FreeIPA and KRA connector has already been defined for this CA

Trying to install an additional KRA and getting

KRA connector has already been defined for this CA

Has your KRA transport certificate rolled over since the original installation? If yes, /etc/pki/pki-tomcat/ca/CS.cfg on the machine you try to sync from might still have the old certificate in ca.connector.KRA.transportCert.

Since ipa-replica-install ... --setup-kra copies that file, the new replica tries to register its KRA connector with the stale certificate, which produces the error above.

  • Get the current transport certificate:

      pki -u admin ca-kraconnector-show
    
      Host: ipa1.$domain:443
          ...
          Transport Cert:
    
          XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
          XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
          ...
    
  • On the machine you sync from, replace the base64-encoded value of ca.connector.KRA.transportCert in /etc/pki/pki-tomcat/ca/CS.cfg with the current one.

  • Reload Tomcat.
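A check that makes the stale-certificate case visible before a replica is installed, added here as an example and not part of the original page. It assumes CS.cfg stores ca.connector.KRA.transportCert as base64 DER (the form shown above) and that the current transport certificate has been saved to a PEM file, e.g. the Transport Cert block from pki ca-kraconnector-show with PEM headers added. The function names and the --check usage are made up for the example.

```shell
#!/bin/bash
# Added example (not from the original page): check whether the transport
# certificate recorded in a CA's CS.cfg still matches the KRA's current
# transport certificate before copying CS.cfg to a new replica.
set -o errexit -o nounset -o pipefail

# Print the base64 value of ca.connector.KRA.transportCert from the CS.cfg at $1.
cs_cfg_transport_cert() {
	sed -n 's/^ca\.connector\.KRA\.transportCert=//p' "$1"
}

# Print the SHA-256 fingerprint of the certificate stored in the CS.cfg at $1.
# The value is base64 DER without PEM armour, hence -inform DER.
cs_cfg_transport_fingerprint() {
	cs_cfg_transport_cert "$1" | base64 -d \
		| openssl x509 -inform DER -noout -fingerprint -sha256
}

# Print the SHA-256 fingerprint of the PEM certificate at $1 (the current
# transport certificate, saved from 'pki ca-kraconnector-show').
pem_fingerprint() {
	openssl x509 -in "$1" -noout -fingerprint -sha256
}

# Succeed when the CS.cfg at $1 carries the same certificate as the PEM at $2.
transport_cert_matches() {
	[ "$(cs_cfg_transport_fingerprint "$1")" = "$(pem_fingerprint "$2")" ]
}

if [ "${1-}" = "--check" ]; then
	# usage: ./check-transport-cert.sh --check /etc/pki/pki-tomcat/ca/CS.cfg current-transport.pem
	if transport_cert_matches "$2" "$3"; then
		echo "CS.cfg transport cert matches $3"
	else
		echo "CS.cfg transport cert is stale; fix ca.connector.KRA.transportCert before installing the replica"
		exit 1
	fi
fi
```

Run it on the machine you would sync from; a mismatch means the replica install will copy the old certificate and fail with the error at the top of this note.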

FreeIPA, dogtag, KRA and install token

To generate an install token, as used by e.g.

pki ca-kraconnector-add --install-token ...

Run

curl -u admin \
    "https://$( hostname -f )/ca/rest/securityDomain/installToken?hostname=$( hostname -f )&subsystem=KRA"

enter the directory manager password, save the content of <token> to a file, and use that for --install-token.

systemd.debug-shell, ip a and cat

Trying to debug some early boot failures? Passing systemd.debug-shell=1 to the kernel command line? Running ip a to inspect network interfaces, and getting no output? Try

ip a | cat

Useful use of cat.

Nixos and Bridges

Is NixOS not creating your bridges on sudo nixos-rebuild switch?

Try running sudo systemctl restart network-setup.service.

Also, see #50208 and #42828.

Debian Bookworm, podman-compose and dns

Upgraded to bookworm and containers started with podman-compose can no longer resolve names?

Switching to the netavark networkBackend helped, e.g. by resetting:

podman system reset --force

It will delete all your stuff, though.

Powershell and Certificates

Looking to dump all properties of the certificate with serial number $SERIAL:

Get-ChildItem -Path Cert: -Recurse `
| Where-Object -Property SerialNumber -Value $SERIAL -eq `
| Select-Object -Property *
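A variant of the same lookup, added here as an example and not code from the original page: the SerialNumber property holds upper-case hex without separators, so a serial copied from openssl output (colon-separated) never matches as typed. The function below normalises the input, skips the store containers that Get-ChildItem -Recurse also returns, and flags expired matches. The function name and property selection are choices made for this example.

```powershell
# Added example (not from the original page): look a certificate up by serial
# number across all stores and report the fields that identify it.
function Find-CertificateBySerial {
    param(
        [Parameter(Mandatory)]
        [string] $Serial
    )

    # SerialNumber is upper-case hex without separators; accept the
    # colon- or space-separated forms that openssl and other tools print.
    $normalized = ($Serial -replace '[:\s]', '').ToUpperInvariant()

    $found = Get-ChildItem -Path Cert: -Recurse |
        Where-Object { -not $_.PSIsContainer -and $_.SerialNumber -eq $normalized }

    foreach ($cert in $found) {
        if ($cert.NotAfter -lt (Get-Date)) {
            Write-Warning "Certificate $($cert.Thumbprint) in $($cert.PSParentPath) expired $($cert.NotAfter)"
        }
    }

    $found | Select-Object -Property PSParentPath, Subject, Issuer, NotBefore, NotAfter, Thumbprint, HasPrivateKey
}

# Usage: Find-CertificateBySerial -Serial '0a:1b:2c:3d'
```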

Configured Certificates

Want to list all certificates a server sends?

server=google.com:443

echo \
	| openssl s_client -showcerts -connect "$server" 2>&1 \
	| while openssl x509 -noout -subject -issuer; do
		echo
	done

Also works with a .pem containing multiple certificates.

Based on this stackexchange answer.

Rust, https_proxy and failed to download

Getting

error: failed to download from ...

Caused by:
  [2] Failed initialization ([CONN-1-0] send: no filter connected)

Disabling multiplexing helped, e.g.

CARGO_HTTP_MULTIPLEXING=false cargo run

Also possible in .cargo/config.
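The same setting as a config file, added here as an example (not from the original page); the key is Cargo's http.multiplexing and the file goes in .cargo/config.toml (Cargo also reads the older .cargo/config name):

```toml
# Disable HTTP/2 multiplexing for crate downloads; equivalent to
# CARGO_HTTP_MULTIPLEXING=false in the environment.
[http]
multiplexing = false
```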

Python, unittests, requests and timeouts

Want to test timeout handling of your code?

#!/usr/bin/python3
# vim: set fileencoding=utf-8 shiftwidth=4 tabstop=4 expandtab textwidth=78:

# test by running 'python3 -m unittest test.py'
import unittest
import unittest.mock as mock

import requests


class Test(unittest.TestCase):
    def test_one( self ):
        self.assertFalse( False )

    # Replace requests.get with a mock that raises Timeout, so the test
    # needs no network and does not actually wait for anything.
    @mock.patch( 'requests.get', side_effect=requests.exceptions.Timeout() )
    def test_timeout( self, mock_get ):
        with self.assertRaises( requests.exceptions.Timeout ):
            mock_get()

        self.assertTrue( True )


if __name__ == '__main__':
    unittest.main()
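A version where the patched requests.get exercises real code under test, added here as an example and not code from the original page. fetch_status, the helper functions and the URL are made up for the illustration. Besides checking the Timeout path, the test asserts that a timeout is actually passed to requests.get: requests has no default timeout, and a call without one lets the client hang indefinitely on an unresponsive server.

```python
# Added example (not from the original page): unit-test timeout handling of
# code that uses requests, without touching the network.
import unittest
import unittest.mock as mock

import requests

# Constructed URL used only by the tests below; .invalid never resolves.
TEST_URL = "https://example.invalid/health"


def fetch_status(url, timeout=3.0):
    """Code under test: GET url with a timeout and return the status code,
    or None when the request times out, so callers can fall back instead of
    hanging on a server that never answers."""
    try:
        return requests.get(url, timeout=timeout).status_code
    except requests.exceptions.Timeout:
        return None


def run_timeout_case(url=TEST_URL):
    """Patch requests.get so it raises Timeout and return what fetch_status
    gives back; also verify the timeout keyword really reached requests."""
    with mock.patch("requests.get",
                    side_effect=requests.exceptions.Timeout()) as get:
        result = fetch_status(url)
        get.assert_called_once_with(url, timeout=3.0)
    return result


def run_success_case(url=TEST_URL):
    """Patch requests.get to return a constructed 200 response."""
    response = mock.Mock(status_code=200)
    with mock.patch("requests.get", return_value=response):
        return fetch_status(url)


class Test(unittest.TestCase):
    def test_timeout_returns_none(self):
        self.assertIsNone(run_timeout_case())

    def test_success_returns_status(self):
        self.assertEqual(run_success_case(), 200)


if __name__ == "__main__":
    unittest.main()
```

The mock replaces the whole network round trip, so the suite runs in milliseconds and fails loudly if someone later drops the timeout argument from fetch_status.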

Jenkins, Kerberos and curl

Want to use curl to talk to a kerberos enabled jenkins?

#!/bin/bash
# Log in to a Kerberos (SPNEGO) protected Jenkins once with curl, then drop
# into a shell where $CURL reuses the resulting session cookie.
set -o errexit -o errtrace -o nounset -o pipefail

cleanup() {
	# remove the cookie jar on exit; it holds a valid session
	[ -n "${COOKIES-}" ] && unlink "${COOKIES}"
}

trap cleanup EXIT

export COOKIES=$( mktemp )

HOST=$1

# --negotiate -u : authenticates with the ticket in your credential cache
# (kinit first); -I sends a HEAD request, we only need the Set-Cookie reply
curl -c "$COOKIES" --negotiate -u : "https://$HOST/login" -I

export CURL="curl -b $COOKIES -c $COOKIES"
export URL="https://$HOST"
echo "I: spawning shell with session cookie for '$HOST'"
echo 'I: cookie jar available via $CURL: '$CURL
echo 'I: hostname via $URL: '$URL
bash