Puppet Version: 6.x
Puppet Server Version: 6.x
OS Name/Version: EL 7
Puppetserver cli 1.3.1 will convert the serial file from a hex number to an integer when running puppetserver ca generate --certname testing --ca-client. Unfortunately, this will cause duplicate serials to be used in new certificates. The issue we saw this with reverted 0x686B to 0x0678, so new certificates used already provisioned serials, some of which were revoked. Thousands more would have been reused.
This looks to be caused by converting the hex to an int here: https://github.com/puppetlabs/puppetserver-ca-cli/blob/master/lib/puppetserver/ca/local_certificate_authority.rb#L96 instead of using to_i(16), and then when it is written at https://github.com/puppetlabs/puppetserver-ca-cli/blob/master/lib/puppetserver/ca/local_certificate_authority.rb#L262 instead of using serial.to_s(16).
Running puppetserver ca generate --certname testing --ca-client should increment the serial file.
Running puppetserver ca generate --certname testing --ca-client converts the hex serial file into a decimal which can be lower than the hex value, causing it to reuse serial numbers on future certificate generation.
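The parsing difference described above, as an added Ruby illustration that is not code from puppetserver-ca-cli: it runs the report's 686B value through a decimal and a hex round trip and adds a regression guard. All helper names and the ISSUED sample are hypothetical, and the zero-padded uppercase hex file format is an assumption.

```ruby
# Added illustration; helper names are hypothetical, not puppetserver-ca-cli code.
# Assumption: the serial file holds the next serial as zero-padded uppercase hex.

# Decimal read: String#to_i parses base 10 and silently stops at the first
# non-decimal character, so "686B" becomes 686.
def read_serial_decimal(text)
  text.to_i
end

# Hex-aware read: Integer() raises ArgumentError on malformed input instead
# of truncating it.
def read_serial_hex(text)
  Integer(text.strip, 16)
end

# Round trip with the defect: decimal read, decimal write.
def bump_buggy(text)
  (read_serial_decimal(text) + 1).to_s
end

# Round trip that stays in hex on both the read and the write side.
def bump_fixed(text)
  format('%04X', read_serial_hex(text) + 1)
end

# Guard to run before issuing: true when the file would hand out a serial
# that is not above every serial the CA has already issued.
def serial_regressed?(file_text, issued_serials)
  read_serial_hex(file_text) <= (issued_serials.max || 0)
end

# Constructed sample of already-issued serials (not data from the report).
ISSUED = [0x6869, 0x686A].freeze

before = '686B'
puts "hex read:     #{read_serial_hex(before)}"
puts "decimal read: #{read_serial_decimal(before)}"
puts "buggy file:   #{bump_buggy(before)} regressed=#{serial_regressed?(bump_buggy(before), ISSUED)}"
puts "fixed file:   #{bump_fixed(before)} regressed=#{serial_regressed?(bump_fixed(before), ISSUED)}"
```

A check like serial_regressed? can be run against the CA's record of issued certificates after any tool has touched the serial file, before further certificates are generated.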