CA's automatic range management is broken when switching to a new range in the certificate repository.
Here is the dbs section of CS.cfg before the range switch:
dbs.beginReplicaNumber=1
dbs.beginRequestNumber=1
dbs.beginSerialNumber=1
dbs.enableSerialManagement=true
dbs.endReplicaNumber=95
dbs.endRequestNumber=9990000
dbs.endSerialNumber=8000000
dbs.ldap=internaldb
dbs.newSchemaEntryAdded=true
dbs.nextBeginSerialNumber=20000001
dbs.nextEndSerialNumber=30000001
dbs.replicaCloneTransferNumber=5
dbs.replicaDN=ou=replica
dbs.replicaIncrement=100
dbs.replicaLowWaterMark=20
dbs.replicaRangeDN=ou=replica, ou=ranges
dbs.requestCloneTransferNumber=10000
dbs.requestDN=ou=ca, ou=requests
dbs.requestIncrement=10000000
dbs.requestLowWaterMark=2000000
dbs.requestRangeDN=ou=requests, ou=ranges
dbs.serialCloneTransferNumber=10000
dbs.serialDN=ou=certificateRepository, ou=ca
dbs.serialIncrement=10000000
dbs.serialLowWaterMark=2000000
dbs.serialRangeDN=ou=certificateRepository, ou=ranges
Here is the dbs section of CS.cfg after the range switch:
dbs.beginReplicaNumber=1
dbs.beginRequestNumber=1
dbs.beginSerialNumber=536870913
dbs.enableSerialManagement=true
dbs.endReplicaNumber=95
dbs.endRequestNumber=9990000
dbs.endSerialNumber=805306369
dbs.ldap=internaldb
dbs.newSchemaEntryAdded=true
dbs.replicaCloneTransferNumber=5
dbs.replicaDN=ou=replica
dbs.replicaIncrement=100
dbs.replicaLowWaterMark=20
dbs.replicaRangeDN=ou=replica, ou=ranges
dbs.requestCloneTransferNumber=10000
dbs.requestDN=ou=ca, ou=requests
dbs.requestIncrement=10000000
dbs.requestLowWaterMark=2000000
dbs.requestRangeDN=ou=requests, ou=ranges
dbs.serialCloneTransferNumber=10000
dbs.serialDN=ou=certificateRepository, ou=ca
dbs.serialIncrement=10000000
dbs.serialLowWaterMark=2000000
dbs.serialRangeDN=ou=certificateRepository, ou=ranges
The above issue can be solved by the following patch:
@@ -409,8 +475,8 @@ public abstract class Repository implements IRepository { } // persist the changes - mDB.setMinSerialConfig(mRepo, mMinSerialNo.toString()); - mDB.setMaxSerialConfig(mRepo, mMaxSerialNo.toString()); + mDB.setMinSerialConfig(mRepo, mMinSerialNo.toString(mRadix)); + mDB.setMaxSerialConfig(mRepo, mMaxSerialNo.toString(mRadix)); mDB.setNextMinSerialConfig(mRepo, null); mDB.setNextMaxSerialConfig(mRepo, null); } else {
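Review bot: mRadix in the two changed setMinSerialConfig/setMaxSerialConfig calls has to be the same radix the config reader parses these values with, and that has to hold for every subclass, because this is the abstract Repository class and the persist step is shared. If any subclass keeps its range in base 10, confirm its mRadix is 10, otherwise it gets the inverse of this bug. A one-line comment under "// persist the changes" saying the stored form uses mRadix, and a test that switches to the next range and reads the persisted begin/end values back, would keep the writer and the reader from drifting apart again.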
Metadata Update from @awnuk:
- Issue assigned to awnuk
- Issue set to the milestone: Random Serial Numbers Effort
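A check for the symptom visible in the two CS.cfg listings above, as an added example that is not part of the original ticket or of Dogtag's code. It assumes serial range values are stored in base 16 (SERIAL_RADIX is that assumption; the function names are hypothetical) and compares the range promoted by the switch with the queued next range.

```python
SERIAL_RADIX = 16  # assumption: serial range values in CS.cfg are hexadecimal

# Serial-number keys copied from the two CS.cfg listings on this page.
BEFORE = """\
dbs.beginSerialNumber=1
dbs.endSerialNumber=8000000
dbs.nextBeginSerialNumber=20000001
dbs.nextEndSerialNumber=30000001
"""
AFTER = """\
dbs.beginSerialNumber=536870913
dbs.endSerialNumber=805306369
"""

def parse_dbs(text):
    """Return {key: value} for the dbs.* lines of a CS.cfg fragment."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("dbs.") and "=" in line:
            key, value = line.split("=", 1)  # DN values contain '=' too
            cfg[key] = value
    return cfg

def to_int(value, radix):
    """Parse value in the given radix; None if it is not valid in that radix."""
    try:
        return int(value, radix)
    except ValueError:
        return None

def check_range_switch(before, after, radix=SERIAL_RADIX):
    """One finding per bound whose promoted value differs from the queued one."""
    findings = []
    for bound in ("Begin", "End"):
        key = "dbs." + bound.lower() + "SerialNumber"
        queued, stored = before["dbs.next" + bound + "SerialNumber"], after[key]
        expected, effective = to_int(queued, radix), to_int(stored, radix)
        if effective != expected:
            findings.append({"key": key, "expected": expected, "effective": effective,
                             # True when the value was written with a base-10 toString()
                             "written_in_base_10": to_int(stored, 10) == expected})
    return findings

if __name__ == "__main__":
    for f in check_range_switch(parse_dbs(BEFORE), parse_dbs(AFTER)):
        print(f"{f['key']}: expected 0x{f['expected']:x}, config now reads as "
              f"0x{f['effective']:x} (base-10 write: {f['written_in_base_10']})")
```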
Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.
This issue has been cloned to GitHub and is available here: https://github.com/dogtagpki/pki/issues/1066
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on the Subscribe button.
Thank you for understanding, and we apologize for any inconvenience.