[Freeipa-devel] [PATCHES] 295-299 Allow changing chaining of the IPA CA certificate

Nalin Dahyabhai nalin at redhat.com
Mon Jun 30 19:16:53 UTC 2014


On Fri, Jun 27, 2014 at 06:19:25PM -0400, Rob Crittenden wrote:
> How it is monitoring with a ca-error I don't know.

If there's a previously-issued certificate present, the state machine
goes back to "monitoring" rather than the dead-end "rejected" state, so
that it'll try again later when the certificate crosses the next enroll_ttl
threshold.

It's mainly a guess at the right thing to do in that situation (in case
the CA rejected the request for a transient reason that gets remedied at
the server at some point), so I'm not firmly wedded to it, and remain
open to changing it.

Now that I'm writing this, I'm thinking rejected requests should
probably be re-attempted, eventually, though it risks annoying the CA.

Cheers,

Nalin
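The rule described in the reply above (fall back to "monitoring" when a previously issued certificate exists, end in "rejected" otherwise, and retry once the certificate crosses the enroll_ttl threshold), as an added Python model that is not certmonger's code and not part of the thread. The state names and enroll_ttl come from the discussion; the retry_delay back-off, the CA stub, the error strings and the dates are constructed for the illustration.

```python
"""Toy model of the renewal state machine discussed in the thread.

Hypothetical illustration, not certmonger's code. MONITORING, REJECTED and
the enroll_ttl threshold are named after the discussion; the retry_delay
back-off, the CA stub and the dates below are constructed for this example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum, auto
from typing import Callable, List, Optional, Tuple


class State(Enum):
    MONITORING = auto()   # an issued cert is tracked; wait for the enroll_ttl threshold
    SUBMITTING = auto()   # a request is at the CA
    REJECTED = auto()     # dead end: the CA refused and there is no cert to fall back on


class CAResult(Enum):
    ISSUED = auto()
    CA_ERROR = auto()     # what "getcert list" would surface as a ca-error line


@dataclass
class CAResponse:
    result: CAResult
    not_after: Optional[datetime] = None   # set when ISSUED
    error: Optional[str] = None            # set when CA_ERROR


@dataclass
class Request:
    not_after: Optional[datetime]   # expiry of the previously issued cert, if any
    enroll_ttl: timedelta           # renew once this much lifetime remains
    retry_delay: timedelta          # constructed: back-off before asking the CA again
    state: State = State.MONITORING
    retry_after: Optional[datetime] = None
    last_error: Optional[str] = None
    attempts: int = 0


def renewal_due(req: Request, now: datetime) -> bool:
    """True once the tracked cert has crossed the enroll_ttl threshold (or there
    is no cert at all) and any back-off from an earlier CA error has elapsed."""
    if req.retry_after is not None and now < req.retry_after:
        return False
    if req.not_after is None:
        return True
    return now >= req.not_after - req.enroll_ttl


def on_ca_response(req: Request, resp: CAResponse, now: datetime) -> State:
    """Apply the CA's answer using the rule from the thread: with a previously
    issued, still-valid cert on hand an error sends the request back to
    MONITORING (keeping the ca-error text); without one it ends in REJECTED."""
    req.attempts += 1
    if resp.result is CAResult.ISSUED:
        req.not_after, req.last_error, req.retry_after = resp.not_after, None, None
        req.state = State.MONITORING
    elif req.not_after is not None and req.not_after > now:
        req.last_error = resp.error
        req.retry_after = now + req.retry_delay
        req.state = State.MONITORING
    else:
        req.last_error = resp.error
        req.state = State.REJECTED
    return req.state


def tick(req: Request, now: datetime, ca: Callable[[datetime], CAResponse]) -> State:
    """One pass of the monitor loop at time `now`; REJECTED is never left."""
    if req.state is State.MONITORING and renewal_due(req, now):
        req.state = State.SUBMITTING
        return on_ca_response(req, ca(now), now)
    return req.state


T0 = datetime(2014, 6, 30, tzinfo=timezone.utc)   # constructed reference date


def simulate_transient_error() -> List[Tuple[int, str, Optional[str]]]:
    """Cert expires in 30 days, enroll_ttl 28 days: renewal is due on day 2.
    The CA errors once, then issues on the retry a day later."""
    req = Request(not_after=T0 + timedelta(days=30), enroll_ttl=timedelta(days=28),
                  retry_delay=timedelta(days=1))
    answers = iter([CAResponse(CAResult.CA_ERROR, error="Server temporarily unavailable"),
                    CAResponse(CAResult.ISSUED, not_after=T0 + timedelta(days=395))])
    ca = lambda now: next(answers)   # constructed CA stub
    trace = []
    for day in range(6):
        state = tick(req, T0 + timedelta(days=day), ca)
        trace.append((day, state.name, req.last_error))
    return trace


def simulate_no_prior_cert() -> List[str]:
    """Initial enrollment with nothing to fall back on: a CA error is a dead end."""
    req = Request(not_after=None, enroll_ttl=timedelta(days=28), retry_delay=timedelta(days=1))
    ca = lambda now: CAResponse(CAResult.CA_ERROR, error="Request denied")
    return [tick(req, T0 + timedelta(days=d), ca).name for d in range(3)]


if __name__ == "__main__":
    for row in simulate_transient_error():
        print("day %d: %s ca-error=%r" % row)
    print(simulate_no_prior_cert())
```

In the transient-error run the request is reported as MONITORING with a ca-error attached on day 2, which is the combination Rob saw, and the error clears once the retry on day 3 succeeds; with no prior certificate the same CA error lands in REJECTED and stays there. The retry_delay is only there so a fallback to monitoring does not re-submit on the very next pass, which is the "annoying the CA" concern from the reply.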
