[Freeipa-devel] [PATCH] 843 reduce dogtag install time

Adam Young ayoung at redhat.com
Wed Aug 3 13:46:23 UTC 2011


On 08/03/2011 03:28 AM, Kashyap Chamarthy wrote:
> On 08/03/2011 12:32 PM, Petr Vobornik wrote:
>> On Mon, 2011-08-01 at 23:03 -0400, Adam Young wrote:
>>> On 08/01/2011 10:26 PM, Adam Young wrote:
>>>> On 08/01/2011 03:19 PM, Rob Crittenden wrote:
>>>>> Ade Lee from the dogtag team looked at our installer and found
>>>>> that we restarted the pki-cad process too many times. Re-arranging
>>>>> some code allows us to restart it just once. The new config time
>>>>> for dogtag is 3 1/2 minutes, down from about 5 1/2.
>>>>>
>>>>> Ade is working on improvements in pki-silent as well which can
>>>>> bring the overall install time to 90 seconds. If we can get a
>>>>> change in SELinux policy we're looking at 60 seconds.
>>>>>
>>>>> This patch just contains the reworked installer part. Once an
>>>>> updated dogtag is released we can update the spec file to pull it
>>>>> in.
>>>>>
>>>>> rob
>>>>>
>>>>> _______________________________________________
>>>>> Freeipa-devel mailing list
>>>>> Freeipa-devel at redhat.com
>>>>> https://www.redhat.com/mailman/listinfo/freeipa-devel
>>>>
>>>
>>> Disregard:  same thing seems to be happening without this patch.
>>>
>>>>
>>>> Something is wrong.  When I installed this patch, the browser works
>>>> fine in a clean mode (never before initialized).  However, if the
>>>> browser already has a certificate from the server, in the past I was
>>>> able to go into  Edit->preferences->advanced->Certificates, and
>>>> remove both the server and the CA certificate, and then restart the
>>>> browser.  That does not work now.  I just get the message
>>>>
>>>> Secure Connection Failed
>>>>          An error occurred during a connection to
>>>> server15.ayoung.boston.devel.redhat.com.
>>>>
>>>> You have received an invalid certificate.  Please contact the server
>>>> administrator or email correspondent and give them the following
>>>> information:
>>>>
>>>> Your certificate contains the same serial number as another
>>>> certificate issued by the certificate authority.  Please get a new
>>>> certificate containing a unique serial number.
>>>>
>>>> (Error code: sec_error_reused_issuer_and_serial)
>>>>
>>>>    The page you are trying to view can not be shown because the
>>>> authenticity of the received data could not be verified.
>>>>    Please contact the web site owners to inform them of this problem.
>>>> Alternatively, use the command found in the help menu to report this
>>>> broken site.
>>>>
>>>>
>>>> Restarting IPA made no difference.  The browser does not provide a
>>>> lot of info in which to debug this.
>>>>
>>>>
>>>> I'll try again without the patch and see if there is a difference.
>>>>
>>
>> In Firefox 5 I also have to clear browser cache along with removing
>> certificates to get rid of 'sec_error_reused_issuer_and_serial'.
>
>
> Also, while testing multiple instances of dogtag, IMO, it's better to 
> have a clean FF profile (or ensure to have the security domain name be 
> unique for each CA).
>
> Delete the old profile and create a new profile.
> ---
> # firefox -ProfileManager
> ---
>
>
> Or invoke it with a certain new profile.
> ---
> # firefox -P foobar
> ---
Yep, I do that too.

I'm going to say that while this is good for certain QA tasks, developers
cannot and should not expect that end users blow away their profiles.  
We need to make sure the use cases of normal users are the best tested, 
and that means figuring out how to clean up a warped profile.  If you 
always start from clean, you avoid this pain.  So, best to mix it up, by
reusing an existing profile by default.



>>
>> Petr
>>
>>
>
>



