Mojolicious, TagHelpers and nesting

TIL that the Mojolicious tag helper can be nested. This

<ul class="navigation">
%= tag 'li', tag 'a', href => "#$_", $_ foreach qw/foo bar baz/
</ul>

becomes

<ul class="navigation">
  <li>
    <a href="#foo">foo</a>
  </li>
  <li>
    <a href="#bar">bar</a>
  </li>
  <li>
    <a href="#baz">baz</a>
  </li>
</ul>

FreeIPA, dogtag, Rocky 9 and ipa-replica-install

Trying to install a replica on Rocky 9? Failing during CA or KRA setup at the "creating installation admin user" step:

[3/30]: creating ACIs for admin
[4/30]: creating installation admin user
Unable to log in as uid=admin-ipa2.$domain,ou=people,o=ipaca on ldap://ipa1.$domain:389
[hint] tune with replication_wait_timeout
[error] NotFound: uid=admin-ipa2.$domain,ou=people,o=ipaca did not replicate to ldap://ipa1.$domain:389

Seems like there is a problem with password setting/synchronisation.

On the new replica, patch dogtaginstance.py:

--- dogtaginstance.py   2024-09-18 13:07:59.800133397 +0000
+++ /usr/lib/python3.9/site-packages/ipaserver/install/dogtaginstance.py        2024-09-18 13:08:24.763219686 +0000
@@ -676,6 +676,7 @@

         # add user
         password = ipautil.ipa_generate_password()
+        logger.debug( "FOOBAR " + password )
         entry = api.Backend.ldap2.make_entry(
             dn,
             objectclass=[
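Review bot: the added line writes the freshly generated installation admin password in cleartext to the debug log, so /var/log/ipareplica-install.log (and anything that collects it) now holds a live credential; that is the point of the workaround, but the patch should be reverted and the FOOBAR line removed from the log once the password has been set on the existing machine with ldappasswd. As a style point, `logger.debug( "FOOBAR " + password )` should use the logger's own formatting and the surrounding code's spacing: `logger.debug("FOOBAR %s", password)`.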

Start ipa-replica-install

Watch /var/log/ipareplica-install.log for the FOOBAR line.

On an existing machine, set the password you saw in the FOOBAR line:

ldappasswd -D 'cn=Directory Manager' -W -S uid=admin-ipa2.$domain,ou=people,o=ipaca

This needs to be done once for the CA and once for the KRA.

FreeIPA, kinit, e-text and ENOSUCH

Trying to get a Kerberos ticket for a user on a master? Getting

kinit: Generic error (see e-text) while getting initial credentials

Log shows

ipa1.$domain krb5kdc... AS_REQ ... HANDLE_AUTHDATA: $user@$realm ... No such file or directory

Did you forget to add SIDs on upgrade/replica install?

This helped:

ipa config-mod --enable-sid --add-sids

FreeIPA and KRA connector has already been defined for this CA

Trying to install an additional KRA and getting

KRA connector has already been defined for this CA

Has your KRA transport certificate rolled over since the original installation? If yes, /etc/pki/pki-tomcat/ca/CS.cfg on the machine you try to sync from might still have the old certificate in ca.connector.KRA.transportCert.

Since ipa-replica-install ... --setup-kra copies that file, the new KRA tries to register itself with the wrong certificate, which leads to the above error.

  • Get the current transport certificate:

      pki -u admin ca-kraconnector-show

      Host: ipa1.$domain:443
          ...
          Transport Cert:

          XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
          XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
          ...

  • On the machine you sync from, replace the base64 encoded value of ca.connector.KRA.transportCert in /etc/pki/pki-tomcat/ca/CS.cfg with that certificate.

  • Reload Tomcat.
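The comparison behind these steps, as an added example that is not part of the original post: a small POSIX shell script that reads ca.connector.KRA.transportCert from a CS.cfg, compares it with the certificate the KRA currently shows, and rewrites the key when they differ. The CS.cfg contents, the file names and the base64 certificate bodies are constructed placeholders for the demo; on a real system you would point it at /etc/pki/pki-tomcat/ca/CS.cfg and at the base64 lines copied from the "Transport Cert:" block of pki ca-kraconnector-show.

```shell
#!/bin/sh
# Added example, not from the original post: checks whether the transport
# certificate recorded in a CA's CS.cfg (ca.connector.KRA.transportCert) is
# the one the KRA currently uses, and rewrites it if not. All file contents
# below are constructed placeholders, not real certificates.

# Print the value of KEY from a CS.cfg-style "key=value" file, with all
# whitespace removed so it can be compared byte for byte.
cscfg_get() {                  # usage: cscfg_get FILE KEY
    key=$(printf '%s' "$2" | sed 's/\./\\./g')   # escape dots for sed
    sed -n "s/^$key=//p" "$1" | tr -d ' \t\r\n'
}

# Replace the value of KEY in FILE (written via a temp file, so this works
# with both GNU and BSD sed). Base64 never contains '|', the delimiter used.
cscfg_set() {                  # usage: cscfg_set FILE KEY VALUE
    key=$(printf '%s' "$2" | sed 's/\./\\./g')
    tmp="$1.tmp.$$"
    sed "s|^$key=.*|$2=$3|" "$1" > "$tmp" && mv "$tmp" "$1"
}

# Reduce a certificate given as PEM (or as bare base64 lines) to a single
# base64 string: drop the BEGIN/END lines and every line break or space.
cert_normalise() {             # usage: cert_normalise FILE
    grep -v -e '-----' "$1" | tr -d ' \t\r\n'
}

# Exit 0 when CS.cfg already carries CERTFILE as the KRA transport cert.
kra_transport_cert_matches() { # usage: kra_transport_cert_matches CSCFG CERTFILE
    [ "$(cscfg_get "$1" ca.connector.KRA.transportCert)" = "$(cert_normalise "$2")" ]
}

# --- constructed demo: a stale CS.cfg and the cert the KRA shows today ---
work=$(mktemp -d)
cat > "$work/CS.cfg" <<'EOF'
ca.connector.KRA.enable=true
ca.connector.KRA.host=ipa1.example.test
ca.connector.KRA.transportCert=U1RBTEVUUkFOU1BPUlRDRVJU
EOF
# Paste the base64 lines from the "Transport Cert:" block of
# "pki -u admin ca-kraconnector-show" into a file like this (PEM headers optional).
cat > "$work/current.pem" <<'EOF'
-----BEGIN CERTIFICATE-----
Q1VSUkVOVFRSQU5TUE9SVENFUlQ=
-----END CERTIFICATE-----
EOF

if kra_transport_cert_matches "$work/CS.cfg" "$work/current.pem"; then
    echo "CS.cfg already has the current KRA transport certificate"
else
    echo "CS.cfg holds a stale KRA transport certificate, updating it"
    cscfg_set "$work/CS.cfg" ca.connector.KRA.transportCert \
        "$(cert_normalise "$work/current.pem")"
fi
kra_transport_cert_matches "$work/CS.cfg" "$work/current.pem" && echo "CS.cfg now in sync"
rm -rf "$work"
```

Run the check before starting ipa-replica-install on the new KRA; if it reports a stale value, update CS.cfg on the machine you sync from and reload Tomcat as described above, then run the check again.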

FreeIPA, dogtag, KRA and install token

To generate an install token as used e.g. in

pki ca-kraconnector-add --install-token ...

Run

host=$( hostname -f )
curl -u admin \
    "https://$host/ca/rest/securityDomain/installToken?hostname=$host&subsystem=KRA"

Enter the Directory Manager password, save the content of <token> to a file, and use that file for --install-token.
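Extracting and storing the token, as an added example that is not part of the original post: a POSIX shell script that pulls the <token> element out of the saved response and writes it to a file readable only by the current user, since the install token is a credential. The XML response below is constructed for the demo and its <InstallToken> wrapper element is an assumption; the post only documents the <token> element.

```shell
#!/bin/sh
# Added example, not from the original post: pulls the <token> element out
# of the installToken response and stores it in a file only the current user
# can read, since the install token is a credential. The XML below is
# constructed for the demo; the <InstallToken> wrapper is an assumption, the
# post only documents the <token> element.

# Print the text of the first <token>...</token> element in FILE. Line
# breaks are stripped first so pretty-printed responses match as well.
install_token_from_xml() {     # usage: install_token_from_xml FILE
    tr -d '\r\n' < "$1" | sed -n 's:.*<token>\([^<]*\)</token>.*:\1:p'
}

# Write the token to DEST (mode 0600); fail, and create nothing, if the
# response has no token (wrong password, wrong subsystem, HTML error page).
save_install_token() {         # usage: save_install_token XMLFILE DEST
    token=$(install_token_from_xml "$1")
    [ -n "$token" ] || { echo "no <token> element in $1" >&2; return 1; }
    ( umask 077 && rm -f "$2" && printf '%s\n' "$token" > "$2" )
}

# --- constructed demo ---
work=$(mktemp -d)
# In real use this file comes from the curl call in the text, e.g.
#   curl -u admin "https://$host/ca/rest/securityDomain/installToken?hostname=$host&subsystem=KRA" > response.xml
cat > "$work/response.xml" <<'EOF'
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<InstallToken>
    <token>CONSTRUCTED-INSTALL-TOKEN-VALUE</token>
</InstallToken>
EOF

if save_install_token "$work/response.xml" "$work/install-token"; then
    echo "token saved to $work/install-token"
    ls -l "$work/install-token"
    # then: pki ca-kraconnector-add --install-token "$work/install-token" ...
fi
rm -rf "$work"
```

Keeping the token in a 0600 file rather than on the command line also keeps it out of shell history and process listings while the pki command runs.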

systemd.debug-shell, ip a and cat

Trying to debug some early boot failures? Passing systemd.debug-shell=1 to the kernel command line? Running ip a to inspect network interfaces, and getting no output? Try

ip a | cat

Useful use of cat.

Nixos and Bridges

Is NixOS not creating your bridges on sudo nixos-rebuild switch?

Try running sudo systemctl restart network-setup.service.

Also, see #50208 and #42828.

Debian Bookworm, podman-compose and dns

Upgraded to bookworm and containers started with podman-compose can no longer resolve names?

Switching to the netavark networkBackend helped, e.g. by resetting:

podman system reset --force

Note that this deletes all your existing containers, images and volumes, though.

Powershell and Certificates

Looking to dump all properties of a certificate with serial number $SERIAL:

Get-ChildItem -Path Cert: -Recurse `
| Where-Object -Property SerialNumber -Value $SERIAL -eq `
| Select-Object -Property *

Configured Certificates

Want to list all certificates a server sends?

server=google.com:443

echo \
    | openssl s_client -showcerts -connect "$server" 2>&1 \
    | while openssl x509 -noout -subject -issuer; do
        echo
    done

Also works with a .pem containing multiple certificates.

Based on this stackexchange answer.
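The loop above works because each openssl x509 call consumes one PEM certificate from the stream. As an added example (not from the original post or the linked answer), here is a POSIX shell splitter that writes every certificate of such a bundle, whether captured from s_client or read from a .pem file, to its own file, so each one can be inspected separately with openssl x509 (subject, issuer, expiry). The bundle below is constructed and its certificate bodies are placeholders, not real certificates.

```shell
#!/bin/sh
# Added example, not from the original post: splits a PEM bundle (the output
# of "openssl s_client -showcerts", or any .pem with several certificates)
# into one file per certificate. Anything outside the BEGIN/END lines, such
# as s_client's "Certificate chain" chatter, is dropped.

# Count the certificates in a PEM bundle.
pem_count() {                  # usage: pem_count FILE
    grep -c -e '^-----BEGIN CERTIFICATE-----' "$1"
}

# Write every certificate in FILE to OUTDIR/cert-N.pem, N starting at 1,
# keeping only the lines from BEGIN to END of each certificate.
pem_split() {                  # usage: pem_split FILE OUTDIR
    mkdir -p "$2"
    awk -v dir="$2" '
        /^-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem"; inside = 1 }
        inside { print > out }
        /^-----END CERTIFICATE-----/   { inside = 0; close(out) }
    ' "$1"
}

# --- constructed demo: what "openssl s_client -showcerts" output looks like ---
work=$(mktemp -d)
cat > "$work/chain.pem" <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = leaf.example.test
-----BEGIN CERTIFICATE-----
LEAFCERTPLACEHOLDER
-----END CERTIFICATE-----
 1 s:CN = Example Intermediate CA
-----BEGIN CERTIFICATE-----
INTERMEDIATECERTPLACEHOLDER
-----END CERTIFICATE-----
---
EOF

echo "certificates in bundle: $(pem_count "$work/chain.pem")"
pem_split "$work/chain.pem" "$work/split"
for f in "$work"/split/cert-*.pem; do
    echo "== $f"
    cat "$f"
    # on a real bundle: openssl x509 -noout -subject -issuer -enddate -in "$f"
done
rm -rf "$work"
```

Feed it the saved output of the s_client pipeline, or the multi-certificate .pem, and run openssl x509 on each cert-N.pem; the order of the files is the order the server sent the chain in, which is itself worth checking.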