On 24 April 2016 at 11:27, Duncan Gibb <[email protected]> wrote:
DG> ipa-ca-install fails.

DG> I haven't found the relevant source code for this operation yet,

Found it here:

https://git.fedorahosted.org/cgit/pki.git/tree/base/common/src/com/netscape/cmscore/dbs/DBSubsystem.java?id=10502e34a10fb3b672aef1161cc271003c7806ba&h=DOGTAG_10_2_6_BRANCH#n400

DG> but it looks suspiciously like the CA serial number range is being
DG> treated as a signed 32-bit integer somewhere and it's overflowed.

I was wrong; it's just coincidence that the previous box got a range around 0x7ffe0001.

The exception - LDAP error 68 - is "object already exists", presumably trying to add this again:

> dn: cn=120000001,ou=requests,ou=ranges,o=ipaca
> objectClass: top
> objectClass: pkiRange
> beginRange: 120000001
> cn: 120000001
> endRange: 130000000
> host: ipa-a2.my.domain.dom
> SecurePort: 443

Magically, without me actually making any manual changes, just restarting the CA twice with:

systemctl restart [email protected]

this error went away and a new object appeared:

dn: cn=120000001,ou=certificateRepository,ou=ranges,o=ipaca
objectClass: top
objectClass: pkiRange
beginRange: 120000001
cn: 120000001
endRange: 130000000
host: ipa-a2.my.domain.dom
SecurePort: 443

ipa-ca-install says the CA replica is "already installed", but that just seems to mean the config files are present.

ipa cert-show commands work (although I don't know that they didn't before).

I'm slightly distrusting of installs that seem to break then seem to fix themselves. Is there a good way to validate that all is well?

Cheers

Duncan

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
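One offline way to answer the "is there a good way to validate that all is well?" question, as an added example that is not part of the post and not code from the FreeIPA or Dogtag projects: dump the pkiRange entries under ou=ranges,o=ipaca to LDIF (for example with ldapsearch) and run a consistency check over them. The rules below are the editor's own assumptions about what a sane range table looks like: every DN is unique (an add of an existing DN is exactly what produces LDAP result 68, entryAlreadyExists, as seen in the post), cn equals beginRange, beginRange <= endRange, and within one container (ou=requests, ou=certificateRepository) no two ranges overlap. The signed 32-bit check is included only because the post raised and then withdrew that hypothesis; it reports nothing for the values quoted. The LDIF sample is constructed from the two entries in the post plus a hypothetical first range on a host ipa-a1; the simplified parser assumes one attribute per line, no base64 values and no line folding.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: the two entries quoted in the post plus a hypothetical
# earlier range on a second host (ipa-a1) in ou=requests.
SAMPLE_LDIF = """\
dn: cn=1,ou=requests,ou=ranges,o=ipaca
objectClass: top
objectClass: pkiRange
beginRange: 1
cn: 1
endRange: 120000000
host: ipa-a1.my.domain.dom
SecurePort: 443

dn: cn=120000001,ou=requests,ou=ranges,o=ipaca
objectClass: top
objectClass: pkiRange
beginRange: 120000001
cn: 120000001
endRange: 130000000
host: ipa-a2.my.domain.dom
SecurePort: 443

dn: cn=120000001,ou=certificateRepository,ou=ranges,o=ipaca
objectClass: top
objectClass: pkiRange
beginRange: 120000001
cn: 120000001
endRange: 130000000
host: ipa-a2.my.domain.dom
SecurePort: 443
"""

INT32_MAX = 2**31 - 1  # the (withdrawn) overflow hypothesis from the post


@dataclass
class PkiRange:
    dn: str
    container: str  # first ou= RDN in the DN, e.g. "requests"
    cn: str
    begin: int
    end: int
    host: str


def parse_ldif(text: str) -> List[PkiRange]:
    """Parse a minimal LDIF dump: entries separated by blank lines,
    one 'attr: value' per line, no base64 values, no folding (assumption)."""
    ranges: List[PkiRange] = []
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs: Dict[str, List[str]] = defaultdict(list)
        for line in block.splitlines():
            if not line.strip() or line.startswith("#"):
                continue
            key, _, value = line.partition(":")
            attrs[key.strip()].append(value.strip())
        if "pkiRange" not in attrs.get("objectClass", []):
            continue  # ignore the ou=ranges container entries themselves
        dn = attrs["dn"][0]
        m = re.search(r"ou=([^,]+)", dn)
        ranges.append(PkiRange(
            dn=dn,
            container=m.group(1) if m else "",
            cn=attrs["cn"][0],
            begin=int(attrs["beginRange"][0]),
            end=int(attrs["endRange"][0]),
            host=attrs.get("host", [""])[0],
        ))
    return ranges


def add_would_collide(existing: List[PkiRange], new_dn: str) -> bool:
    """True if an LDAP add of new_dn would fail with result 68 (entryAlreadyExists)."""
    return any(r.dn == new_dn for r in existing)


def check_ranges(ranges: List[PkiRange]) -> List[str]:
    """Return a list of human-readable findings; an empty list means consistent."""
    findings: List[str] = []
    seen = set()
    for r in ranges:
        if r.dn in seen:
            findings.append(f"duplicate DN: {r.dn}")
        seen.add(r.dn)
        if r.cn != str(r.begin):
            findings.append(f"{r.dn}: cn {r.cn} != beginRange {r.begin}")
        if r.begin > r.end:
            findings.append(f"{r.dn}: beginRange {r.begin} > endRange {r.end}")
        if r.end > INT32_MAX:
            findings.append(f"{r.dn}: endRange {r.end} exceeds signed 32-bit")
    by_container: Dict[str, List[PkiRange]] = defaultdict(list)
    for r in ranges:
        by_container[r.container].append(r)
    for container, rs in by_container.items():
        rs = sorted(rs, key=lambda x: x.begin)
        for a, b in zip(rs, rs[1:]):  # inclusive ranges: overlap if b starts inside a
            if b.begin <= a.end:
                findings.append(f"{container}: {a.dn} [{a.begin}-{a.end}] "
                                f"overlaps {b.dn} [{b.begin}-{b.end}]")
    return findings


if __name__ == "__main__":
    rs = parse_ldif(SAMPLE_LDIF)
    print("\n".join(check_ranges(rs)) or "ranges consistent")
```

Run against a real dump, a non-empty findings list is the signal to look further; an empty list only says the range table is internally consistent, not that every replica agrees with it, so the check is best run from each CA host in turn.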
