[Freeipa-users] ipa-ca-install failure - id ranges overflow?
Duncan Gibb
duncan.lists at gmail.com
Sun Apr 24 20:31:52 UTC 2016
On 24 April 2016 at 11:27, Duncan Gibb <duncan.lists at gmail.com> wrote:
DG> ipa-ca-install fails.
DG> I haven't found the relevant source code for this operation yet,
Found it here:
https://git.fedorahosted.org/cgit/pki.git/tree/base/common/src/com/netscape/cmscore/dbs/DBSubsystem.java?id=10502e34a10fb3b672aef1161cc271003c7806ba&h=DOGTAG_10_2_6_BRANCH#n400
DG> but it looks suspiciously like the CA serial number range is being
DG> treated as a signed 32-bit integer somewhere and it's overflowed.
I was wrong; it's just coincidence that the previous box got a range
around 0x7ffe0001.
The exception - LDAP error 68 - is "object already exists", presumably
trying to add this again:
> dn: cn=120000001,ou=requests,ou=ranges,o=ipaca
> objectClass: top
> objectClass: pkiRange
> beginRange: 120000001
> cn: 120000001
> endRange: 130000000
> host: ipa-a2.my.domain.dom
> SecurePort: 443
Magically, without me actually making any manual changes, just
restarting the CA twice with:
systemctl restart pki-tomcatd@pki-tomcat.service
this error went away and a new object appeared:
dn: cn=120000001,ou=certificateRepository,ou=ranges,o=ipaca
objectClass: top
objectClass: pkiRange
beginRange: 120000001
cn: 120000001
endRange: 130000000
host: ipa-a2.my.domain.dom
SecurePort: 443
ipa-ca-install says the CA replica is "already installed", but that
just seems to mean the config files are present. ipa cert-show
commands work (although I don't know that they didn't before).
I'm slightly distrusting of installs that seem to break then seem to
fix themselves. Is there a good way to validate that all is well?
Cheers
Duncan
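As an added example (not code from the post, nor from FreeIPA or Dogtag), one way to sanity-check the pkiRange entries after an install like this: export the ou=ranges,o=ipaca subtree with ldapsearch, then verify that no two ranges in the same subtree overlap and that every host holds a range in both ou=requests and ou=certificateRepository. The LDIF below is constructed and trimmed to the attributes the check reads, with a made-up second replica (ipa-a1) added to show a failing case.

```python
import re
from collections import defaultdict

# Constructed LDIF, trimmed to the attributes the check needs; the third entry
# (a second replica whose range overlaps) is made up to exercise the checks.
SAMPLE_LDIF = """\
dn: cn=120000001,ou=requests,ou=ranges,o=ipaca
beginRange: 120000001
endRange: 130000000
host: ipa-a2.my.domain.dom

dn: cn=120000001,ou=certificateRepository,ou=ranges,o=ipaca
beginRange: 120000001
endRange: 130000000
host: ipa-a2.my.domain.dom

dn: cn=110000001,ou=requests,ou=ranges,o=ipaca
beginRange: 110000001
endRange: 125000000
host: ipa-a1.my.domain.dom
"""

def parse_ldif(text):
    """One dict per blank-line-separated entry; last value wins for repeated attributes."""
    return [dict((k.strip(), v.strip()) for k, _, v in (l.partition(":") for l in b.splitlines()))
            for b in re.split(r"\n\s*\n", text.strip())]

def check_ranges(entries):
    """Return a list of problem strings; an empty list means the ranges look consistent."""
    problems, by_tree = [], defaultdict(list)
    for e in entries:
        tree = e["dn"].split(",")[1].split("=")[1]  # "requests" or "certificateRepository"
        begin, end = int(e["beginRange"]), int(e["endRange"])
        if begin > end:
            problems.append(f"{e['dn']}: beginRange > endRange")
        by_tree[tree].append((begin, end, e["host"]))
    for tree, ranges in by_tree.items():
        ranges.sort()
        for (b1, e1, h1), (b2, e2, h2) in zip(ranges, ranges[1:]):
            if b2 <= e1:  # sorted by begin, so any overlap shows between neighbours
                problems.append(f"{tree}: {h1} [{b1}-{e1}] overlaps {h2} [{b2}-{e2}]")
    hosts = {h for rs in by_tree.values() for _, _, h in rs}
    for host in sorted(hosts):
        missing = [t for t in ("requests", "certificateRepository") if all(h != host for *_, h in by_tree[t])]
        if missing:
            problems.append(f"{host}: no range in {', '.join(missing)}")
    return problems

if __name__ == "__main__":
    for p in check_ranges(parse_ldif(SAMPLE_LDIF)):
        print(p)
```

Feed it the real output of `ldapsearch -b ou=ranges,o=ipaca objectClass=pkiRange` instead of SAMPLE_LDIF; the parser does not handle base64 (`::`) values, which these entries do not use.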