[Pki-users] getting NEED_TO_NOTIFY_ISSUED_SAVE_FAILED with dogtag-submit

Nalin Dahyabhai nalin at redhat.com
Fri Apr 10 13:29:17 UTC 2015


On Fri, Apr 10, 2015 at 07:44:16AM -0500, Steve Neuharth wrote:
> sure... let me get you a trace. Are there any specific flags I should set
> in strace?

Under strace, I'd tend to use -s256 or larger to try to see more of the
messages that are going over the bus or the network (larger values if
messages are still getting truncated), and if there's a core dump, the
backtrace from that, preferably with the certmonger-debuginfo package
installed so that gdb can provide more details about where the crash is
happening.

> Also... when I request a cert using caServerCert and approve it in DogTag,
> the certmonger request sits in CA_WORKING status for a while. How long can
> I expect it to stay that way?

If the server or helper can advise how long the daemon should wait
before it polls again, it'll prepend the amount of time to wait, in
seconds, to the output (when using agent creds, the helper advises 0,
for no waiting period) and the exit status will be 5.  If it doesn't
have a value to advise (when it doesn't have agent creds), it'll skip
outputting that and will indicate that by using exit status 1.  In both
cases, if there's a state value that the helper will need to be passed
the next time it's called, it then outputs that.

Getting a certificate from dogtag is a multi-step process, and the
helper uses this to have the certmonger daemon run each step separately,
which is intended to make it easier to resume or retry at each
individual step if we hit a connectivity problem or the system gets
rebooted.

> I've always been impatient and done a *getcert refresh* on the request to
> force a download but is there a configurable poll interval or anything? I
> didn't see anything obvious in the docs.

Absent any good idea of how quickly or slowly we can expect a manual
approval to happen, the default guess is half of the remaining validity
time if we already have a certificate, or a week, whichever is less,
with a minimum of five minutes.  That's not currently configurable, but
the boundaries and the defaults could be made configurable if need be.

HTH,

Nalin
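
The waiting protocol and fallback poll interval described in the message above, as an added Python sketch (not certmonger's or the dogtag-submit helper's own code). It assumes the advised delay sits on its own first line of the helper output; the names PollPlan, default_delay and plan_next_poll and the sample state values are made up for illustration.

```python
from dataclasses import dataclass
from typing import Optional

WEEK = 7 * 24 * 3600
FIVE_MINUTES = 5 * 60
EXIT_WAIT = 1             # still waiting, helper advises no delay
EXIT_WAIT_WITH_DELAY = 5  # still waiting, delay in seconds precedes the state value


@dataclass
class PollPlan:
    delay: int   # seconds until the helper should be run again
    cookie: str  # state value to pass back to the helper on the next run


def default_delay(remaining_validity: Optional[int]) -> int:
    """Half the remaining validity if a certificate is already held,
    or a week, whichever is less, and never under five minutes."""
    guess = WEEK
    if remaining_validity is not None:
        guess = min(guess, remaining_validity // 2)
    return max(guess, FIVE_MINUTES)


def plan_next_poll(exit_status: int, output: str,
                   remaining_validity: Optional[int] = None) -> PollPlan:
    """Turn a helper's exit status and output into the next poll."""
    if exit_status == EXIT_WAIT_WITH_DELAY:
        # Assumption: the delay is the first line, the state value follows.
        first, _, rest = output.partition("\n")
        try:
            delay = int(first.strip())
        except ValueError:
            raise ValueError(f"status 5 without a leading delay: {first!r}")
        if delay < 0:
            raise ValueError(f"negative delay advised: {delay}")
        return PollPlan(delay, rest.strip())
    if exit_status == EXIT_WAIT:
        return PollPlan(default_delay(remaining_validity), output.strip())
    raise ValueError(f"not a 'still waiting' status: {exit_status}")


if __name__ == "__main__":
    # Constructed helper results, not captured from a real dogtag-submit run.
    print(plan_next_poll(5, "0\nstate=example-1\n"))       # agent creds: poll at once
    print(plan_next_poll(1, "state=example-2\n", 3600))    # no advice: fall back to default
```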



