Open eldhose51 opened 2 years ago
If I understood correctly, you have a single LDAP server shared by 3 CA instances. Unfortunately this is not a supported configuration. Currently each CA instance needs to have its own LDAP server, which is connected to the other LDAP servers through replication.
We have a CA instance running on 3 different CentOS servers with a common LDAP. Recently we have noticed that whenever we restart the CA instance, the certificate serial number always starts from the value of dbs.beginSerialNumber rather than from the serial number of the last certificate issued by the CA instance running on that server. Due to this issue, certificate enrollment is not happening, as the serial number belongs to an already issued certificate.
Could somebody check this issue, as we don't know where exactly the issue is. Please note that the CA instance is running without any issue and we are able to search certificates on the CA without any issue.
```
dbs.beginReplicaNumber=1
dbs.beginRequestNumber=805306368
dbs.beginSerialNumber=30000000
dbs.enableRandomSerialNumbers=false
dbs.enableSerialManagement=false
dbs.endReplicaNumber=100
dbs.endRequestNumber=1073741823
dbs.endSerialNumber=3fffffff
dbs.ldap=internaldb
dbs.newSchemaEntryAdded=true
dbs.randomSerialNumberCounter=-1
dbs.replicaCloneTransferNumber=5
dbs.replicaDN=ou=replica
dbs.replicaIncrement=100
dbs.replicaLowWaterMark=20
dbs.replicaRangeDN=ou=replica, ou=ranges
dbs.requestCloneTransferNumber=10000
dbs.requestDN=ou=ca, ou=requests
dbs.requestIncrement=10000000
dbs.requestLowWaterMark=2000000
dbs.requestRangeDN=ou=requests, ou=ranges
dbs.serialCloneTransferNumber=10000
dbs.serialDN=ou=certificateRepository, ou=ca
dbs.serialIncrement=10000000
dbs.serialLowWaterMark=2000000
dbs.serialRangeDN=ou=certificateRepository, ou=ranges
debug.append=true
debug.enabled=true
```
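The following is an added example, not code from the issue or from the Dogtag project. It parses the `dbs.*` fragment posted above (reproduced here as constructed input), decodes the serial range and the request range, runs a few sanity checks on the range settings, and models the failure the reporter describes: a counter that is reinitialised from `dbs.beginSerialNumber` on restart and therefore hands out a serial that already exists in the shared repository. The assumptions are that the serial-side values (`beginSerialNumber`, `endSerialNumber`, `serialIncrement`, `serialLowWaterMark`) are hexadecimal and the request-side values decimal, and that the `SerialCounter` class and the `issued` set are hypothetical stand-ins for the CA's in-memory counter and the LDAP certificate repository.

```python
"""Model of the restart/serial-collision problem reported in the issue.

Added example, not Dogtag code. The config text below is constructed from the
values the reporter posted. The serial-side values are assumed to be hex and
the request-side values decimal; SerialCounter and `issued` are hypothetical
stand-ins for the CA's in-memory counter and the shared LDAP repository.
"""

# Constructed from the configuration fragment in the issue (subset).
CS_CFG_FRAGMENT = """
dbs.beginSerialNumber=30000000
dbs.endSerialNumber=3fffffff
dbs.serialIncrement=10000000
dbs.serialLowWaterMark=2000000
dbs.beginRequestNumber=805306368
dbs.endRequestNumber=1073741823
dbs.enableRandomSerialNumbers=false
"""


def parse_cfg(text):
    """Parse key=value lines (CS.cfg style) into a dict; blank/comment lines skipped."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def serial_range(cfg):
    """(begin, end) of the serial range; assumption: serial values are hex."""
    return (int(cfg["dbs.beginSerialNumber"], 16),
            int(cfg["dbs.endSerialNumber"], 16))


def request_range(cfg):
    """(begin, end) of the request-id range; assumption: request values are decimal."""
    return (int(cfg["dbs.beginRequestNumber"]),
            int(cfg["dbs.endRequestNumber"]))


def check_ranges(cfg):
    """Return a list of problems with the range settings (empty list means OK)."""
    problems = []
    sb, se = serial_range(cfg)
    rb, re_ = request_range(cfg)
    increment = int(cfg["dbs.serialIncrement"], 16)       # assumed hex
    low_water = int(cfg["dbs.serialLowWaterMark"], 16)    # assumed hex
    if sb >= se:
        problems.append("serial range is empty or inverted")
    if rb >= re_:
        problems.append("request range is empty or inverted")
    if low_water >= increment:
        problems.append("serialLowWaterMark is not below serialIncrement")
    if se - sb + 1 < increment:
        problems.append("configured serial range is smaller than serialIncrement")
    return problems


class SerialCounter:
    """Hypothetical in-memory next-serial counter of one CA instance."""

    def __init__(self, begin, end, start=None):
        self.begin, self.end = begin, end
        self.next = begin if start is None else start

    def issue(self, issued):
        """Hand out the next serial, refusing one already present in `issued`."""
        serial = self.next
        if serial > self.end:
            raise RuntimeError("serial range exhausted")
        if serial in issued:
            raise ValueError(f"serial {serial:x} already issued")
        issued.add(serial)
        self.next = serial + 1
        return serial


def reproduce_restart_collision(cfg, before_restart=3):
    """Issue a few certs, 'restart' with the counter reset to beginSerialNumber,
    and return the collision message (None if no collision occurred)."""
    begin, end = serial_range(cfg)
    issued = set()            # stands in for the shared certificateRepository
    ca = SerialCounter(begin, end)
    for _ in range(before_restart):
        ca.issue(issued)
    ca = SerialCounter(begin, end)      # reset to beginSerialNumber, as reported
    try:
        ca.issue(issued)
    except ValueError as exc:
        return str(exc)
    return None


def resume_after_restart(cfg, before_restart=3):
    """Expected behaviour: resume from the highest serial already in the repository."""
    begin, end = serial_range(cfg)
    issued = set()
    ca = SerialCounter(begin, end)
    for _ in range(before_restart):
        ca.issue(issued)
    ca = SerialCounter(begin, end, start=max(issued) + 1)
    return ca.issue(issued)


if __name__ == "__main__":
    cfg = parse_cfg(CS_CFG_FRAGMENT)
    print("problems:", check_ranges(cfg))
    print("after reset:", reproduce_restart_collision(cfg))
    print("after resume: %x" % resume_after_restart(cfg))
```

Running it shows the reported symptom in miniature: after the simulated restart the counter tries to reuse `30000000`, which the repository already holds, while resuming from the highest stored serial yields `30000003`. With a single LDAP backend and three independent counters the same collision can also occur between instances without any restart, which is why the maintainer's reply points to one LDAP server per instance with replication.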