On 24 April 2016 at 11:27, Duncan Gibb <duncan.li...@gmail.com> wrote:

DG> ipa-ca-install fails.

DG> I haven't found the relevant source code for this operation yet,

Found it here:

 
https://git.fedorahosted.org/cgit/pki.git/tree/base/common/src/com/netscape/cmscore/dbs/DBSubsystem.java?id=10502e34a10fb3b672aef1161cc271003c7806ba&h=DOGTAG_10_2_6_BRANCH#n400

DG> but it looks suspiciously like the CA serial number range is being
DG> treated as a signed 32-bit integer somewhere and it's overflowed.

I was wrong; it's just coincidence that the previous box got a range
around 0x7ffe0001

The exception - LDAP error 68 - is "object already exists", presumably
trying to add this again:

> dn: cn=120000001,ou=requests,ou=ranges,o=ipaca
> objectClass: top
> objectClass: pkiRange
> beginRange: 120000001
> cn: 120000001
> endRange: 130000000
> host: ipa-a2.my.domain.dom
> SecurePort: 443


Magically, without me actually making any manual changes, just
restarting the CA twice with:

  systemctl restart pki-tomcatd@pki-tomcat.service

this error went away and a new object appeared:

dn: cn=120000001,ou=certificateRepository,ou=ranges,o=ipaca
objectClass: top
objectClass: pkiRange
beginRange: 120000001
cn: 120000001
endRange: 130000000
host: ipa-a2.my.domain.dom
SecurePort: 443


ipa-ca-install says the CA replica is "already installed", but that
just seems to mean the config files are present.  ipa cert-show
commands work (although I don't know that they didn't before).

I'm slightly distrusting of installs that seem to break then seem to
fix themselves.  Is there a good way to validate that all is well?


Cheers


Duncan

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to