[Freeipa-devel] [PATCH] 843 reduce dogtag install time

Wed Aug 3 07:02:40 UTC 2011

On Mon, 2011-08-01 at 23:03 -0400, Adam Young wrote:
> On 08/01/2011 10:26 PM, Adam Young wrote: 
> > On 08/01/2011 03:19 PM, Rob Crittenden wrote: 
> > > Ade Lee from the dogtag team looked at our installer and found
> > > that we restarted the pki-cad process too many times. Re-arranging
> > > some code allows us to restart it just once. The new config time
> > > for dogtag is 3 1/2 minutes, down from about 5 1/2. 
> > > 
> > > Ade is working on improvements in pki-silent as well which can
> > > bring the overall install time to 90 seconds. If we can get a
> > > change in SELinux policy we're looking at 60 seconds. 
> > > 
> > > This patch just contains the reworked installer part. Once an
> > > updated dogtag is released we can update the spec file to pull it
> > > in. 
> > > 
> > > rob 
> > > 
> > > _______________________________________________
> > > Freeipa-devel mailing list
> > > Freeipa-devel at redhat.com
> > > https://www.redhat.com/mailman/listinfo/freeipa-devel
> > 
> 
> Disregard:  same thing seems to be happening without this patch.
> 
> > 
> > Something is wrong.  When I installed this patch, the browser works
> > fine in a clean mode (never before initiailzied).  Howevr, if the
> > browser already has a certificate from the server, in the past I was
> > able to go into  Edit->preferences->advanced->Certificates, and
> > remove both the server and the CA certificate, and then restart the
> > browser.  That does not work now.  I just get the message
> > 
> > Secure Connection Failed
> >         An error occurred during a connection to
> > server15.ayoung.boston.devel.redhat.com.
> > 
> > You have received an invalid certificate.  Please contact the server
> > administrator or email correspondent and give them the following
> > information:
> > 
> > Your certificate contains the same serial number as another
> > certificate issued by the certificate authority.  Please get a new
> > certificate containing a unique serial number.
> > 
> > (Error code: sec_error_reused_issuer_and_serial)  
> > 
> >   The page you are trying to view can not be shown because the
> > authenticity of the received data could not be verified.
> >   Please contact the web site owners to inform them of this problem.
> > Alternatively, use the command found in the help menu to report this
> > broken site.
> > 
> > 
> > Restarting IPA made no difference.  The browser does not provide a
> > lot of info in which to debug this.
> > 
> > 
> > I'll try again with out the patch and see if there is a difference.
> > 

In Firefox 5 I also have to clear browser cache along with removing
certificates to get rid of 'sec_error_reused_issuer_and_serial'.

Petr