Ssh key and invalid format
Is ssh reporting Load key ... invalid format
when trying to use a private key?
The file might be missing a newline at EOF.
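As an added example (not from the original post), a small POSIX sh check for the framing problems that make ssh refuse a key file: the missing final newline described above, plus a missing or damaged BEGIN/END marker line, which the parser also rejects. Function names and the sample files are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original post: diagnose formatting problems
# in a private key file that make ssh report "Load key ...: invalid format".
# All functions return 0 when the file passes the check.

# True if the file is non-empty and its last byte is a newline.
# $(...) strips trailing newlines, so the substitution is empty exactly
# when the final byte is "\n"; the -s test rules out an empty file.
ends_with_newline() {
  [ -s "$1" ] && [ -z "$(tail -c 1 "$1")" ]
}

# True if the first line is a PEM/OpenSSH BEGIN marker and a matching END
# marker exists somewhere in the file (grep still sees a final line that
# lacks its newline, so this check is independent of the one above).
has_key_markers() {
  head -n 1 "$1" | grep -q '^-----BEGIN .*-----$' &&
  grep -q '^-----END .*-----$' "$1"
}

# Print every finding to stderr; exit status is 0 only if nothing is wrong.
check_private_key() {
  f=$1
  rc=0
  if ! has_key_markers "$f"; then
    echo "$f: BEGIN/END marker missing or damaged" >&2
    rc=1
  fi
  if ! ends_with_newline "$f"; then
    echo "$f: no newline at end of file" >&2
    rc=1
  fi
  return "$rc"
}

# Append the missing newline in place, and only when that is what is wrong.
fix_missing_newline() {
  if [ -s "$1" ] && ! ends_with_newline "$1"; then
    printf '\n' >> "$1"
  fi
}
```

Run `check_private_key ~/.ssh/id_ed25519` before reaching for ssh -vvv; the fix function is deliberately separate so nothing is modified during a check.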
TIL, the Mojolicious tag helper can be nested. This
<ul class="navigation">
%= tag 'li', tag 'a', href => "#$_", $_ foreach qw/foo bar baz/
</ul>
becomes
<ul class="navigation">
  <li>
    <a href="#foo">foo</a>
  </li>
  <li>
    <a href="#bar">bar</a>
  </li>
  <li>
    <a href="#baz">baz</a>
  </li>
</ul>
Trying to install a replica on Rocky 9? Failing while setting up the CA or KRA at the "creating installation admin user" step:
[3/30]: creating ACIs for admin
[4/30]: creating installation admin user
Unable to log in as uid=admin-ipa2.$domain,ou=people,o=ipaca on ldap://ipa1.$domain:389
[hint] tune with replication_wait_timeout
[error] NotFound: uid=admin-ipa2.$domain,ou=people,o=ipaca did not replicate to ldap://ipa1.$domain:389
Seems like there is a problem with password setting/synchronisation.
On the new replica, patch dogtaginstance.py:
--- dogtaginstance.py 2024-09-18 13:07:59.800133397 +0000
+++ /usr/lib/python3.9/site-packages/ipaserver/install/dogtaginstance.py 2024-09-18 13:08:24.763219686 +0000
@@ -676,6 +676,7 @@
# add user
password = ipautil.ipa_generate_password()
+ logger.debug( "FOOBAR " + password )
entry = api.Backend.ldap2.make_entry(
dn,
objectclass=[
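Review bot: the added logger.debug line writes the freshly generated admin password in clear text to the installation log (/var/log/ipareplica-install.log), where it remains readable after the install has finished. Since the line is a one-off debugging aid, revert the patch once the replica is up, scrub the FOOBAR line from the log, or rotate the password that was printed; a less sensitive variant would log only that the password was generated, not its value.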
Start ipa-replica-install and watch /var/log/ipareplica-install.log for the FOOBAR line.
On an existing machine, set password:
ldappasswd -D 'cn=Directory Manager' -W -S uid=admin-ipa2.$domain,ou=people,o=ipaca
Needs to be done once for CA and once for KRA.
Trying to get a Kerberos ticket for a user on a master? Getting
kinit: Generic error (see e-text) while getting initial credentials
Log shows
ipa1.$domain krb5kdc... AS_REQ ... HANDLE_AUTHDATA: $user@$realm ... No such file or directory
Did you forget to add SIDs on upgrade/replica install?
This helped:
ipa config-mod --enable-sid --add-sids
Trying to install an additional KRA and getting
KRA connector has already been defined for this CA
Has your KRA transport certificate rolled over since the original installation?
If yes, /etc/pki/pki-tomcat/ca/CS.cfg on the machine you try to sync from might still have the old certificate in ca.connector.KRA.transportCert. Since ipa-replica-install ... --setup-kra copies that file, it will try to add itself with the wrong certificate, leading to the above error.
Get the current transport certificate:
pki -u admin ca-kraconnector-show
Host: ipa1.$domain:443
...
Transport Cert:
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
...
On the machine you sync from, replace the base64 encoded value for ca.connector.KRA.transportCert in /etc/pki/pki-tomcat/ca/CS.cfg and reload tomcat.
To generate an install token used in, f.e., pki ca-kraconnector-add --install-token ..., run
curl -u admin "https://$( hostname -f )/ca/rest/securityDomain/installToken?hostname=$( hostname -f )&subsystem=KRA"
enter the directory manager password, save the content of <token> to a file, and use that for --install-token.
Trying to debug some early boot failures? Passing systemd.debug-shell=1 to the kernel command line? Running ip a to inspect network interfaces, and getting no output? Try
ip a | cat
Useful use of cat.
Is NixOS not creating your bridges on sudo nixos-rebuild switch? Try running sudo systemctl restart network-setup.service.
Upgraded to bookworm and containers started with podman-compose can no longer resolve names? Switching to the netavark network backend helped, f.e. by resetting:
podman system reset --force
It will delete all your stuff, though.
Looking to dump all properties of a certificate with serial number $SERIAL:
Get-ChildItem -Path Cert: -Recurse `
| Where-Object -Property SerialNumber -Value $SERIAL -eq `
| Select-Object -Property *