I'm using ipa-getcert to request new certificates for hosts. A race condition in FreeIPA causes HTTP 500 errors under some conditions. FreeIPA ticket https://fedorahosted.org/freeipa/ticket/5653 has more information on the topic.
In case of an error, ipa-getcert list shows this error message:
Request ID '20160415131851':
ca-error: Server at https://master.ipa.example/ipa/xml failed request, will retry: -504 (HTTP response code is 500, not 200).
It seems like certmonger does not recover from the error in a timely fashion. I'm restarting certmonger as a workaround. A restart of certmonger.service usually triggers a successful cert request on the first attempt.
Metadata Update from @cheimes:
- Issue set to the milestone: 0.0 NEEDS_TRIAGE
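The workaround described in the report can be scripted as below. This is an added example, not part of the ticket and not code from certmonger or FreeIPA. The function names and the sample listing are constructed for illustration; only the request ID and the ca-error text come from the report.

```shell
#!/bin/sh
# Added example: find certmonger requests whose ca-error reports an
# HTTP 500 from the CA, then apply the restart workaround from the report.

# Constructed sample of `ipa-getcert list` output: one healthy request and
# the failing request quoted in the report.
sample_output() {
    cat <<'EOF'
Request ID '20160415120000':
    status: MONITORING
    stuck: no
Request ID '20160415131851':
    status: CA_UNREACHABLE
    ca-error: Server at https://master.ipa.example/ipa/xml failed request, will retry: -504 (HTTP response code is 500, not 200).
    stuck: no
EOF
}

# Read `ipa-getcert list` output on stdin and print each request ID that
# carries a ca-error line mentioning an HTTP 500 response.
failed_request_ids() {
    awk -v q="'" '
        /^Request ID / {
            # The ID is the text between the two single quotes.
            split($0, parts, q)
            id = parts[2]
            next
        }
        /^[ \t]*ca-error:/ && /HTTP response code is 500/ {
            if (id != "" && !(id in seen)) { seen[id] = 1; print id }
        }
    '
}

# Restart certmonger only when at least one request is failing this way.
# Needs root; intended to be called from a timer or cron job.
check_and_restart() {
    ids=$(ipa-getcert list | failed_request_ids)
    if [ -z "$ids" ]; then
        return 0
    fi
    echo "certmonger requests failing with HTTP 500:" $ids >&2
    systemctl restart certmonger.service
}
```

Nothing runs when the file is sourced; call `check_and_restart` explicitly, or pipe `sample_output` into `failed_request_ids` to see the parser on its own.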