Replace replication_wait_timeout with certmonger_wait_timeout

The variable is intended to control the timeout for replication events. If someone had significantly reduced it via configuration then it could have caused certmogner requests to fail due to timeouts. Add replication_wait_timeout, certmonger_wait_timeout and http_timeout to the default.conf man page. Related: https://pagure.io/freeipa/issue/7971 Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2025-02-25 18:55:28 -06:00 · 2019-07-05 13:31:32 -04:00
parent 0d7eb0a972
commit faf34fcdfd
9 changed files with 27 additions and 8 deletions
--- a/ipalib/constants.py
+++ b/ipalib/constants.py
@@ -173,6 +173,8 @@ DEFAULT_CONFIG = (
    ('http_timeout', 30),
    # How long to wait for an entry to appear on a replica
    ('replication_wait_timeout', 300),
+    # How long to wait for a certmonger request to finish
+    ('certmonger_wait_timeout', 300),

    # Web Application mount points
    ('mount_ipa', '/ipa/'),
--- a/ipalib/install/certmonger.py
+++ b/ipalib/install/certmonger.py
@@ -326,7 +326,11 @@ def request_and_wait_for_cert(

    deadline = time.time() + resubmit_timeout
    while True:  # until success, timeout, or error
-        state = wait_for_request(req_id, api.env.replication_wait_timeout)
+        try:
+            state = wait_for_request(req_id, api.env.http_timeout)
+        except RuntimeError as e:
+            logger.debug("wait_for_request raised %s", e)
+            state = 'TIMEOUT'
        ca_error = get_request_value(req_id, 'ca-error')
        if state == 'MONITORING' and ca_error is None:
            # we got a winner, exiting
@@ -336,7 +340,7 @@ def request_and_wait_for_cert(
        logger.debug(
            "Cert request %s failed: %s (%s)", req_id, state, ca_error
        )
-        if state not in {'CA_REJECTED', 'CA_UNREACHABLE'}:
+        if state in {'CA_REJECTED', 'CA_UNREACHABLE'}:
            # probably unrecoverable error
            logger.debug("Giving up on cert request %s", req_id)
            break
@@ -344,8 +348,11 @@ def request_and_wait_for_cert(
            # no resubmit
            break
        elif time.time() > deadline:
-            logger.debug("Request %s reached resubmit dead line", req_id)
+            logger.debug("Request %s reached resubmit deadline", req_id)
            break
+        elif state == 'TIMEOUT':
+            logger.debug("%s not in final state, continue waiting", req_id)
+            time.sleep(10)
        else:
            # sleep and resubmit
            logger.debug("Sleep and resubmit cert request %s", req_id)