TIL, the Mojolicious tag helper can be nested. This
<ul class="navigation">
%= tag 'li', tag 'a', href => "#$_", $_ foreach qw/foo bar baz/
</ul>
becomes
<ul class="navigation">
<li>
<a href="#foo">foo</a>
</li>
<li>
<a href="#bar">bar</a>
</li>
<li>
<a href="#baz">baz</a>
</li>
</ul>
Trying to install a replica on Rocky 9? Failing when setting up CA or KRA with creating installation admin user:
[3/30]: creating ACIs for admin
[4/30]: creating installation admin user
Unable to log in as uid=admin-ipa2.$domain,ou=people,o=ipaca on ldap://ipa1.$domain:389
[hint] tune with replication_wait_timeout
[error] NotFound: uid=admin-ipa2.$domain,ou=people,o=ipaca did not replicate to ldap://ipa1.$domain:389
Seems like there is a problem with password setting/synchronisation.
On the new replica, patch dogtaginstance.py:
--- dogtaginstance.py 2024-09-18 13:07:59.800133397 +0000
+++ /usr/lib/python3.9/site-packages/ipaserver/install/dogtaginstance.py 2024-09-18 13:08:24.763219686 +0000
@@ -676,6 +676,7 @@
# add user
password = ipautil.ipa_generate_password()
+ logger.debug( "FOOBAR " + password )
entry = api.Backend.ldap2.make_entry(
dn,
objectclass=[
Start ipa-replica-install
Watch /var/log/ipareplica-install.log for the FOOBAR line.
On an existing machine, set password:
ldappasswd -D 'cn=Directory Manager' -W -S uid=admin-ipa2.$domain,ou=people,o=ipaca
Needs to be done once for CA and once for KRA.
Trying to get a Kerberos ticket for a user on a master? Getting
kinit: Generic error (see e-text) while getting initial credentials
Log shows
ipa1.$domain krb5kdc... AS_REQ ... HANDLE_AUTHDATA: $user@$realm ... No such file or directory
Did you forget to add SIDs on upgrade/replica install?
This helped:
ipa config-mod --enable-sid --add-sids
Trying to install an additional KRA and getting
KRA connector has already been defined for this CA
Has your KRA transport certificate rolled over since the original installation?
If yes, /etc/pki/pki-tomcat/ca/CS.cfg on the machine you try to sync from
might still have the old certificate in ca.connector.KRA.transportCert.
Since ipa-replica-install ... --setup-kra copies that file, it will try to add
itself with the wrong certificate leading to the above error.
Get the current transport certificate:
pki -u admin ca-kraconnector-show
Host: ipa1.$domain:443
...
Transport Cert:
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
...
On the machine you sync from, replace the base64 encoded value for ca.connector.KRA.transportCert in /etc/pki/pki-tomcat/ca/CS.cfg
reload tomcat.
To generate an install token used in f.e.
pki ca-kraconnector-add --install-token ...
Run
curl -u admin
"https://$( hostname -f )/ca/rest/securityDomain/installToken\
?hostname=$( hostname -f)&subsystem=KRA"
enter the directory manager password, save the content of <token> to a file,
and use that for --install-token.
Trying to debug some early boot failures? Passing systemd.debug-shell=1 to the
kernel command line? Running ip a to inspect network interfaces, and getting
no output? Try
ip a | cat
Useful use of cat.
Is NixOS not creating your bridges on sudo nixos-rebuild switch?
Try running sudo systemctl restart network-setup.service.
Upgraded to bookworm and containers started with podman-compose can no longer resolve names?
Switching to the netavark networkBackend helped, f.e. by reseting:
podman system reset --force
It will delete all your stuff, though.
Looking to dump all properties of a certificate with $SERIAL:
Get-ChildItem -Path Cert: -Recurse `
| Where-Object -Property SerialNumber -Value $SERIAL -eq `
| Select-Object -Property *
Want to list all certificates a server sends?
server=google.com:443
echo \
| openssl s_client -showcerts -connect $server 2>&1 \
| while openssl x509 -noout -subject -issuer; do
echo;
done
Also works with a .pem containing multiple certificates.
Based on this stackexchange answer.