On 08/04/2014 01:51 PM, Ade Lee wrote:
> OK - I suspect you may be running into an issue with serial number
> generation. Each time we install a clone, we end up allocating a
> new range of serial numbers for the clone.
>
> The idea is to keep separate ranges for each CA replica so that no
> two replicas can issue certs with the same serial number.
>
> The problem is that you've probably retried the install a whole
> bunch of times and now perhaps the serial number range is too
> high.
>
> This is just a guess - but you can see what ranges have been
> assigned by looking in:
>
> 1. ou-ranges, o=ipaca (on the master directory server)
> 2. CS.cfg for the master (look for the attributes dbs.*)
> 3. The value of the attribute nextRange on: ou=certificateRepository,
>    o=ipaca and ou=Requests, o=ipaca
>
> Please send me that info, and I'll explain how to clean that up.
>
> Ade
>

Ok, after that brief little side trip down deleting my CA lane, here is
what I have for the ranges info:

1. Hmm ok, I'll do the best I can here, LDAP is not yet my forte:

dn: ou=ranges,o=ipaca
objectClass: organizationalUnit
objectClass: top
ou: ranges

dn: ou=replica,ou=ranges,o=ipaca
objectClass: organizationalUnit
objectClass: top
ou: replica

dn: ou=requests,ou=ranges,o=ipaca
objectClass: organizationalUnit
objectClass: top
ou: requests

dn: ou=certificateRepository,ou=ranges,o=ipaca
objectClass: organizationalUnit
objectClass: top
ou: certificateRepository

dn: cn=10000001,ou=requests,ou=ranges,o=ipaca
objectClass: pkiRange
objectClass: top
beginRange: 10000001
cn: 10000001
endRange: 20000000
host: ipa2.example.com
SecurePort: 443

dn: cn=10000001,ou=certificateRepository,ou=ranges,o=ipaca
objectClass: pkiRange
objectClass: top
beginRange: 10000001
cn: 10000001
endRange: 20000000
host: ipa2.example.com
SecurePort: 443

2.
dbs.beginReplicaNumber=1
dbs.beginRequestNumber=1
dbs.beginSerialNumber=1
dbs.enableSerialManagement=true
dbs.endReplicaNumber=50
dbs.endRequestNumber=9900000
dbs.endSerialNumber=ff60000
dbs.ldap=internaldb
dbs.newSchemaEntryAdded=true
dbs.replicaCloneTransferNumber=5
dbs.replicaDN=ou=replica
dbs.replicaIncrement=100
dbs.replicaLowWaterMark=20
dbs.replicaRangeDN=ou=replica, ou=ranges
dbs.requestCloneTransferNumber=10000
dbs.requestDN=ou=ca, ou=requests
dbs.requestIncrement=10000000
dbs.requestLowWaterMark=2000000
dbs.requestRangeDN=ou=requests, ou=ranges
dbs.serialCloneTransferNumber=10000
dbs.serialDN=ou=certificateRepository, ou=ca
dbs.serialIncrement=10000000
dbs.serialLowWaterMark=2000000
dbs.serialRangeDN=ou=certificateRepository, ou=ranges

3.
In ou=ca,ou=ranges,o=ipaca
nextRange: 20000001

Ditto for ou=certificateRepository,ou=ca,o=ipaca

Thanks,
-Erinn

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
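
Added example, not part of the original thread and not FreeIPA code: a small Python check of the "no two replicas share a serial number" property described above, run over the range entries, CS.cfg values and nextRange posted in this message. The function names are hypothetical, and the radix of the LDAP values is an assumption (the message does not state it), so it is a parameter and the script reports results for both readings.

```python
import re

# Constructed input: the range entries and dbs.* values quoted in the message above.
LDIF = """\
dn: cn=10000001,ou=requests,ou=ranges,o=ipaca
objectClass: pkiRange
beginRange: 10000001
endRange: 20000000
host: ipa2.example.com

dn: cn=10000001,ou=certificateRepository,ou=ranges,o=ipaca
objectClass: pkiRange
beginRange: 10000001
endRange: 20000000
host: ipa2.example.com
"""
CS_CFG = "dbs.beginSerialNumber=1\ndbs.endSerialNumber=ff60000\n"
NEXT_RANGE = "20000001"  # nextRange as reported for the certificate repository

def ldap_serial_ranges(ldif, radix):
    """(host, begin, end) for each range entry under ou=certificateRepository,ou=ranges."""
    found = []
    for entry in re.split(r"\n\s*\n", ldif.strip()):
        attrs = dict(l.split(": ", 1) for l in entry.splitlines() if ": " in l)
        dn = attrs.get("dn", "").lower()
        if "beginRange" in attrs and "ou=certificaterepository,ou=ranges" in dn:
            found.append((attrs.get("host", "unknown"),
                          int(attrs["beginRange"], radix), int(attrs["endRange"], radix)))
    return found

def local_serial_range(cs_cfg, label="master"):
    """Range the local CA uses, from CS.cfg; ff60000 shows these values are hex."""
    cfg = dict(l.split("=", 1) for l in cs_cfg.splitlines() if "=" in l)
    return (label, int(cfg["dbs.beginSerialNumber"], 16), int(cfg["dbs.endSerialNumber"], 16))

def audit(ldif, cs_cfg, next_range, radix=16):
    """Report overlapping serial ranges and a nextRange inside allocated space.
    radix is an assumption: the page does not say how the LDAP values are encoded."""
    ranges = sorted([local_serial_range(cs_cfg)] + ldap_serial_ranges(ldif, radix),
                    key=lambda r: r[1])
    findings, top_host, top_end = [], None, -1
    for host, begin, end in ranges:
        if begin <= top_end:
            findings.append(f"overlap: {host} starts inside range held by {top_host}")
        if end > top_end:
            top_host, top_end = host, end
    if int(next_range, radix) <= top_end:
        findings.append("nextRange lies inside an already allocated range")
    return ranges, findings

if __name__ == "__main__":
    for radix in (16, 10):
        print(radix, audit(LDIF, CS_CFG, NEXT_RANGE, radix)[1])
```

Read as hexadecimal the posted ranges are disjoint; read as decimal the same numbers fall inside the master's range, so confirm the encoding before editing any range by hand.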