[Freeipa-devel] [PATCH] 843 reduce dogtag install time

Adam Young ayoung at redhat.com
Wed Aug 3 13:43:34 UTC 2011


On 08/03/2011 03:02 AM, Petr Vobornik wrote:
> On Mon, 2011-08-01 at 23:03 -0400, Adam Young wrote:
>> On 08/01/2011 10:26 PM, Adam Young wrote:
>>> On 08/01/2011 03:19 PM, Rob Crittenden wrote:
>>>> Ade Lee from the dogtag team looked at our installer and found
>>>> that we restarted the pki-cad process too many times. Re-arranging
>>>> some code allows us to restart it just once. The new config time
>>>> for dogtag is 3 1/2 minutes, down from about 5 1/2.
>>>>
>>>> Ade is working on improvements in pki-silent as well which can
>>>> bring the overall install time to 90 seconds. If we can get a
>>>> change in SELinux policy we're looking at 60 seconds.
>>>>
>>>> This patch just contains the reworked installer part. Once an
>>>> updated dogtag is released we can update the spec file to pull it
>>>> in.
>>>>
>>>> rob
>>>>
>>>> _______________________________________________
>>>> Freeipa-devel mailing list
>>>> Freeipa-devel at redhat.com
>>>> https://www.redhat.com/mailman/listinfo/freeipa-devel
>> Disregard:  same thing seems to be happening without this patch.
>>
>>> Something is wrong.  When I installed this patch, the browser works
>>> fine in a clean mode (never before initialized).  However, if the
>>> browser already has a certificate from the server, in the past I was
>>> able to go into  Edit->preferences->advanced->Certificates, and
>>> remove both the server and the CA certificate, and then restart the
>>> browser.  That does not work now.  I just get the message
>>>
>>> Secure Connection Failed
>>>          An error occurred during a connection to
>>> server15.ayoung.boston.devel.redhat.com.
>>>
>>> You have received an invalid certificate.  Please contact the server
>>> administrator or email correspondent and give them the following
>>> information:
>>>
>>> Your certificate contains the same serial number as another
>>> certificate issued by the certificate authority.  Please get a new
>>> certificate containing a unique serial number.
>>>
>>> (Error code: sec_error_reused_issuer_and_serial)
>>>
>>>    The page you are trying to view can not be shown because the
>>> authenticity of the received data could not be verified.
>>>    Please contact the web site owners to inform them of this problem.
>>> Alternatively, use the command found in the help menu to report this
>>> broken site.
>>>
>>>
>>> Restarting IPA made no difference.  The browser does not provide a
>>> lot of info in which to debug this.
>>>
>>>
>>> I'll try again without the patch and see if there is a difference.
>>>
> In Firefox 5 I also have to clear browser cache along with removing
> certificates to get rid of 'sec_error_reused_issuer_and_serial'.

Thanks.  I've learned that now, too.  I am hoping I can do something
more targeted, like just removing the entries for my server, but I
haven't tried it yet.
> Petr