On Apr 10, 2015, at 8:29 AM, Nalin Dahyabhai <nalin(a)redhat.com>
wrote:
> Also... when I request a cert using caServerCert and approve it in DogTag,
> the certmonger request sits in CA_WORKING status for a while. How long can
> I expect it to stay that way?
If the server or helper can advise how long the daemon should wait
before it polls again, it'll prepend the amount of time to wait, in
seconds, to the output (when using agent creds, the helper advises 0,
for no waiting period) and the exit status will be 5. If it doesn't
have a value to advise (when it doesn't have agent creds), it'll skip
outputting that and will indicate that by using exit status 1. In both
cases, if there's a state value that the helper will need to be passed
the next time it's called, it then outputs that.
Getting a certificate from dogtag is a multi-step process, and the
helper uses this to have the certmonger daemon run each step separately,
which is intended to make it easier to resume or retry at each
individual step if we hit a connectivity problem or the system gets
rebooted.
> I've always been impatient and done a *getcert refresh* on the request to
> force a download but is there a configurable poll interval or anything? I
> didn't see anything obvious in the docs.
Absent any good idea of how quickly or slowly we can expect a manual
approval to happen, the default guess is half of the remaining validity
time if we already have a certificate, or a week, whichever is less,
with a minimum of five minutes. That's not currently configurable, but
the boundaries and the defaults could be made configurable if need be.
HTH,
Nalin
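To make the exchange Nalin describes concrete, here is an added example (not certmonger's own code, and not from this thread) that models the helper's two "still pending" outcomes, the daemon's parsing of them, and the fallback poll interval. It assumes the helper writes its output as newline-separated lines (delay first, then state), and reads "half the remaining validity or a week, whichever is less, minimum five minutes" as min(half, week) floored at five minutes; the function names and the "req=42" state value are invented for illustration.

```python
from typing import Optional, Tuple

# Exit statuses as described in the thread (hypothetical helper model).
WAIT_NO_DELAY = 1    # still pending, helper has no delay to advise
WAIT_WITH_DELAY = 5  # still pending, first output line is the delay in seconds

FIVE_MINUTES = 5 * 60
ONE_WEEK = 7 * 24 * 60 * 60


def helper_pending(has_agent_creds: bool, state: str) -> Tuple[int, str]:
    """Helper side: (exit_status, stdout) for a request awaiting manual approval."""
    lines = []
    if has_agent_creds:
        lines.append("0")            # agent creds: advise no waiting period
        status = WAIT_WITH_DELAY
    else:
        status = WAIT_NO_DELAY       # nothing to advise, so skip the delay line
    lines.append(state)              # state the daemon must hand back next call
    return status, "\n".join(lines) + "\n"


def daemon_parse(exit_status: int, stdout: str) -> Tuple[Optional[int], str]:
    """Daemon side: recover (advised delay in seconds or None, state cookie)."""
    lines = stdout.splitlines()
    if exit_status == WAIT_WITH_DELAY:
        return int(lines[0]), "\n".join(lines[1:])
    if exit_status == WAIT_NO_DELAY:
        return None, "\n".join(lines)
    raise ValueError("unexpected helper exit status %d" % exit_status)


def default_poll_interval(remaining_validity: Optional[int]) -> int:
    """Fallback when nothing is advised: half the current cert's remaining
    validity (a week if there is no cert), capped at a week, floored at 5 min."""
    if remaining_validity is None:
        guess = ONE_WEEK
    else:
        guess = min(remaining_validity // 2, ONE_WEEK)
    return max(guess, FIVE_MINUTES)


def next_poll(exit_status: int, stdout: str,
              remaining_validity: Optional[int]) -> Tuple[int, str]:
    """Seconds until the daemon re-runs the helper, plus the state to pass back."""
    delay, state = daemon_parse(exit_status, stdout)
    if delay is None:
        delay = default_poll_interval(remaining_validity)
    return delay, state
```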
Thanks for the explanation. This definitely helps me understand the expected cert request
workflow when using certmonger.
I was expecting certmonger to poll more actively for certs that it hadn’t yet received but
I suppose I can just use `getcert refresh` to force the download when I need to.
Have a great weekend!
—steve