:03:40:26][localhost-startStop-1]: Releasing ldap connection
[19/Apr/2016:03:40:26][localhost-startStop-1]: returnConn: mNumConns now 3
[19/Apr/2016:03:40:27][http-bio-8443-exec-2]: according to ccMode,
authorization for servlet: caGetStatus is LDAP based, not XML {1}, use
default authz mgr: {2}.
[19/Apr/2016:03:40:27][http-bio-8443-exec-2]: CMSServlet:service() uri
= /ca/admin/ca/getStatus
[19/Apr/2016:03:40:27][http-bio-8443-exec-2]: CMSServlet: caGetStatus
start to service.
[19/Apr/2016:03:40:27][http-bio-8443-exec-2]: CMSServlet: curDate=Tue
Apr 19 03:40:27 CDT 2016 id=caGetStatus time=24
[19/Apr/2016:03:40:27][http-bio-8080-exec-2]: according to ccMode,
authorization for servlet: caGetCertChain is LDAP based, not XML {1},
use default authz mgr: {2}.
[19/Apr/2016:03:40:27][http-bio-8080-exec-2]: CMSServlet:service() uri
= /ca/ee/ca/getCertChain
[19/Apr/2016:03:40:27][http-bio-8080-exec-2]: CMSServlet:
caGetCertChain start to service.
[19/Apr/2016:03:40:27][http-bio-8080-exec-2]: CMSServlet: curDate=Tue
Apr 19 03:40:27 CDT 2016 id=caGetCertChain time=7
[19/Apr/2016:03:40:28][http-bio-8080-exec-4]: according to ccMode,
authorization for servlet: caProfileList is LDAP based, not XML {1},
use default authz mgr: {2}.
[19/Apr/2016:03:40:28][http-bio-8080-exec-4]: according to ccMode,
authorization for servlet: caProfileList is LDAP based, not XML {1},
use default authz mgr: {2}.
[19/Apr/2016:03:40:28][http-bio-8080-exec-4]: CMSServlet:service() uri
= /ca/ee/ca/profileList
[19/Apr/2016:03:40:28][http-bio-8080-exec-4]: CMSServlet::service()
param name='xml' value='true'
[19/Apr/2016:03:40:28][http-bio-8080-exec-4]: CMSServlet:
caProfileList start to service.



I haven't found the relevant source code for this operation yet, but
it looks suspiciously like the CA serial number range is being treated
as a signed 32-bit integer somewhere and it's overflowed.


There are a bunch of what appear to be config options for the range
allocation behaviour in /var/lib/pki/pki-tomcat/ca/conf/CS.cfg

dbs.beginReplicaNumber=1381
dbs.beginRequestNumber=59960001
dbs.beginSerialNumber=5ffc0001
dbs.enableRandomSerialNumbers=false
dbs.enableSerialManagement=true
dbs.endReplicaNumber=1384
dbs.endRequestNumber=59970000
dbs.endSerialNumber=5ffd0000
dbs.ldap=internaldb
dbs.newSchemaEntryAdded=true
dbs.nextBeginRequestNumber=120000001
dbs.nextEndRequestNumber=130000000
dbs.randomSerialNumberCounter=-1
dbs.replicaCloneTransferNumber=5
dbs.replicaDN=ou=replica
dbs.replicaIncrement=100
dbs.replicaLowWaterMark=20
dbs.replicaRangeDN=ou=replica, ou=ranges
dbs.requestCloneTransferNumber=10000
dbs.requestDN=ou=ca, ou=requests
dbs.requestIncrement=10000000
dbs.requestLowWaterMark=2000000
dbs.requestRangeDN=ou=requests, ou=ranges
dbs.serialCloneTransferNumber=10000
dbs.serialDN=ou=certificateRepository, ou=ca
dbs.serialIncrement=10000000
dbs.serialLowWaterMark=2000000
dbs.serialRangeDN=ou=certificateRepository, ou=ranges

(some values are different on each box - above is from ipa-a2).

Could someone help me find docs for exactly what these mean?  Is there
any logic as to which are decimal and which are hex?


In LDAP I have a whole pile of pkiRange objects:


dn: ou=replica,o=ipaca
objectClass: top
objectClass: repository
nextRange: 1400
ou: replica
serialno: 010

dn: ou=ranges,o=ipaca
objectClass: top
objectClass: organizationalUnit
ou: ranges

dn: ou=replica,ou=ranges,o=ipaca
objectClass: top
objectClass: organizationalUnit
ou: replica

dn: cn=1000,ou=replica,ou=ranges,o=ipaca
objectClass: top
objectClass: pkiRange
beginRange: 1000
cn: 1000
endRange: 1099
host: ipa-b2.my.domain.dom
SecurePort: 443

dn: cn=1100,ou=replica,ou=ranges,o=ipaca
objectClass: top
objectClass: pkiRange
beginRange: 1100
cn: 1100
endRange: 1199
host: ipa-a2.my.domain.dom
SecurePort: 443

dn: cn=1200,ou=replica,ou=ranges,o=ipaca
objectClass: top
objectClass: pkiRange
beginRange: 1200
cn: 1200
endRange: 1299
host: ipa-c2.my.domain.dom
SecurePort: 443

dn: cn=1300,ou=replica,ou=ranges,o=ipaca
objectClass: top
objectClass: pkiRange
beginRange: 1300
cn: 1300
endRange: 1399
host: ipa-c1.my.domain.dom
SecurePort: 443

dn: cn=1300+nsuniqueid=1b461b25-eb9211e5-b84091d6-4ee1ae2e,ou=replica,ou=ranges,o=ipaca
objectClass: top
objectClass: pkiRange
beginRange: 1300
cn: 1300
endRange: 1399
host: ipa-b2.my.domain.dom
SecurePort: 443

dn: ou=requests,ou=ranges,o=ipaca
objectClass: top
objectClass: organizationalUnit
ou: requests

dn: cn=10000001,ou=requests,ou=ranges,o=ipaca
objectClass: top
objectClass: pkiRange
beginRange: 10000001
cn: 10000001
endRange: 20000000
host: ipa-a2.my.domain.dom
SecurePort: 443

dn: cn=20000001,ou=requests,ou=ranges,o=ipaca
objectClass: top
objectClass: pkiRange
beginRange: 20000001
cn: 20000001
endRange: 30000000
host: ipa-b2.my.domain.dom
SecurePort: 443

dn: cn=30000001,ou=requests,ou=ranges,o=ipaca
objectClass: top
objectClass: pkiRange
beginRange: 30000001
cn: 30000001
endRange: 40000000
host: ipa-b1.my.domain.dom
SecurePort: 443

dn: cn=40000001,ou=requests,ou=ranges,o=ipaca
objectClass: top
objectClass: pkiRange
beginRange: 40000001
cn: 40000001
endRange: 50000000
host: ipa-b1.my.domain.dom
SecurePort: 443

dn: cn=50000001,ou=requests,ou=ranges,o=ipaca
objectClass: top
objectClass: pkiRange
beginRange: 50000001
cn: 50000001
endRange: 60000000
host: ipa-c1.my.domain.dom
SecurePort: 443

dn: cn=60000001,ou=requests,ou=ranges,o=ipaca
objectClass: top
objectClass: pkiRange
beginRange: 60000001
cn: 60000001
endRange: 70000000
host: ipa-c2.my.domain.dom
SecurePort: 443

dn: cn=70000001,ou=requests,ou=ranges,o=ipaca
objectClass: top
objectClass: pkiRange
beginRange: 70000001
cn: 70000001
endRange: 80000000
host: ipa-b2.my.domain.dom
SecurePort: 443

dn: cn=80000001,ou=requests,ou=ranges,o=ipaca
objectClass: top
objectClass: pkiRange
beginRange: 80000001
cn: 80000001
endRange: 90000000
host: ipa-a2.my.domain.dom
SecurePort: 443

dn: cn=90000001,ou=requests,ou=ranges,o=ipaca
objectClass: top
objectClass: pkiRange
beginRange: 90000001
cn: 90000001
endRange: 100000000
host: ipa-a2.my.domain.dom
SecurePort: 443

dn: cn=100000001,ou=requests,ou=ranges,o=ipaca
objectClass: top
objectClass: pkiRange
beginRange: 100000001
cn: 100000001
endRange: 110000000
host: ipa-b1.my.domain.dom
SecurePort: 443

dn: cn=110000001,ou=requests,ou=ranges,o=ipaca
objectClass: top
objectClass: pkiRange
beginRange: 110000001
cn: 110000001
endRange: 120000000
host: ipa-b1.my.domain.dom
SecurePort: 443

dn: cn=120000001,ou=requests,ou=ranges,o=ipaca
objectClass: top
objectClass: pkiRange
beginRange: 120000001
cn: 120000001
endRange: 130000000
host: ipa-a2.my.domain.dom
SecurePort: 443

dn: ou=certificateRepository,ou=ranges,o=ipaca
objectClass: top
objectClass: organizationalUnit
ou: certificateRepository

dn: cn=10000001,ou=certificateRepository,ou=ranges,o=ipaca
objectClass: top
objectClass: pkiRange
beginRange: 10000001
cn: 10000001
endRange: 20000000
host: ipa-a2.my.domain.dom
SecurePort: 443

dn: cn=20000001,ou=certificateRepository,ou=ranges,o=ipaca
objectClass: top
objectClass: pkiRange
beginRange: 20000001
cn: 20000001
endRange: 30000000
host: ipa-b2.my.domain.dom
SecurePort: 443

dn: cn=30000001,ou=certificateRepository,ou=ranges,o=ipaca
objectClass: top
objectClass: pkiRange
beginRange: 30000001
cn: 30000001
endRange: 40000000
host: ipa-b1.my.domain.dom
SecurePort: 443

dn: cn=40000001,ou=certificateRepository,ou=ranges,o=ipaca
objectClass: top
objectClass: pkiRange
beginRange: 40000001
cn: 40000001
endRange: 50000000
host: ipa-b1.my.domain.dom
SecurePort: 443

dn: cn=50000001,ou=certificateRepository,ou=ranges,o=ipaca
objectClass: top
objectClass: pkiRange
beginRange: 50000001
cn: 50000001
endRange: 60000000
host: ipa-c1.my.domain.dom
SecurePort: 443

dn: cn=60000001,ou=certificateRepository,ou=ranges,o=ipaca
objectClass: top
objectClass: pkiRange
beginRange: 60000001
cn: 60000001
endRange: 70000000
host: ipa-c2.my.domain.dom
SecurePort: 443

dn: cn=70000001,ou=certificateRepository,ou=ranges,o=ipaca
objectClass: top
objectClass: pkiRange
beginRange: 70000001
cn: 70000001
endRange: 80000000
host: ipa-b2.my.domain.dom
SecurePort: 443

dn: cn=80000001,ou=certificateRepository,ou=ranges,o=ipaca
objectClass: top
objectClass: pkiRange
beginRange: 80000001
cn: 80000001
endRange: 90000000
host: ipa-a2.my.domain.dom
SecurePort: 443

dn: cn=90000001,ou=certificateRepository,ou=ranges,o=ipaca
objectClass: top
objectClass: pkiRange
beginRange: 90000001
cn: 90000001
endRange: 100000000
host: ipa-a2.my.domain.dom
SecurePort: 443

dn: cn=100000001,ou=certificateRepository,ou=ranges,o=ipaca
objectClass: top
objectClass: pkiRange
beginRange: 100000001
cn: 100000001
endRange: 110000000
host: ipa-b1.my.domain.dom
SecurePort: 443

dn: cn=110000001,ou=certificateRepository,ou=ranges,o=ipaca
objectClass: top
objectClass: pkiRange
beginRange: 110000001
cn: 110000001
endRange: 120000000
host: ipa-b1.my.domain.dom
SecurePort: 443


Obviously some of these are dupes caused by re-installation and/or
upgrades of servers.  Is it safe to delete ones related to ranges
where there are no certs issued?

If I can make a range of, say 10000000 ids available, how do I carve
that up into sensible-sized chunks and get IPA to hand them out to
future replicas?


Thanks again.


Duncan
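The CS.cfg radix question and the two debug-log excerpts in the message above can be cross-checked mechanically. The script below is an added example, not code from the original post or from FreeIPA/Dogtag. It assumes Dogtag's convention that the certificate serial-number keys in CS.cfg (dbs.beginSerialNumber, dbs.endSerialNumber, dbs.serialCloneTransferNumber, dbs.serialIncrement, dbs.serialLowWaterMark) are hexadecimal while request and replica-ID keys are decimal; the decimal numbers printed in the posted log bear that out for the serial keys (5ffc0000 hex is 1610350592, and 10000 hex is the 65536 "left in range"). The CS.cfg fragment and log lines are copied from the post, with wrapped log lines re-joined; LDAP result code names come from RFC 4511.

```python
"""Decode Dogtag CS.cfg range keys and cross-check them against pki-tomcat's debug log.

Added example (not from the post or from FreeIPA/Dogtag). Assumption: dbs.*Serial*
keys are hex, request/replica keys decimal. Inputs below are copied from the post.
"""
import re

CS_CFG = """\
dbs.beginReplicaNumber=1381
dbs.beginRequestNumber=59960001
dbs.beginSerialNumber=5ffc0001
dbs.endReplicaNumber=1384
dbs.endRequestNumber=59970000
dbs.endSerialNumber=5ffd0000
dbs.ldap=internaldb
dbs.randomSerialNumberCounter=-1
dbs.serialCloneTransferNumber=10000
dbs.serialIncrement=10000000
dbs.serialLowWaterMark=2000000
"""

LOG_A2 = """\
[22/Apr/2016:14:26:31][localhost-startStop-1]: Repository: mLastSerialNo: 1610350592
[22/Apr/2016:14:26:31][localhost-startStop-1]: Serial numbers left in range: 65536
[22/Apr/2016:14:26:31][localhost-startStop-1]: Low water mark reached. Requesting next range
[22/Apr/2016:14:26:31][localhost-startStop-1]: DBSubsystem: getNextRange. Unable to provide next range :netscape.ldap.LDAPException: error result (68)
"""

LOG_B1 = """\
[19/Apr/2016:03:40:26][localhost-startStop-1]: Repository: mLastSerialNo: 2147352576
[19/Apr/2016:03:40:26][localhost-startStop-1]: Serial numbers left in range: 65536
[19/Apr/2016:03:40:26][localhost-startStop-1]: DBSubsystem: getNextRange  Next range has been added: 110000001 - 120000000
"""

# Keys Dogtag stores in hex (assumption stated in the lead-in); everything else is decimal.
SERIAL_HEX_KEYS = {
    "dbs.beginSerialNumber", "dbs.endSerialNumber", "dbs.nextBeginSerialNumber",
    "dbs.nextEndSerialNumber", "dbs.serialCloneTransferNumber",
    "dbs.serialIncrement", "dbs.serialLowWaterMark",
}
# RFC 4511, Appendix A (subset).
LDAP_RESULT_CODES = {0: "success", 32: "noSuchObject", 49: "invalidCredentials",
                     50: "insufficientAccessRights", 53: "unwillingToPerform",
                     68: "entryAlreadyExists"}
LOG_PATTERNS = {
    "last_serial": re.compile(r"mLastSerialNo:\s*(\d+)"),
    "left_in_range": re.compile(r"Serial numbers left in range:\s*(\d+)"),
    "ldap_error": re.compile(r"LDAPException: error result \((\d+)\)"),
    "next_range": re.compile(r"Next range has been added:\s*([0-9a-fA-F]+)\s*-\s*([0-9a-fA-F]+)"),
}


def parse_cs_cfg(text):
    """Return {key: int} for numeric dbs.* keys, applying the per-key radix."""
    cfg = {}
    for line in text.splitlines():
        key, _, value = line.strip().partition("=")
        key, value = key.strip(), value.strip()
        # Skip DNs, booleans and names such as dbs.ldap=internaldb.
        if not key.startswith("dbs.") or not re.fullmatch(r"-?[0-9a-fA-F]+", value):
            continue
        cfg[key] = int(value, 16 if key in SERIAL_HEX_KEYS else 10)
    return cfg


def parse_debug_log(text):
    """Pull the range-bookkeeping facts out of the debug log (numbers as ints, ranges as raw strings)."""
    found = {}
    for line in text.splitlines():
        for name, pat in LOG_PATTERNS.items():
            m = pat.search(line)
            if m:
                found[name] = int(m.group(1)) if len(m.groups()) == 1 else m.groups()
    return found


def analyse(log, cfg=None):
    """Cross-check one server's log against its CS.cfg (cfg is None when CS.cfg was not posted)."""
    r = {}
    last = log.get("last_serial")
    if last is not None:
        r["last_serial_hex"] = format(last, "x")
        r["int32_headroom"] = 2**31 - 1 - last  # distance to the signed 32-bit limit the post asks about
    if "ldap_error" in log:
        r["ldap_error"] = (log["ldap_error"], LDAP_RESULT_CODES.get(log["ldap_error"], "unknown"))
    if "next_range" in log:
        r["next_range"] = log["next_range"]
    if cfg:
        begin, end = cfg["dbs.beginSerialNumber"], cfg["dbs.endSerialNumber"]
        r["range_size"] = end - begin + 1
        r["range_is_clone_transfer"] = r["range_size"] == cfg["dbs.serialCloneTransferNumber"]
        if last is not None:
            r["issued_in_range"] = last - begin + 1          # 0 means nothing issued from this chunk yet
            r["left_in_range"] = end - last
            r["left_matches_log"] = log.get("left_in_range") == r["left_in_range"]
            # Dogtag asks LDAP for a fresh range once the remainder drops below the low-water mark.
            r["low_water_mark_reached"] = r["left_in_range"] < cfg["dbs.serialLowWaterMark"]
    return r


if __name__ == "__main__":
    cfg = parse_cs_cfg(CS_CFG)
    print("ipa-a2:", analyse(parse_debug_log(LOG_A2), cfg))
    print("ipa-b1:", analyse(parse_debug_log(LOG_B1)))
```

Against the posted data this reports, for ipa-a2, a 65536-serial chunk equal to serialCloneTransferNumber with nothing yet issued from it, a remainder far below the (hex) low-water mark of 33554432, and the failed next-range request returning LDAP result 68, entryAlreadyExists; for ipa-b1 it reports the same chunk size and a last serial 131071 below 2^31 - 1. Point it at a real CS.cfg and /var/log/pki/pki-tomcat/ca/debug by replacing the embedded strings.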


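Before deleting any of the pkiRange entries listed in the message, a practitioner would want a read-only audit of them. The script below is an added example, not code from the original post or from FreeIPA/Dogtag. It parses the LDIF, flags entries whose RDN carries the nsuniqueid that 389 Directory Server adds when it renames a replication-conflict entry, reports overlapping ranges within each container under ou=ranges,o=ipaca, shows how many ranges each host holds, and checks that a repository's nextRange lies past every endRange already allocated. The embedded LDIF is an abridged copy of the entries in the post (objectClass: top and SecurePort omitted); values are compared as the decimal strings they appear as, which does not affect the overlap result as long as one radix is used per container.

```python
"""Audit Dogtag pkiRange entries under ou=ranges,o=ipaca before touching any of them.

Added example (not from the post or from FreeIPA/Dogtag). The LDIF is an abridged
copy of entries from the post. The script only reads; it never modifies LDAP.
"""
import re
from collections import defaultdict

LDIF = """\
dn: ou=replica,o=ipaca
objectClass: repository
nextRange: 1400
ou: replica

dn: cn=1300,ou=replica,ou=ranges,o=ipaca
objectClass: pkiRange
beginRange: 1300
endRange: 1399
host: ipa-c1.my.domain.dom

dn: cn=1300+nsuniqueid=1b461b25-eb9211e5-b84091d6-4ee1ae2e,ou=replica,ou=ranges,o=ipaca
objectClass: pkiRange
beginRange: 1300
endRange: 1399
host: ipa-b2.my.domain.dom

dn: cn=100000001,ou=certificateRepository,ou=ranges,o=ipaca
objectClass: pkiRange
beginRange: 100000001
endRange: 110000000
host: ipa-b1.my.domain.dom

dn: cn=110000001,ou=certificateRepository,ou=ranges,o=ipaca
objectClass: pkiRange
beginRange: 110000001
endRange: 120000000
host: ipa-b1.my.domain.dom
"""


def parse_ldif(text):
    """Minimal LDIF reader: one dict per entry, attribute names lower-cased, values kept as lists."""
    entries, cur = [], None
    for line in text.splitlines():
        if not line.strip():
            if cur:
                entries.append(cur)
            cur = None
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            cur = {"dn": value}
        elif cur is not None:
            cur.setdefault(name, []).append(value)
    if cur:
        entries.append(cur)
    return entries


def pki_ranges(entries, radix=10):
    """Group pkiRange entries by the ou directly under ou=ranges (replica, requests, certificateRepository)."""
    by_container = defaultdict(list)
    for e in entries:
        if "pkirange" not in [v.lower() for v in e.get("objectclass", [])]:
            continue
        m = re.search(r",ou=([^,]+),ou=ranges,", e["dn"], re.I)
        if not m:
            continue
        rdn = e["dn"].split(",", 1)[0]
        by_container[m.group(1)].append({
            "dn": e["dn"],
            "begin": int(e["beginrange"][0], radix),
            "end": int(e["endrange"][0], radix),
            "host": e["host"][0],
            # 389-ds names replication-conflict entries with nsuniqueid=... in the RDN.
            "conflict": "nsuniqueid=" in rdn.lower(),
        })
    return by_container


def find_overlaps(ranges):
    """DN pairs within one container whose [begin, end] intervals intersect."""
    out, rs = [], sorted(ranges, key=lambda r: (r["begin"], r["end"]))
    for i, a in enumerate(rs):
        for b in rs[i + 1:]:
            if b["begin"] > a["end"]:
                break  # sorted by begin, so no later entry can overlap a
            out.append((a["dn"], b["dn"]))
    return out


def hosts_holding(ranges):
    """Number of ranges each host holds in a container."""
    counts = defaultdict(int)
    for r in ranges:
        counts[r["host"]] += 1
    return dict(counts)


def check_next_range(entries, by_container):
    """For each repository entry carrying nextRange: (nextRange, highest allocated endRange, consistent?)."""
    result = {}
    for e in entries:
        m = re.match(r"ou=([^,]+),", e["dn"], re.I)
        if "nextrange" not in e or not m:
            continue
        top = max((r["end"] for r in by_container.get(m.group(1), [])), default=None)
        nxt = int(e["nextrange"][0])
        result[m.group(1)] = (nxt, top, top is None or nxt > top)
    return result


if __name__ == "__main__":
    ents = parse_ldif(LDIF)
    rng = pki_ranges(ents)
    for name, ranges in rng.items():
        print(name, "overlaps:", find_overlaps(ranges), "hosts:", hosts_holding(ranges),
              "conflicts:", [r["dn"] for r in ranges if r["conflict"]])
    print("nextRange:", check_next_range(ents, rng))
```

Run it on a fresh export instead of the embedded sample, for example the output of `ldapsearch -b o=ipaca "(|(objectClass=pkiRange)(nextRange=*))"`. On the posted data it flags the two cn=1300 replica entries as overlapping, marks the nsuniqueid one as a replication-conflict entry, shows ipa-b1 holding two consecutive certificateRepository ranges, and confirms that the replica repository's nextRange of 1400 is past the highest allocated endRange of 1399. Whether a range is safe to remove still depends on whether anything was issued from it, which LDAP entries alone do not show.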

