#47 certmonger does not automatically recover from CA_UNREACHABLE
Opened 4 years ago by cheimes. Modified 3 years ago

I'm using ipa-getcert to request new certificates for hosts. A race condition in FreeIPA causes HTTP 500 errors under some conditions. FreeIPA ticket https://fedorahosted.org/freeipa/ticket/5653 has more information on the topic.

In case of an error ipa-getcert list shows this error message:

Request ID '20160415131851':
        status: CA_UNREACHABLE
        ca-error: Server at https://master.ipa.example/ipa/xml failed request, will retry: -504 (HTTP response code is 500, not 200).

It seems like certmonger does not recovery from the error in a timely fashion. I'm restarting certmonger as workaround. A restart of certmonger.service usually triggers a successful cert request on the first attempt.

Metadata Update from @cheimes:
- Issue set to the milestone: 0.0 NEEDS_TRIAGE

3 years ago

Login to comment on this ticket.