[Freeipa-devel] [PATCH] 1079 address CA subsystem renewal issues

Nalin Dahyabhai nalin at redhat.com
Mon Jan 14 22:18:28 UTC 2013


On Fri, Jan 11, 2013 at 06:49:08PM -0500, Rob Crittenden wrote:
> Revised patch that takes advantage of new version of certmonger.
> certmonger-0.65 adds locking from the time renewal begins to the end
> of the post_save_command.

A note:  the lock isn't obtained until after we've obtained a
certificate from a CA, and we're ready to save it to the specified
location.

That's why attempting to renew multiple certificates at the same time
can result in transient CA-unreachable errors being encountered for some
of them: while we're attempting to obtain one certificate, we may also
be restarting the CA as part of the process of saving one that we've
already obtained.

In these cases, the daemon will try to contact the CA again later, so it
should all sort itself out in the end.

HTH,

Nalin
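The timing described in the message above, as an added toy model that is not part of the original post and is not certmonger code: the lock is taken only once a certificate is in hand, so a request still contacting the CA can collide with another request's save-time CA restart and has to retry. The state names, tick lengths and retry delay are assumptions chosen for illustration.

```python
# Toy timeline model of the behaviour described above. Not certmonger code:
# the state names, tick lengths and retry delay are assumptions for illustration.
from dataclasses import dataclass, field

FETCH_TICKS = 2   # assumed: ticks needed to obtain a certificate from the CA
SAVE_TICKS = 3    # assumed: ticks to save it and run the post-save step (CA restarting)
RETRY_DELAY = 4   # assumed: ticks to wait before contacting the CA again

@dataclass
class Request:
    name: str
    start: int                 # tick at which renewal begins
    state: str = "WAITING"     # WAITING -> FETCHING -> NEED_LOCK -> SAVING -> DONE
    timer: int = 0
    errors: list = field(default_factory=list)  # ticks where the CA was unreachable

def simulate(requests, max_ticks=200):
    """Run the model; return (finish_tick, {name: [error ticks]})."""
    lock_holder = None
    for tick in range(max_ticks):
        # The CA is restarting whenever some request was already saving at tick start.
        ca_down = any(r.state == "SAVING" for r in requests)
        for r in requests:
            if r.state in ("WAITING", "FETCHING") and tick >= r.start and ca_down:
                # No lock is held during the fetch, so nothing prevents this collision.
                r.errors.append(tick)
                r.state, r.start = "WAITING", tick + RETRY_DELAY
            elif r.state == "WAITING" and tick >= r.start:
                r.state, r.timer = "FETCHING", FETCH_TICKS
            elif r.state == "FETCHING":
                r.timer -= 1
                if r.timer == 0:
                    r.state = "NEED_LOCK"
            elif r.state == "NEED_LOCK" and lock_holder is None:
                lock_holder = r          # lock is taken only now, with the cert in hand
                r.state, r.timer = "SAVING", SAVE_TICKS
            elif r.state == "SAVING":
                r.timer -= 1
                if r.timer == 0:
                    r.state, lock_holder = "DONE", None
        if all(r.state == "DONE" for r in requests):
            return tick, {r.name: r.errors for r in requests}
    raise RuntimeError("model did not converge")
```

With request B starting while A is saving, B records one unreachable tick and completes after its retry; with both starting together, both fetches finish before any save and the lock simply serialises the two saves without errors.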



