[Freeipa-devel] [PATCH] 843 reduce dogtag install time

Martin Kosek mkosek at redhat.com
Thu Aug 4 15:24:45 UTC 2011


On Thu, 2011-08-04 at 17:02 +0200, Jan Cholasta wrote:
> On 2.8.2011 13:49, Martin Kosek wrote:
> > On Mon, 2011-08-01 at 15:19 -0400, Rob Crittenden wrote:
> >> Ade Lee from the dogtag team looked at our installer and found that we
> >> restarted the pki-cad process too many times. Re-arranging some code
> >> allows us to restart it just once. The new config time for dogtag is 3
> >> 1/2 minutes, down from about 5 1/2.
> >>
> >> Ade is working on improvements in pki-silent as well which can bring the
> >> overall install time to 90 seconds. If we can get a change in SELinux
> >> policy we're looking at 60 seconds.
> >>
> >> This patch just contains the reworked installer part. Once an updated
> >> dogtag is released we can update the spec file to pull it in.
> >>
> >> rob
> >
> > This worked fine for standard dogtag installation + CA on a replica, but
> > it failed with external CA:
> >
> > /var/log/ipaserver-install.log:
> > ...
> > <response>
> >    <panel>admin/console/config/backupkeycertpanel.vm</panel>
> >    <res/>
> >    <pwdagain/>
> >    <dobackup>checked</dobackup>
> >    <errorString>Failed to create pkcs12 file.</errorString>
> >    <size>19</size>
> >    <pwd/>
> >    <title>Export Keys and Certificates</title>
> >    <panels>
> >      <Vector>
> >        <Panel>
> > ....
> > 2011-08-02 07:45:38,276 CRITICAL failed to configure ca instance Command
> > '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname
> > vm-059.idm.lab.bos.redhat.com -cs_port 9445
> > -client_certdb_dir /tmp/tmp-GS6wzH -client_certdb_pwd 'XXXXXXXX'
> > -preop_pin BbkK9wJ7vD9UEzL4kBcO -domain_name IPA -admin_user admin
> > -admin_email root at localhost -admin_password 'XXXXXXXX' -agent_name
> > ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa
> > -agent_cert_subject "CN=ipa-ca-agent,O=IDM.LAB.BOS.REDHAT.COM"
> > -ldap_host vm-059.idm.lab.bos.redhat.com -ldap_port 7389 -bind_dn
> > "cn=Directory Manager" -bind_password 'XXXXXXXX' -base_dn o=ipaca
> > -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA
> > -save_p12 true -backup_pwd 'XXXXXXXX' -subsystem_name pki-cad
> > -token_name internal -ca_subsystem_cert_subject_name "CN=CA
> > Subsystem,O=IDM.LAB.BOS.REDHAT.COM" -ca_ocsp_cert_subject_name "CN=OCSP
> > Subsystem,O=IDM.LAB.BOS.REDHAT.COM" -ca_server_cert_subject_name
> > "CN=vm-059.idm.lab.bos.redhat.com,O=IDM.LAB.BOS.REDHAT.COM"
> > -ca_audit_signing_cert_subject_name "CN=CA
> > Audit,O=IDM.LAB.BOS.REDHAT.COM" -ca_sign_cert_subject_name
> > "CN=Certificate Authority,O=IDM.LAB.BOS.REDHAT.COM" -external true
> > -ext_ca_cert_file /home/mkosek/cadb_f15/external-ca.crt
> > -ext_ca_cert_chain_file /home/mkosek/cadb_f15/ipa.crt -clone false'
> > returned non-zero exit status 255
> > 2011-08-02 07:45:38,302 DEBUG Configuration of CA failed
> > ...
> >
> 
> Works for me.
> 
> It's just a guess, but didn't you happen to swap --external_cert_file 
> and --external_ca_file?
> 
> Honza
> 

That's a good bet. I managed to find CRTs used in my installation and
displayed their contents and they were indeed wrong. So the problem was
only my side.

ACK for Rob's patch then.

Martin
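The mix-up suspected above (the two external-CA files passed in swapped order) as an added example, not code from the thread or from FreeIPA: a shell check that verifies the certificate given as --external_cert_file was actually issued by the first certificate in --external_ca_file, and flags the swapped case before pkisilent is run. It assumes the openssl command-line tool is installed; the file names are placeholders.

```sh
#!/bin/sh
# Added example (not from the thread or from FreeIPA): sanity-check the two
# PEM files handed to ipa-server-install --external_cert_file (the IPA CA
# certificate issued by the external CA) and --external_ca_file (the external
# CA's certificate chain).  Requires the openssl command-line tool; file names
# are placeholders.

# Print the subject or issuer ($1 is "subject" or "issuer") of the first
# certificate in file $2 as an RFC 2253 DN, without the "subject=" prefix.
# Returns non-zero if openssl cannot parse the file.
cert_dn() {
    dn=$(openssl x509 -noout "-$1" -nameopt RFC2253 -in "$2") || return 1
    printf '%s\n' "$dn" | sed 's/^[a-z]*= *//'
}

# $1: file for --external_cert_file, $2: file for --external_ca_file.
# Returns 0 when $1 is issued by the first certificate in $2, 1 when the two
# files look swapped or unrelated, 2 when a file cannot be parsed.
check_external_ca_args() {
    cert_subject=$(cert_dn subject "$1") || return 2
    cert_issuer=$(cert_dn issuer "$1") || return 2
    ca_subject=$(cert_dn subject "$2") || return 2
    ca_issuer=$(cert_dn issuer "$2") || return 2

    # The "cert" file is self-signed and the "ca" file was issued by it:
    # exactly what happens when the two options are swapped.
    if [ "$cert_issuer" = "$cert_subject" ] && [ "$ca_issuer" = "$cert_subject" ]; then
        echo "swapped: '$1' is self-signed and issued '$2'" >&2
        return 1
    fi
    if [ "$cert_issuer" != "$ca_subject" ]; then
        echo "'$1' (issuer $cert_issuer) was not issued by '$2' ($ca_subject)" >&2
        return 1
    fi
    echo "ok: '$1' is issued by '$2' ($ca_subject)"
    return 0
}
```

Run it as `check_external_ca_args ipa.crt external-ca.crt` with the same files you intend to pass to ipa-server-install; a non-zero exit means the pkisilent step would fail or use the wrong chain.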
