[Freeipa-devel] [PATCH] 843 reduce dogtag install time

Rob Crittenden rcritten at redhat.com
Thu Aug 4 15:36:33 UTC 2011


Jan Cholasta wrote:
> On 4.8.2011 17:24, Martin Kosek wrote:
>> On Thu, 2011-08-04 at 17:02 +0200, Jan Cholasta wrote:
>>> On 2.8.2011 13:49, Martin Kosek wrote:
>>>> On Mon, 2011-08-01 at 15:19 -0400, Rob Crittenden wrote:
>>>>> Ade Lee from the dogtag team looked at our installer and found that we
>>>>> restarted the pki-cad process too many times. Re-arranging some code
>>>>> allows us to restart it just once. The new config time for dogtag is 3
>>>>> 1/2 minutes, down from about 5 1/2.
>>>>>
>>>>> Ade is working on improvements in pki-silent as well which can bring
>>>>> the overall install time to 90 seconds. If we can get a change in
>>>>> SELinux policy we're looking at 60 seconds.
>>>>>
>>>>> This patch just contains the reworked installer part. Once an updated
>>>>> dogtag is released we can update the spec file to pull it in.
>>>>>
>>>>> rob
>>>>
>>>> This worked fine for standard dogtag installation + CA on a replica,
>>>> but it failed with external CA:
>>>>
>>>> /var/log/ipaserver-install.log:
>>>> ...
>>>> <response>
>>>> <panel>admin/console/config/backupkeycertpanel.vm</panel>
>>>> <res/>
>>>> <pwdagain/>
>>>> <dobackup>checked</dobackup>
>>>> <errorString>Failed to create pkcs12 file.</errorString>
>>>> <size>19</size>
>>>> <pwd/>
>>>> <title>Export Keys and Certificates</title>
>>>> <panels>
>>>> <Vector>
>>>> <Panel>
>>>> ....
>>>> 2011-08-02 07:45:38,276 CRITICAL failed to configure ca instance
>>>> Command
>>>> '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname
>>>> vm-059.idm.lab.bos.redhat.com -cs_port 9445
>>>> -client_certdb_dir /tmp/tmp-GS6wzH -client_certdb_pwd 'XXXXXXXX'
>>>> -preop_pin BbkK9wJ7vD9UEzL4kBcO -domain_name IPA -admin_user admin
>>>> -admin_email root at localhost -admin_password 'XXXXXXXX' -agent_name
>>>> ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa
>>>> -agent_cert_subject "CN=ipa-ca-agent,O=IDM.LAB.BOS.REDHAT.COM"
>>>> -ldap_host vm-059.idm.lab.bos.redhat.com -ldap_port 7389 -bind_dn
>>>> "cn=Directory Manager" -bind_password 'XXXXXXXX' -base_dn o=ipaca
>>>> -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm
>>>> SHA256withRSA
>>>> -save_p12 true -backup_pwd 'XXXXXXXX' -subsystem_name pki-cad
>>>> -token_name internal -ca_subsystem_cert_subject_name "CN=CA
>>>> Subsystem,O=IDM.LAB.BOS.REDHAT.COM" -ca_ocsp_cert_subject_name "CN=OCSP
>>>> Subsystem,O=IDM.LAB.BOS.REDHAT.COM" -ca_server_cert_subject_name
>>>> "CN=vm-059.idm.lab.bos.redhat.com,O=IDM.LAB.BOS.REDHAT.COM"
>>>> -ca_audit_signing_cert_subject_name "CN=CA
>>>> Audit,O=IDM.LAB.BOS.REDHAT.COM" -ca_sign_cert_subject_name
>>>> "CN=Certificate Authority,O=IDM.LAB.BOS.REDHAT.COM" -external true
>>>> -ext_ca_cert_file /home/mkosek/cadb_f15/external-ca.crt
>>>> -ext_ca_cert_chain_file /home/mkosek/cadb_f15/ipa.crt -clone false'
>>>> returned non-zero exit status 255
>>>> 2011-08-02 07:45:38,302 DEBUG Configuration of CA failed
>>>> ...
>>>>
>>>
>>> Works for me.
>>>
>>> It's just a guess, but didn't you happen to swap --external_cert_file
>>> and --external_ca_file?
>>>
>>> Honza
>>>
>>
>> That's a good bet. I managed to find the CRTs used in my installation and
>> displayed their contents, and they were indeed wrong. So the problem was
>> only on my side.
>>
>> ACK for Rob's patch then.
>>
>> Martin
>>
>
> It would be nice to add some sanity checks (verify that
> --external_cert_file's subject name is correct and that its issuer name
> matches --external_ca_file's subject name) to prevent this kind of
> problem in the future.
>
> Honza
>

https://fedorahosted.org/freeipa/ticket/1572
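Honza's suggested sanity check, as an added example that is not part of this thread or of FreeIPA: it pulls the issuer and subject Names out of the DER tbsCertificate and reports what would have caught swapped --external_cert_file/--external_ca_file arguments. It assumes well-formed DER, compares Names byte for byte (stricter than RFC 5280 matching), and the certificates it checks are constructed, unsigned skeletons rather than real ones.

```python
# Added example, not FreeIPA code: the check suggested above, on raw DER, no X.509 library.
OID_CN = b"\x06\x03\x55\x04\x03"  # id-at-commonName

def _der(tag, content):
    assert len(content) < 128  # short length form is enough for the toy certs built here
    return bytes([tag, len(content)]) + content

def _tlv(buf, pos=0):
    """Return (tag, value, end) of the DER element at pos; handles long lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        size = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + size], "big"), pos + size
    return tag, buf[pos:pos + length], pos + length

def _children(value):
    """(tag, full_element_bytes) pairs of a constructed DER value."""
    out, pos = [], 0
    while pos < len(value):
        tag, _, end = _tlv(value, pos)
        out, pos = out + [(tag, value[pos:end])], end
    return out

def tbs_names(cert_der):
    """Return (issuer, subject) as full DER Names from tbsCertificate."""
    _, tbs_body, _ = _tlv(_children(_tlv(cert_der)[1])[0][1])
    fields = _children(tbs_body)
    if fields[0][0] == 0xA0:  # skip optional EXPLICIT [0] version
        fields = fields[1:]
    return fields[2][1], fields[4][1]  # serial, sigAlg, issuer, validity, subject, ...

def check_external_ca(cert_der, ca_der, expected_subject):
    """Problems a swapped --external_cert_file/--external_ca_file would produce."""
    issuer, subject = tbs_names(cert_der)
    checks = [(subject == expected_subject, "subject is not the expected IPA CA subject"),
              (issuer == tbs_names(ca_der)[1], "issuer does not match external_ca_file subject")]
    return [msg for ok, msg in checks if not ok]

def name(cn):
    """DER Name with one CN RDN: SEQUENCE { SET { SEQUENCE { OID, PrintableString } } }."""
    return _der(0x30, _der(0x31, _der(0x30, OID_CN + _der(0x13, cn.encode()))))

def toy_cert(subject, issuer):
    """Constructed, unsigned Certificate skeleton; only the tbs field order matters."""
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"")
           + issuer + _der(0x30, _der(0x17, b"110804000000Z") * 2) + subject + _der(0x30, b""))
    return _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))

IPA_CA, EXT_CA = name("Certificate Authority"), name("External Root CA")  # constructed names
ipa_cert, ext_cert = toy_cert(IPA_CA, EXT_CA), toy_cert(EXT_CA, EXT_CA)  # issued / self-signed
```

Running the check on a real pair means reading both files as DER (or PEM-decoding first) and passing the expected IPA CA subject as DER bytes; the tbs field order the walker relies on is the one fixed by RFC 5280.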
