On 4.8.2011 17:24, Martin Kosek wrote:
On Thu, 2011-08-04 at 17:02 +0200, Jan Cholasta wrote:
On 2.8.2011 13:49, Martin Kosek wrote:
On Mon, 2011-08-01 at 15:19 -0400, Rob Crittenden wrote:
Ade Lee from the dogtag team looked at our installer and found that we
restarted the pki-cad process too many times. Re-arranging some code
allows us to restart it just once. The new config time for dogtag is 3
1/2 minutes, down from about 5 1/2.

Ade is working on improvements in pki-silent as well which can bring the
overall install time to 90 seconds. If we can get a change in SELinux
policy we're looking at 60 seconds.

This patch just contains the reworked installer part. Once an updated
dogtag is released we can update the spec file to pull it in.

rob

This worked fine for standard dogtag installation + CA on a replica, but
it failed with external CA:

/var/log/ipaserver-install.log:
...
<response>
    <panel>admin/console/config/backupkeycertpanel.vm</panel>
    <res/>
    <pwdagain/>
    <dobackup>checked</dobackup>
    <errorString>Failed to create pkcs12 file.</errorString>
    <size>19</size>
    <pwd/>
    <title>Export Keys and Certificates</title>
    <panels>
      <Vector>
        <Panel>
....
2011-08-02 07:45:38,276 CRITICAL failed to configure ca instance Command
'/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname
vm-059.idm.lab.bos.redhat.com -cs_port 9445
-client_certdb_dir /tmp/tmp-GS6wzH -client_certdb_pwd 'XXXXXXXX'
-preop_pin BbkK9wJ7vD9UEzL4kBcO -domain_name IPA -admin_user admin
-admin_email root@localhost -admin_password 'XXXXXXXX' -agent_name
ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa
-agent_cert_subject "CN=ipa-ca-agent,O=IDM.LAB.BOS.REDHAT.COM"
-ldap_host vm-059.idm.lab.bos.redhat.com -ldap_port 7389 -bind_dn
"cn=Directory Manager" -bind_password 'XXXXXXXX' -base_dn o=ipaca
-db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA
-save_p12 true -backup_pwd 'XXXXXXXX' -subsystem_name pki-cad
-token_name internal -ca_subsystem_cert_subject_name "CN=CA
Subsystem,O=IDM.LAB.BOS.REDHAT.COM" -ca_ocsp_cert_subject_name "CN=OCSP
Subsystem,O=IDM.LAB.BOS.REDHAT.COM" -ca_server_cert_subject_name
"CN=vm-059.idm.lab.bos.redhat.com,O=IDM.LAB.BOS.REDHAT.COM"
-ca_audit_signing_cert_subject_name "CN=CA
Audit,O=IDM.LAB.BOS.REDHAT.COM" -ca_sign_cert_subject_name
"CN=Certificate Authority,O=IDM.LAB.BOS.REDHAT.COM" -external true
-ext_ca_cert_file /home/mkosek/cadb_f15/external-ca.crt
-ext_ca_cert_chain_file /home/mkosek/cadb_f15/ipa.crt -clone false'
returned non-zero exit status 255
2011-08-02 07:45:38,302 DEBUG Configuration of CA failed
...


Works for me.

It's just a guess, but didn't you happen to swap --external_cert_file
and --external_ca_file?

Honza


That's a good bet. I managed to find CRTs used in my installation and
displayed their contents and they were indeed wrong. So the problem was
only my side.

ACK for Rob's patch then.

Martin


It would be nice to add some sanity checks (verify that --external_cert_file's subject name is correct and that its issuer name matches --external_ca_file's subject name) to prevent this kind of problem in the future.

Honza

--
Jan Cholasta

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Reply via email to