On 24 April 2016 at 11:27, Duncan Gibb <duncan.li...@gmail.com> wrote:
DG> ipa-ca-install fails.
DG> I haven't found the relevant source code for this operation yet,
Found it here:
DG> but it looks suspiciously like the CA serial number range is being
DG> treated as a signed 32-bit integer somewhere and it's overflowed.
I was wrong; it's just coincidence that the previous box got a range
The exception - LDAP error 68 - is "object already exists", presumably
trying to add this again:
> dn: cn=120000001,ou=requests,ou=ranges,o=ipaca
> objectClass: top
> objectClass: pkiRange
> beginRange: 120000001
> cn: 120000001
> endRange: 130000000
> host: ipa-a2.my.domain.dom
> SecurePort: 443
Magically, without me actually making any manual changes, just
restarting the CA twice with:
systemctl restart email@example.com
this error went away and a new object appeared:
ipa-ca-install says the CA replica is "already installed", but that
just seems to mean the config files are present. ipa cert-show
commands work (although I don't know that they didn't before).
I'm slightly distrusting of installs that seem to break then seem to
fix themselves. Is there a good way to validate that all is well?