[Pki-users] getting NEED_TO_NOTIFY_ISSUED_SAVE_FAILED with dogtag-submit

Steve (st33v) Neuharth steve.neuharth at gmail.com
Sat Apr 11 02:19:53 UTC 2015


> On Apr 10, 2015, at 8:29 AM, Nalin Dahyabhai <nalin at redhat.com> wrote:
> 
>> Also... when I request a cert using caServerCert and approve it in DogTag,
>> the certmonger request sits in CA_WORKING status for a while. How long can
>> I expect it to stay that way?
> 
> If the server or helper can advise how long the daemon should wait
> before it polls again, it'll prepend the amount of time to wait, in
> seconds, to the output (when using agent creds, the helper advises 0,
> for no waiting period) and the exit status will be 5.  If it doesn't
> have a value to advise (when it doesn't have agent creds), it'll skip
> outputting that and will indicate that by using exit status 1.  In both
> cases, if there's a state value that the helper will need to be passed
> the next time it's called, it then outputs that.
> 
> Getting a certificate from dogtag is a multi-step process, and the
> helper uses this to have the certmonger daemon run each step separately,
> which is intended to make it easier to resume or retry at each
> individual step if we hit a connectivity problem or the system gets
> rebooted.
> 
>> I've always been impatient and done a *getcert refresh* on the request to
>> force a download but is there a configurable poll interval or anything? I
>> didn't see anything obvious in the docs.
> 
> Absent any good idea of how quickly or slowly we can expect a manual
> approval to happen, the default guess is half of the remaining validity
> time if we already have a certificate, or a week, whichever is less,
> with a minimum of five minutes.  That's not currently configurable, but
> the boundaries and the defaults could be made configurable if need be.
> 
> HTH,
> 
> Nalin

Thanks for the explanation. This definitely helps me understand the expected cert request workflow when using certmonger.

I was expecting certmonger to poll more actively for certs that it hadn’t yet received but I suppose I can just use `getcert refresh` to force the download when I need to. 

Have a great weekend!
—steve
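
The polling rules described in the quoted reply, as an added example that is not part of the original thread and is not certmonger's own code: it interprets a helper's "still waiting" result (exit status 5 with an advised delay, exit status 1 without) and falls back to the default guess. The function names and the assumption that the delay and the state value arrive on separate lines are illustrative.

```python
from datetime import timedelta

ONE_WEEK = timedelta(weeks=1)
FIVE_MINUTES = timedelta(minutes=5)


def default_poll_delay(remaining_validity=None):
    """Default guess from the thread: half of the remaining validity if a
    certificate already exists, or a week, whichever is less, with a
    minimum of five minutes."""
    guess = ONE_WEEK
    if remaining_validity is not None:
        guess = min(guess, remaining_validity / 2)
    return max(guess, FIVE_MINUTES)


def next_poll(exit_status, output, remaining_validity=None):
    """Return (delay, state) for a helper that is still waiting on the CA.

    exit 5: the helper prepended the wait time in seconds to its output.
    exit 1: no advised wait time, so the default guess applies.
    In both cases any remaining output is the state value to hand back to
    the helper on its next run (assumed here to be on its own line).
    """
    if exit_status == 5:
        first_line, _, state = output.partition("\n")
        delay = timedelta(seconds=int(first_line.strip()))
    elif exit_status == 1:
        delay = default_poll_delay(remaining_validity)
        state = output
    else:
        raise ValueError(f"exit status {exit_status} is not a waiting result")
    return delay, (state.strip() or None)


if __name__ == "__main__":
    # Constructed sample outputs, not captured from a real dogtag-submit run.
    print(next_poll(5, "0\nstate=abc\n"))                 # agent creds: poll at once
    print(next_poll(1, "state=abc\n"))                    # no cert yet: one week
    print(next_poll(1, "state=abc\n", timedelta(days=4)))  # renewing: two days
```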