On Fri, Jun 27, 2014 at 06:19:25PM -0400, Rob Crittenden wrote:
> How it is monitoring with a ca-error I don't know.

If there's a previously-issued certificate present, the state machine goes back to "monitoring" rather than the dead-end "rejected" state, so that it'll try again later when the certificate crosses the next enroll_ttl threshold. It's mainly a guess at the right thing to do in that situation (in case the CA rejected the request for a transient reason that gets remedied at the server at some point), so I'm not firmly wedded to it, and remain open to changing it. Now that I'm writing this, I'm thinking rejected requests should probably be re-attempted, eventually, though it risks annoying the CA.

Cheers,

Nalin