[Freeipa-users] Re: Adding new replica with CA fails.
Confirmed Fraser. It worked! Thanks so much!
Using the decimal value in the nextRange attribute did the trick.

Thank you everyone for your help.

All the best,
Guillermo

On Tue, Jul 7, 2020 at 3:57 AM Fraser Tweedale wrote:
>
> On Tue, Jul 07, 2020 at 12:04:58AM -0400, Guillermo Fuentes via FreeIPA-users wrote:
> > On Mon, Jul 6, 2020 at 5:31 PM Rob Crittenden wrote:
> > >
> > > Guillermo Fuentes via FreeIPA-users wrote:
> > > > Hi Flo,
> > > > Here is the value of the entry:
> > > > # certificateRepository, ca, ipaca
> > > > dn: ou=certificateRepository,ou=ca,o=ipaca
> > > > objectClass: top
> > > > objectClass: repository
> > > > ou: certificateRepository
> > > > serialno: 09268369921
> > > > nextRange: e001
> > > >
> > > > The value of nextRange was modified by hand to fix another issue.
> > > > According to this
> > > > https://frasertweedale.github.io/blog-redhat/posts/2019-07-26-dogtag-replica-ranges.html
> > > > it should be hexadecimal.
> > >
> > > Maybe try an upper-case E.
> > >
> > > rob
> >
> > Same result.
> >
> IIRC the ldap objects all use decimal representation. It is only in
> CS.cfg where some ranges are hexadecimal and others are decimal.
> I can confirm later. And update the blog post to clarify!
>
> Put the decimal representation in the `nextRange' attribute and see
> how you go.
>
> Cheers,
> Fraser
>
> > > >
> > > > If the code is expecting a decimal value, I'm assuming converting the
> > > > range from hex to decimal should do it, right? I'll also check for
> > > > conflicts.
> > > >
> > > > Thanks!
> > > > Guillermo
> > > >
> > > > On Mon, Jul 6, 2020 at 12:35 PM Florence Blanc-Renaud wrote:
> > > >>
> > > >> On 7/6/20 5:18 PM, Guillermo Fuentes via FreeIPA-users wrote:
> > > >>> Hi all,
> > > >>>
> > > >>> I'm having an issue creating a new replica with CA.
> > > >>> The Directory Service installation works fine but adding the CA clone
> > > >>> fails with a java.lang.NumberFormatException when getting the serial
> > > >>> number range.
> > > >>>
> > > >>> This is the error logged in /var/log/pki/pki-tomcat/ca/debug:
> > > >>> ##
> > > >>> ...
> > > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: DBSubsystem: retrieving ou=ca, ou=requests,o=ipaca
> > > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: DBSubsystem: updating nextRange from 8001 to 9001
> > > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: DBSubsystem: adding new range object: cn=8001,ou=requests, ou=ranges,o=ipaca
> > > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: DBSubsystem: getNextRange Next range has been added: 8001 - 9000
> > > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: Releasing ldap connection
> > > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: returnConn: mNumConns now 3
> > > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: Repository: next range: 8001
> > > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: Repository: Next min serial number: 8001
> > > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: DBSubsystem: Setting next min requests number: 8001
> > > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: DBSubsystem: Setting next max requests number: 9000
> > > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: Checking for a range conflict
> > > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: In LdapBoundConnFactory::getConn()
> > > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: masterConn is connected: true
> > > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: getConn: conn is connected true
> > > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: getConn: mNumConns now 2
> > > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: Releasing ldap connection
> > > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: returnConn: mNumConns now 3
> > > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: CMSEngine: checking certificate serial number ranges
> > > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: Repository: Serial numbers left in range: 65536
> > > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: Repository: Last serial number: 2415656960
> > > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: Repository: Serial numbers available: 65536
> > > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: Repository: Low water mark: 33554432
> > > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: Repository: Requesting next range
> > > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: In LdapBoundConnFactory::getConn()
> > > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: masterConn is connected: true
> > > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: getConn: conn is connected true
> > > >>>
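Added example, not part of any message in this thread and not Dogtag code: a Python check for the failure diagnosed above, where the `nextRange` attribute of the repository entry must parse as decimal. It reads the `ldapsearch` output quoted in the thread (embedded as a sample), flags a value that would not parse as a decimal integer, and prints the `ldapmodify` change with the decimal equivalent. Function names are illustrative; the conversion assumes the hand-edited value was meant as hexadecimal, as Guillermo states, and it does not check for range conflicts.

```python
import base64
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Sample input: the entry quoted in the thread, as printed by ldapsearch.
SAMPLE_LDIF = """\
# certificateRepository, ca, ipaca
dn: ou=certificateRepository,ou=ca,o=ipaca
objectClass: top
objectClass: repository
ou: certificateRepository
serialno: 09268369921
nextRange: e001
"""

# Approximates what a radix-10 java.math.BigInteger(String) accepts:
# an optional sign followed by ASCII decimal digits only.
_DECIMAL = re.compile(r"[+-]?[0-9]+")
_HEX = re.compile(r"(?:0[xX])?[0-9a-fA-F]+")


def parse_ldif_entry(text: str) -> Dict[str, List[str]]:
    """Parse a single LDIF entry into {lower-cased attribute: [values]}."""
    unfolded: List[str] = []
    for line in text.splitlines():
        # A line starting with one space continues the previous line.
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entry: Dict[str, List[str]] = {}
    for line in unfolded:
        if not line.strip() or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"not an LDIF attribute line: {line!r}")
        if value.startswith(":"):  # 'attr:: <base64>' form
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        entry.setdefault(name.strip().lower(), []).append(value.strip())
    return entry


@dataclass
class RangeCheck:
    dn: str
    raw: Optional[str]              # nextRange as stored, None if absent
    parses_as_decimal: bool         # True if a decimal parse would succeed
    decimal_if_hex: Optional[int]   # value if the stored text is read as hex


def check_next_range(entry: Dict[str, List[str]]) -> RangeCheck:
    """Report whether nextRange is decimal; offer a hex reading if not.

    An all-digit value such as '9001' always passes: this check cannot tell
    whether such a value was written with hexadecimal in mind.
    """
    dn = entry.get("dn", ["<unknown>"])[0]
    values = entry.get("nextrange", [])
    raw = values[0] if values else None
    ok = raw is not None and _DECIMAL.fullmatch(raw) is not None
    candidate = None
    if raw is not None and not ok and _HEX.fullmatch(raw):
        candidate = int(raw, 16)
    return RangeCheck(dn, raw, ok, candidate)


def replacement_ldif(check: RangeCheck) -> Optional[str]:
    """Build an ldapmodify change that stores the decimal form, if one exists."""
    if check.decimal_if_hex is None:
        return None
    return (
        f"dn: {check.dn}\n"
        "changetype: modify\n"
        "replace: nextRange\n"
        f"nextRange: {check.decimal_if_hex}\n"
    )


if __name__ == "__main__":
    result = check_next_range(parse_ldif_entry(SAMPLE_LDIF))
    print(f"nextRange={result.raw!r} decimal={result.parses_as_decimal}")
    fix = replacement_ldif(result)
    if fix:
        print("Proposed change (review for range conflicts before applying):")
        print(fix, end="")
```
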
[Freeipa-users] Re: Adding new replica with CA fails.
On Tue, Jul 07, 2020 at 12:04:58AM -0400, Guillermo Fuentes via FreeIPA-users wrote:
> On Mon, Jul 6, 2020 at 5:31 PM Rob Crittenden wrote:
> >
> > Guillermo Fuentes via FreeIPA-users wrote:
> > > Hi Flo,
> > > Here is the value of the entry:
> > > # certificateRepository, ca, ipaca
> > > dn: ou=certificateRepository,ou=ca,o=ipaca
> > > objectClass: top
> > > objectClass: repository
> > > ou: certificateRepository
> > > serialno: 09268369921
> > > nextRange: e001
> > >
> > > The value of nextRange was modified by hand to fix another issue.
> > > According to this
> > > https://frasertweedale.github.io/blog-redhat/posts/2019-07-26-dogtag-replica-ranges.html
> > > it should be hexadecimal.
> >
> > Maybe try an upper-case E.
> >
> > rob
>
> Same result.
>

IIRC the ldap objects all use decimal representation. It is only in
CS.cfg where some ranges are hexadecimal and others are decimal.
I can confirm later. And update the blog post to clarify!

Put the decimal representation in the `nextRange' attribute and see
how you go.

Cheers,
Fraser

> > >
> > > If the code is expecting a decimal value, I'm assuming converting the
> > > range from hex to decimal should do it, right? I'll also check for
> > > conflicts.
> > >
> > > Thanks!
> > > Guillermo
> > >
> > > On Mon, Jul 6, 2020 at 12:35 PM Florence Blanc-Renaud wrote:
> > >>
> > >> On 7/6/20 5:18 PM, Guillermo Fuentes via FreeIPA-users wrote:
> > >>> Hi all,
> > >>>
> > >>> I'm having an issue creating a new replica with CA.
> > >>> The Directory Service installation works fine but adding the CA clone
> > >>> fails with a java.lang.NumberFormatException when getting the serial
> > >>> number range.
> > >>>
> > >>> This is the error logged in /var/log/pki/pki-tomcat/ca/debug:
> > >>> ##
> > >>> ...
> > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: DBSubsystem: retrieving ou=ca, ou=requests,o=ipaca
> > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: DBSubsystem: updating nextRange from 8001 to 9001
> > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: DBSubsystem: adding new range object: cn=8001,ou=requests, ou=ranges,o=ipaca
> > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: DBSubsystem: getNextRange Next range has been added: 8001 - 9000
> > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: Releasing ldap connection
> > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: returnConn: mNumConns now 3
> > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: Repository: next range: 8001
> > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: Repository: Next min serial number: 8001
> > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: DBSubsystem: Setting next min requests number: 8001
> > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: DBSubsystem: Setting next max requests number: 9000
> > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: Checking for a range conflict
> > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: In LdapBoundConnFactory::getConn()
> > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: masterConn is connected: true
> > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: getConn: conn is connected true
> > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: getConn: mNumConns now 2
> > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: Releasing ldap connection
> > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: returnConn: mNumConns now 3
> > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: CMSEngine: checking certificate serial number ranges
> > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: Repository: Serial numbers left in range: 65536
> > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: Repository: Last serial number: 2415656960
> > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: Repository: Serial numbers available: 65536
> > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: Repository: Low water mark: 33554432
> > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: Repository: Requesting next range
> > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: In LdapBoundConnFactory::getConn()
> > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: masterConn is connected: true
> > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: getConn: conn is connected true
> > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: getConn: mNumConns now 2
> > >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: DBSubsystem: retrieving ou=certificateRepository, ou=ca,o=ipaca
> > >> Hi,
> > >>
> > >> What is the content of this entry?
> > >> ldapsearch -D "cn=directory manager" -W -b "ou=certificateRepository,ou=ca,o=ipaca" -s base
> > >>
> > >> According to the code, a decimal format is expected for the attribute
> > >> nextRange. Was the value modified by hand?
[Freeipa-users] Re: Adding new replica with CA fails.
On Mon, Jul 6, 2020 at 5:31 PM Rob Crittenden wrote:
>
> Guillermo Fuentes via FreeIPA-users wrote:
> > Hi Flo,
> > Here is the value of the entry:
> > # certificateRepository, ca, ipaca
> > dn: ou=certificateRepository,ou=ca,o=ipaca
> > objectClass: top
> > objectClass: repository
> > ou: certificateRepository
> > serialno: 09268369921
> > nextRange: e001
> >
> > The value of nextRange was modified by hand to fix another issue.
> > According to this
> > https://frasertweedale.github.io/blog-redhat/posts/2019-07-26-dogtag-replica-ranges.html
> > it should be hexadecimal.
>
> Maybe try an upper-case E.
>
> rob

Same result.

> >
> > If the code is expecting a decimal value, I'm assuming converting the
> > range from hex to decimal should do it, right? I'll also check for
> > conflicts.
> >
> > Thanks!
> > Guillermo
> >
> > On Mon, Jul 6, 2020 at 12:35 PM Florence Blanc-Renaud wrote:
> >>
> >> On 7/6/20 5:18 PM, Guillermo Fuentes via FreeIPA-users wrote:
> >>> Hi all,
> >>>
> >>> I'm having an issue creating a new replica with CA.
> >>> The Directory Service installation works fine but adding the CA clone
> >>> fails with a java.lang.NumberFormatException when getting the serial
> >>> number range.
> >>>
> >>> This is the error logged in /var/log/pki/pki-tomcat/ca/debug:
> >>> ##
> >>> ...
> >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: DBSubsystem: retrieving ou=ca, ou=requests,o=ipaca
> >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: DBSubsystem: updating nextRange from 8001 to 9001
> >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: DBSubsystem: adding new range object: cn=8001,ou=requests, ou=ranges,o=ipaca
> >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: DBSubsystem: getNextRange Next range has been added: 8001 - 9000
> >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: Releasing ldap connection
> >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: returnConn: mNumConns now 3
> >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: Repository: next range: 8001
> >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: Repository: Next min serial number: 8001
> >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: DBSubsystem: Setting next min requests number: 8001
> >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: DBSubsystem: Setting next max requests number: 9000
> >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: Checking for a range conflict
> >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: In LdapBoundConnFactory::getConn()
> >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: masterConn is connected: true
> >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: getConn: conn is connected true
> >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: getConn: mNumConns now 2
> >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: Releasing ldap connection
> >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: returnConn: mNumConns now 3
> >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: CMSEngine: checking certificate serial number ranges
> >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: Repository: Serial numbers left in range: 65536
> >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: Repository: Last serial number: 2415656960
> >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: Repository: Serial numbers available: 65536
> >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: Repository: Low water mark: 33554432
> >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: Repository: Requesting next range
> >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: In LdapBoundConnFactory::getConn()
> >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: masterConn is connected: true
> >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: getConn: conn is connected true
> >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: getConn: mNumConns now 2
> >>> [20/Jun/2020:15:09:55][localhost-startStop-1]: DBSubsystem: retrieving ou=certificateRepository, ou=ca,o=ipaca
> >> Hi,
> >>
> >> What is the content of this entry?
> >> ldapsearch -D "cn=directory manager" -W -b "ou=certificateRepository,ou=ca,o=ipaca" -s base
> >>
> >> According to the code, a decimal format is expected for the attribute
> >> nextRange. Was the value modified by hand? If not, I would advise to
> >> open an issue against dogtag, for the team to investigate how an
> >> hexadecimal format could get written there:
> >> https://pagure.io/dogtagpki/new_issue
> >>
> >> HTH,
> >> flo
> >>
> >>> java.lang.NumberFormatException: For input string: "e001"
> >>> at java.lang.NumberFormatException.forInputString(NumberFormatException.java:65)
> >>> at java.lang.Integer.parseInt(Integer.java:580)
> >>> at java.math.BigInteger.<init>(BigInteger.java:470)
> >>> at java.math.BigInteger.<init>(BigInteger.java:606)
> >>> at
> >>>
[Freeipa-users] Re: Adding new replica with CA fails.
Guillermo Fuentes via FreeIPA-users wrote:
> Hi Flo,
> Here is the value of the entry:
> # certificateRepository, ca, ipaca
> dn: ou=certificateRepository,ou=ca,o=ipaca
> objectClass: top
> objectClass: repository
> ou: certificateRepository
> serialno: 09268369921
> nextRange: e001
>
> The value of nextRange was modified by hand to fix another issue.
> According to this
> https://frasertweedale.github.io/blog-redhat/posts/2019-07-26-dogtag-replica-ranges.html
> it should be hexadecimal.

Maybe try an upper-case E.

rob

>
> If the code is expecting a decimal value, I'm assuming converting the
> range from hex to decimal should do it, right? I'll also check for
> conflicts.
>
> Thanks!
> Guillermo
>
> On Mon, Jul 6, 2020 at 12:35 PM Florence Blanc-Renaud wrote:
>>
>> On 7/6/20 5:18 PM, Guillermo Fuentes via FreeIPA-users wrote:
>>> Hi all,
>>>
>>> I'm having an issue creating a new replica with CA.
>>> The Directory Service installation works fine but adding the CA clone
>>> fails with a java.lang.NumberFormatException when getting the serial
>>> number range.
>>>
>>> This is the error logged in /var/log/pki/pki-tomcat/ca/debug:
>>> ##
>>> ...
>>> [20/Jun/2020:15:09:55][localhost-startStop-1]: DBSubsystem: retrieving ou=ca, ou=requests,o=ipaca
>>> [20/Jun/2020:15:09:55][localhost-startStop-1]: DBSubsystem: updating nextRange from 8001 to 9001
>>> [20/Jun/2020:15:09:55][localhost-startStop-1]: DBSubsystem: adding new range object: cn=8001,ou=requests, ou=ranges,o=ipaca
>>> [20/Jun/2020:15:09:55][localhost-startStop-1]: DBSubsystem: getNextRange Next range has been added: 8001 - 9000
>>> [20/Jun/2020:15:09:55][localhost-startStop-1]: Releasing ldap connection
>>> [20/Jun/2020:15:09:55][localhost-startStop-1]: returnConn: mNumConns now 3
>>> [20/Jun/2020:15:09:55][localhost-startStop-1]: Repository: next range: 8001
>>> [20/Jun/2020:15:09:55][localhost-startStop-1]: Repository: Next min serial number: 8001
>>> [20/Jun/2020:15:09:55][localhost-startStop-1]: DBSubsystem: Setting next min requests number: 8001
>>> [20/Jun/2020:15:09:55][localhost-startStop-1]: DBSubsystem: Setting next max requests number: 9000
>>> [20/Jun/2020:15:09:55][localhost-startStop-1]: Checking for a range conflict
>>> [20/Jun/2020:15:09:55][localhost-startStop-1]: In LdapBoundConnFactory::getConn()
>>> [20/Jun/2020:15:09:55][localhost-startStop-1]: masterConn is connected: true
>>> [20/Jun/2020:15:09:55][localhost-startStop-1]: getConn: conn is connected true
>>> [20/Jun/2020:15:09:55][localhost-startStop-1]: getConn: mNumConns now 2
>>> [20/Jun/2020:15:09:55][localhost-startStop-1]: Releasing ldap connection
>>> [20/Jun/2020:15:09:55][localhost-startStop-1]: returnConn: mNumConns now 3
>>> [20/Jun/2020:15:09:55][localhost-startStop-1]: CMSEngine: checking certificate serial number ranges
>>> [20/Jun/2020:15:09:55][localhost-startStop-1]: Repository: Serial numbers left in range: 65536
>>> [20/Jun/2020:15:09:55][localhost-startStop-1]: Repository: Last serial number: 2415656960
>>> [20/Jun/2020:15:09:55][localhost-startStop-1]: Repository: Serial numbers available: 65536
>>> [20/Jun/2020:15:09:55][localhost-startStop-1]: Repository: Low water mark: 33554432
>>> [20/Jun/2020:15:09:55][localhost-startStop-1]: Repository: Requesting next range
>>> [20/Jun/2020:15:09:55][localhost-startStop-1]: In LdapBoundConnFactory::getConn()
>>> [20/Jun/2020:15:09:55][localhost-startStop-1]: masterConn is connected: true
>>> [20/Jun/2020:15:09:55][localhost-startStop-1]: getConn: conn is connected true
>>> [20/Jun/2020:15:09:55][localhost-startStop-1]: getConn: mNumConns now 2
>>> [20/Jun/2020:15:09:55][localhost-startStop-1]: DBSubsystem: retrieving ou=certificateRepository, ou=ca,o=ipaca
>> Hi,
>>
>> What is the content of this entry?
>> ldapsearch -D "cn=directory manager" -W -b "ou=certificateRepository,ou=ca,o=ipaca" -s base
>>
>> According to the code, a decimal format is expected for the attribute
>> nextRange. Was the value modified by hand? If not, I would advise to
>> open an issue against dogtag, for the team to investigate how an
>> hexadecimal format could get written there:
>> https://pagure.io/dogtagpki/new_issue
>>
>> HTH,
>> flo
>>
>>> java.lang.NumberFormatException: For input string: "e001"
>>> at java.lang.NumberFormatException.forInputString(NumberFormatException.java:65)
>>> at java.lang.Integer.parseInt(Integer.java:580)
>>> at java.math.BigInteger.<init>(BigInteger.java:470)
>>> at java.math.BigInteger.<init>(BigInteger.java:606)
>>> at com.netscape.cmscore.dbs.DBSubsystem.getNextRange(DBSubsystem.java:417)
>>> at com.netscape.cmscore.dbs.Repository.checkRanges(Repository.java:546)
>>> at com.netscape.cmscore.apps.CMSEngine.startup(CMSEngine.java:1268)
>>> at com.netscape.certsrv.apps.CMS.startup(CMS.java:204)
>>>
[Freeipa-users] Re: Adding new replica with CA fails.
Hi Flo,
Here is the value of the entry:
# certificateRepository, ca, ipaca
dn: ou=certificateRepository,ou=ca,o=ipaca
objectClass: top
objectClass: repository
ou: certificateRepository
serialno: 09268369921
nextRange: e001

The value of nextRange was modified by hand to fix another issue.
According to this
https://frasertweedale.github.io/blog-redhat/posts/2019-07-26-dogtag-replica-ranges.html
it should be hexadecimal.

If the code is expecting a decimal value, I'm assuming converting the
range from hex to decimal should do it, right? I'll also check for
conflicts.

Thanks!
Guillermo

On Mon, Jul 6, 2020 at 12:35 PM Florence Blanc-Renaud wrote:
>
> On 7/6/20 5:18 PM, Guillermo Fuentes via FreeIPA-users wrote:
> > Hi all,
> >
> > I'm having an issue creating a new replica with CA.
> > The Directory Service installation works fine but adding the CA clone
> > fails with a java.lang.NumberFormatException when getting the serial
> > number range.
> >
> > This is the error logged in /var/log/pki/pki-tomcat/ca/debug:
> > ##
> > ...
> > [20/Jun/2020:15:09:55][localhost-startStop-1]: DBSubsystem: retrieving ou=ca, ou=requests,o=ipaca
> > [20/Jun/2020:15:09:55][localhost-startStop-1]: DBSubsystem: updating nextRange from 8001 to 9001
> > [20/Jun/2020:15:09:55][localhost-startStop-1]: DBSubsystem: adding new range object: cn=8001,ou=requests, ou=ranges,o=ipaca
> > [20/Jun/2020:15:09:55][localhost-startStop-1]: DBSubsystem: getNextRange Next range has been added: 8001 - 9000
> > [20/Jun/2020:15:09:55][localhost-startStop-1]: Releasing ldap connection
> > [20/Jun/2020:15:09:55][localhost-startStop-1]: returnConn: mNumConns now 3
> > [20/Jun/2020:15:09:55][localhost-startStop-1]: Repository: next range: 8001
> > [20/Jun/2020:15:09:55][localhost-startStop-1]: Repository: Next min serial number: 8001
> > [20/Jun/2020:15:09:55][localhost-startStop-1]: DBSubsystem: Setting next min requests number: 8001
> > [20/Jun/2020:15:09:55][localhost-startStop-1]: DBSubsystem: Setting next max requests number: 9000
> > [20/Jun/2020:15:09:55][localhost-startStop-1]: Checking for a range conflict
> > [20/Jun/2020:15:09:55][localhost-startStop-1]: In LdapBoundConnFactory::getConn()
> > [20/Jun/2020:15:09:55][localhost-startStop-1]: masterConn is connected: true
> > [20/Jun/2020:15:09:55][localhost-startStop-1]: getConn: conn is connected true
> > [20/Jun/2020:15:09:55][localhost-startStop-1]: getConn: mNumConns now 2
> > [20/Jun/2020:15:09:55][localhost-startStop-1]: Releasing ldap connection
> > [20/Jun/2020:15:09:55][localhost-startStop-1]: returnConn: mNumConns now 3
> > [20/Jun/2020:15:09:55][localhost-startStop-1]: CMSEngine: checking certificate serial number ranges
> > [20/Jun/2020:15:09:55][localhost-startStop-1]: Repository: Serial numbers left in range: 65536
> > [20/Jun/2020:15:09:55][localhost-startStop-1]: Repository: Last serial number: 2415656960
> > [20/Jun/2020:15:09:55][localhost-startStop-1]: Repository: Serial numbers available: 65536
> > [20/Jun/2020:15:09:55][localhost-startStop-1]: Repository: Low water mark: 33554432
> > [20/Jun/2020:15:09:55][localhost-startStop-1]: Repository: Requesting next range
> > [20/Jun/2020:15:09:55][localhost-startStop-1]: In LdapBoundConnFactory::getConn()
> > [20/Jun/2020:15:09:55][localhost-startStop-1]: masterConn is connected: true
> > [20/Jun/2020:15:09:55][localhost-startStop-1]: getConn: conn is connected true
> > [20/Jun/2020:15:09:55][localhost-startStop-1]: getConn: mNumConns now 2
> > [20/Jun/2020:15:09:55][localhost-startStop-1]: DBSubsystem: retrieving ou=certificateRepository, ou=ca,o=ipaca
> Hi,
>
> What is the content of this entry?
> ldapsearch -D "cn=directory manager" -W -b "ou=certificateRepository,ou=ca,o=ipaca" -s base
>
> According to the code, a decimal format is expected for the attribute
> nextRange. Was the value modified by hand? If not, I would advise to
> open an issue against dogtag, for the team to investigate how an
> hexadecimal format could get written there:
> https://pagure.io/dogtagpki/new_issue
>
> HTH,
> flo
>
> > java.lang.NumberFormatException: For input string: "e001"
> > at java.lang.NumberFormatException.forInputString(NumberFormatException.java:65)
> > at java.lang.Integer.parseInt(Integer.java:580)
> > at java.math.BigInteger.<init>(BigInteger.java:470)
> > at java.math.BigInteger.<init>(BigInteger.java:606)
> > at com.netscape.cmscore.dbs.DBSubsystem.getNextRange(DBSubsystem.java:417)
> > at com.netscape.cmscore.dbs.Repository.checkRanges(Repository.java:546)
> > at com.netscape.cmscore.apps.CMSEngine.startup(CMSEngine.java:1268)
> > at com.netscape.certsrv.apps.CMS.startup(CMS.java:204)
> > at com.netscape.certsrv.apps.CMS.start(CMS.java:1459)
> > at
> >
[Freeipa-users] Re: Adding new replica with CA fails.
On 7/6/20 5:18 PM, Guillermo Fuentes via FreeIPA-users wrote:
> Hi all,
>
> I'm having an issue creating a new replica with CA.
> The Directory Service installation works fine but adding the CA clone
> fails with a java.lang.NumberFormatException when getting the serial
> number range.
>
> This is the error logged in /var/log/pki/pki-tomcat/ca/debug:
> ##
> ...
> [20/Jun/2020:15:09:55][localhost-startStop-1]: DBSubsystem: retrieving ou=ca, ou=requests,o=ipaca
> [20/Jun/2020:15:09:55][localhost-startStop-1]: DBSubsystem: updating nextRange from 8001 to 9001
> [20/Jun/2020:15:09:55][localhost-startStop-1]: DBSubsystem: adding new range object: cn=8001,ou=requests, ou=ranges,o=ipaca
> [20/Jun/2020:15:09:55][localhost-startStop-1]: DBSubsystem: getNextRange Next range has been added: 8001 - 9000
> [20/Jun/2020:15:09:55][localhost-startStop-1]: Releasing ldap connection
> [20/Jun/2020:15:09:55][localhost-startStop-1]: returnConn: mNumConns now 3
> [20/Jun/2020:15:09:55][localhost-startStop-1]: Repository: next range: 8001
> [20/Jun/2020:15:09:55][localhost-startStop-1]: Repository: Next min serial number: 8001
> [20/Jun/2020:15:09:55][localhost-startStop-1]: DBSubsystem: Setting next min requests number: 8001
> [20/Jun/2020:15:09:55][localhost-startStop-1]: DBSubsystem: Setting next max requests number: 9000
> [20/Jun/2020:15:09:55][localhost-startStop-1]: Checking for a range conflict
> [20/Jun/2020:15:09:55][localhost-startStop-1]: In LdapBoundConnFactory::getConn()
> [20/Jun/2020:15:09:55][localhost-startStop-1]: masterConn is connected: true
> [20/Jun/2020:15:09:55][localhost-startStop-1]: getConn: conn is connected true
> [20/Jun/2020:15:09:55][localhost-startStop-1]: getConn: mNumConns now 2
> [20/Jun/2020:15:09:55][localhost-startStop-1]: Releasing ldap connection
> [20/Jun/2020:15:09:55][localhost-startStop-1]: returnConn: mNumConns now 3
> [20/Jun/2020:15:09:55][localhost-startStop-1]: CMSEngine: checking certificate serial number ranges
> [20/Jun/2020:15:09:55][localhost-startStop-1]: Repository: Serial numbers left in range: 65536
> [20/Jun/2020:15:09:55][localhost-startStop-1]: Repository: Last serial number: 2415656960
> [20/Jun/2020:15:09:55][localhost-startStop-1]: Repository: Serial numbers available: 65536
> [20/Jun/2020:15:09:55][localhost-startStop-1]: Repository: Low water mark: 33554432
> [20/Jun/2020:15:09:55][localhost-startStop-1]: Repository: Requesting next range
> [20/Jun/2020:15:09:55][localhost-startStop-1]: In LdapBoundConnFactory::getConn()
> [20/Jun/2020:15:09:55][localhost-startStop-1]: masterConn is connected: true
> [20/Jun/2020:15:09:55][localhost-startStop-1]: getConn: conn is connected true
> [20/Jun/2020:15:09:55][localhost-startStop-1]: getConn: mNumConns now 2
> [20/Jun/2020:15:09:55][localhost-startStop-1]: DBSubsystem: retrieving ou=certificateRepository, ou=ca,o=ipaca

Hi,

What is the content of this entry?
ldapsearch -D "cn=directory manager" -W -b "ou=certificateRepository,ou=ca,o=ipaca" -s base

According to the code, a decimal format is expected for the attribute
nextRange. Was the value modified by hand? If not, I would advise to
open an issue against dogtag, for the team to investigate how an
hexadecimal format could get written there:
https://pagure.io/dogtagpki/new_issue

HTH,
flo

> java.lang.NumberFormatException: For input string: "e001"
> at java.lang.NumberFormatException.forInputString(NumberFormatException.java:65)
> at java.lang.Integer.parseInt(Integer.java:580)
> at java.math.BigInteger.<init>(BigInteger.java:470)
> at java.math.BigInteger.<init>(BigInteger.java:606)
> at com.netscape.cmscore.dbs.DBSubsystem.getNextRange(DBSubsystem.java:417)
> at com.netscape.cmscore.dbs.Repository.checkRanges(Repository.java:546)
> at com.netscape.cmscore.apps.CMSEngine.startup(CMSEngine.java:1268)
> at com.netscape.certsrv.apps.CMS.startup(CMS.java:204)
> at com.netscape.certsrv.apps.CMS.start(CMS.java:1459)
> at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:117)
> at javax.servlet.GenericServlet.init(GenericServlet.java:158)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at java.lang.reflect.Method.invoke(Method.java:498)
> at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
> at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
> at java.security.AccessController.doPrivileged(Native Method)
> at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
> at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
> ...
> ##
>
> This is logged in /var/log/pki/pki-ca-spawn.20200620150752.log:
> ##
> ...
> 2020-06-20 15:09:47 pkispawn: INFO ... executing 'systemctl