[Freeipa-devel] [PATCH] 843 reduce dogtag install time

Rob Crittenden rcritten at redhat.com
Thu Aug 4 15:38:34 UTC 2011


Martin Kosek wrote:
> On Thu, 2011-08-04 at 17:02 +0200, Jan Cholasta wrote:
>> On 2.8.2011 13:49, Martin Kosek wrote:
>>> On Mon, 2011-08-01 at 15:19 -0400, Rob Crittenden wrote:
>>>> Ade Lee from the dogtag team looked at our installer and found that we
>>>> restarted the pki-cad process too many times. Re-arranging some code
>>>> allows us to restart it just once. The new config time for dogtag is 3
>>>> 1/2 minutes, down from about 5 1/2.
>>>>
>>>> Ade is working on improvements in pki-silent as well which can bring the
>>>> overall install time to 90 seconds. If we can get a change in SELinux
>>>> policy we're looking at 60 seconds.
>>>>
>>>> This patch just contains the reworked installer part. Once an updated
>>>> dogtag is released we can update the spec file to pull it in.
>>>>
>>>> rob
>>>
>>> This worked fine for standard dogtag installation + CA on a replica, but
>>> it failed with external CA:
>>>
>>> /var/log/ipaserver-install.log:
>>> ...
>>> <response>
>>>     <panel>admin/console/config/backupkeycertpanel.vm</panel>
>>>     <res/>
>>>     <pwdagain/>
>>>     <dobackup>checked</dobackup>
>>>     <errorString>Failed to create pkcs12 file.</errorString>
>>>     <size>19</size>
>>>     <pwd/>
>>>     <title>Export Keys and Certificates</title>
>>>     <panels>
>>>       <Vector>
>>>         <Panel>
>>> ....
>>> 2011-08-02 07:45:38,276 CRITICAL failed to configure ca instance Command
>>> '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname
>>> vm-059.idm.lab.bos.redhat.com -cs_port 9445
>>> -client_certdb_dir /tmp/tmp-GS6wzH -client_certdb_pwd 'XXXXXXXX'
>>> -preop_pin BbkK9wJ7vD9UEzL4kBcO -domain_name IPA -admin_user admin
>>> -admin_email root at localhost -admin_password 'XXXXXXXX' -agent_name
>>> ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa
>>> -agent_cert_subject "CN=ipa-ca-agent,O=IDM.LAB.BOS.REDHAT.COM"
>>> -ldap_host vm-059.idm.lab.bos.redhat.com -ldap_port 7389 -bind_dn
>>> "cn=Directory Manager" -bind_password 'XXXXXXXX' -base_dn o=ipaca
>>> -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA
>>> -save_p12 true -backup_pwd 'XXXXXXXX' -subsystem_name pki-cad
>>> -token_name internal -ca_subsystem_cert_subject_name "CN=CA
>>> Subsystem,O=IDM.LAB.BOS.REDHAT.COM" -ca_ocsp_cert_subject_name "CN=OCSP
>>> Subsystem,O=IDM.LAB.BOS.REDHAT.COM" -ca_server_cert_subject_name
>>> "CN=vm-059.idm.lab.bos.redhat.com,O=IDM.LAB.BOS.REDHAT.COM"
>>> -ca_audit_signing_cert_subject_name "CN=CA
>>> Audit,O=IDM.LAB.BOS.REDHAT.COM" -ca_sign_cert_subject_name
>>> "CN=Certificate Authority,O=IDM.LAB.BOS.REDHAT.COM" -external true
>>> -ext_ca_cert_file /home/mkosek/cadb_f15/external-ca.crt
>>> -ext_ca_cert_chain_file /home/mkosek/cadb_f15/ipa.crt -clone false'
>>> returned non-zero exit status 255
>>> 2011-08-02 07:45:38,302 DEBUG Configuration of CA failed
>>> ...
>>>
>>
>> Works for me.
>>
>> It's just a guess, but didn't you happen to swap --external_cert_file
>> and --external_ca_file?
>>
>> Honza
>>
>
> That's a good bet. I managed to find the CRTs used in my installation and
> displayed their contents, and they were indeed wrong. So the problem was
> only on my side.
>
> ACK for Rob's patch then.
>
> Martin
>

Pushed to master and ipa-2-0