[Pki-users] getting NEED_TO_NOTIFY_ISSUED_SAVE_FAILED with dogtag-submit
Steve (st33v) Neuharth
steve.neuharth at gmail.com
Sat Apr 11 02:19:53 UTC 2015
> On Apr 10, 2015, at 8:29 AM, Nalin Dahyabhai <nalin at redhat.com> wrote:
>
>> Also... when I request a cert using caServerCert and approve it in DogTag,
>> the certmonger request sits in CA_WORKING status for a while. How long can
>> I expect it to stay that way?
>
> If the server or helper can advise how long the daemon should wait
> before it polls again, it'll prepend the amount of time to wait, in
> seconds, to the output (when using agent creds, the helper advises 0,
> for no waiting period) and the exit status will be 5. If it doesn't
> have a value to advise (when it doesn't have agent creds), it'll skip
> outputting that and will indicate that by using exit status 1. In both
> cases, if there's a state value that the helper will need to be passed
> the next time it's called, it then outputs that.
>
> Getting a certificate from dogtag is a multi-step process, and the
> helper uses this to have the certmonger daemon run each step separately,
> which is intended to make it easier to resume or retry at each
> individual step if we hit a connectivity problem or the system gets
> rebooted.
>
>> I've always been impatient and done a *getcert refresh* on the request to
>> force a download but is there a configurable poll interval or anything? I
>> didn't see anything obvious in the docs.
>
> Absent any good idea of how quickly or slowly we can expect a manual
> approval to happen, the default guess is half of the remaining validity
> time if we already have a certificate, or a week, whichever is less,
> with a minimum of five minutes. That's not currently configurable, but
> the boundaries and the defaults could be made configurable if need be.
>
> HTH,
>
> Nalin
Thanks for the explanation. This definitely helps me understand the expected cert request workflow when using certmonger.
I was expecting certmonger to poll more actively for certs that it hadn’t yet received but I suppose I can just use `getcert refresh` to force the download when I need to.
Have a great weekend!
—steve
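
Added example (not part of the original messages and not certmonger's own code): a small Python model of the polling rules described in the quoted reply, covering exit status 5 (advised delay, then state), exit status 1 (state only) and the default guess. The function names, the sample state string and the assumption that the delay and the state value are separated by a newline are illustrative.

```python
from datetime import datetime, timedelta, timezone

WEEK = timedelta(days=7)      # upper bound on the default guess
FLOOR = timedelta(minutes=5)  # lower bound on the default guess


def default_poll_delay(now, not_after=None):
    """Default wait when the helper advises nothing.

    Half of the remaining validity if a certificate is already held,
    or a week, whichever is less, with a minimum of five minutes.
    """
    if not_after is None:
        guess = WEEK                       # no certificate yet
    else:
        guess = min((not_after - now) / 2, WEEK)
    return max(guess, FLOOR)               # also covers an expired cert


def next_poll(exit_status, output, now, not_after=None):
    """Return (delay, state) for the two "still waiting" exit statuses."""
    if exit_status == 5:
        # Helper advised a delay: seconds first, then the state value.
        # Assumption: the two are separated by a newline.
        first, _, state = output.partition("\n")
        return timedelta(seconds=int(first.strip())), state.strip()
    if exit_status == 1:
        # No advice from the helper: fall back to the default guess.
        return default_poll_delay(now, not_after), output.strip()
    raise ValueError(f"exit status {exit_status} is not a wait status")


if __name__ == "__main__":
    now = datetime(2015, 4, 10, tzinfo=timezone.utc)  # constructed sample
    expiring = now + timedelta(days=4)
    # With agent creds the helper advises 0 seconds: poll again at once.
    print(next_poll(5, "0\nsample-state\n", now))
    # Without agent creds: half of the 4 remaining days, i.e. 2 days.
    print(next_poll(1, "sample-state\n", now, expiring))
    # No certificate held yet: the one-week default applies.
    print(next_poll(1, "sample-state\n", now))
```
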