On Tue, Mar 20, 2012 at 04:10:19PM -0400, Jimmy wrote:
> I restarted certmonger and it seems to be working. Is there some way
> to change the renewal interval so we can simulate this in the lab? I'd
> like to see it go through a number of renewals to make sure we don't
> keep having this problem.

Attempts to re-enroll are triggered as the not-valid-after date approaches and you cross a threshold time-left value. The default ("2419200, 604800, 259200, 172800, 86400", which works out to 28, 7, 3, 2, and 1 day, when you convert from seconds to days) can be modified by setting the "ttls" value in the [defaults] section of /etc/certmonger/certmonger.conf.

To avoid going nuts, the daemon will actually hold off on certificates with a not-before value that's not at least an hour in the past, so adding a really high "ttls" value (say, longer than the certificate's entire validity period) should force frequent re-enrollments, though I haven't done this myself.

HTH,

Nalin
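
Added example, not part of the original message and not certmonger's own code: a small Python model of the threshold and hold-off behaviour described above, for working out when a lab certificate would first become due under a given "ttls" value. The 90-day sample certificate and the one-year lab "ttls" value are constructed assumptions, and the model covers only what the message states.

```python
from datetime import datetime, timedelta, timezone

# Default thresholds quoted in the message, in seconds of validity left.
DEFAULT_TTLS = "2419200, 604800, 259200, 172800, 86400"
# Hold-off described in the message: not-before must be at least an hour old.
HOLD_OFF = timedelta(hours=1)


def parse_ttls(value):
    """Parse a comma-separated "ttls" string into seconds, largest first."""
    return sorted({int(p) for p in value.split(",") if p.strip()}, reverse=True)


def is_due(now, not_before, not_after, ttls):
    """True if a threshold has been crossed and the hold-off has elapsed."""
    if now - not_before < HOLD_OFF:
        return False
    remaining = (not_after - now).total_seconds()
    return any(remaining <= ttl for ttl in ttls)


def first_attempt(not_before, not_after, ttls):
    """Earliest time this model would attempt re-enrollment."""
    crossed = not_after - timedelta(seconds=max(ttls))
    return max(crossed, not_before + HOLD_OFF)


# Constructed sample certificate: 90-day validity.
NOT_BEFORE = datetime(2012, 3, 1, tzinfo=timezone.utc)
NOT_AFTER = NOT_BEFORE + timedelta(days=90)
# Hypothetical lab value: one year, longer than the whole validity period.
LAB_TTLS = "31536000"

if __name__ == "__main__":
    for label, raw in (("default", DEFAULT_TTLS), ("lab", LAB_TTLS)):
        ttls = parse_ttls(raw)
        when = first_attempt(NOT_BEFORE, NOT_AFTER, ttls)
        print(f"{label}: thresholds (days) {[t / 86400 for t in ttls]}, "
              f"first attempt {when.isoformat()}")
```

With the default thresholds the sample certificate first becomes due 62 days after issuance; with the lab value it is due as soon as the one-hour hold-off has passed.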