Setting up IPA with a specific CA cert subject

If you are doing experiments with IPA where you install and reinstall IPA servers, you may notice SSL certificate errors when connecting to an IPA server using Firefox. The reason is that always the same Organization and serial is used when the CA cert is created.

Normal users are usually only affected when using the same Realm and DNS subdomain for the test and production environment which is not recommended anyway.

Reproducing the issue
1. Set up IPA with ipa-server-install.
2. Connect to the WebUI using Firefox.
3. Unconfigure IPA with ipa-server-install –uninstall.
4. Configure IPA again with ipa-server-install.
5. Connect to the WebUI using Firefox again and figure out its not working and trows an error message like “An error occurred during a connection to ipa1.example.com. You have received an invalid certificate”.

See also FreeIPA Ticket #2016.

Unfortunately it is not trivial to fix this behavior as different components need to be changed.

Workaround
There is an easy workaround for this issue. Just provide the –subject when configuring IPA.

[root@ipa1 ~]# ipa-server-install --subject="O=EXAMPLE.COM 201511291216" --more-options-as-you-need

The O=EXAMPLE.COM should be replaced with the Realm you plan to set up, the number should be something like <year><month><day><hour><minute>

Unfortunately I dont know if there is an easy way to change already set up servers as the CA cert would need to be recreated.

Updating Fedora to version 23 – how to workaround some issues

After upgrading two machines from Fedora 22 to 23 I stumbled upon some severe issues. Most of them are easy to solve.

This weekend I’ve found some time to upgrade my headless router and one of my workstations. Unfortunately is did not went that smooth like the past few upgrades.

No initrd created and grub config lacks initrd reference
This seems to be connected to the Plymouth issue as described here: Common F23 bugs. On my headless machine I only had “details” and “text” themes installed, the result is that the machine can not access the root fs and the Kernel panics.

Solution: before upgrading, ensure you have the Plymouth theme “charge” active.

plymouth-set-default-theme charge && dracut -f && reboot

If you already upgraded and the machine fails to boot, select the Fedora 22 Kernel to boot from, create a new initrd and update the grub config as follows:

dracut /boot/initramfs-4.2.5-300.fc23.$(uname -i).img 4.2.5-300.fc23.$(uname -i)
grub2-mkconfig -o /boot/grub2/grub.cfg
reboot

Renamed network interfaces
On one machine I ended up having no network connectivity at all because both interfaces got a new name. I.e. “p135p1” was now known as “enp2s0”. If you do not use NetworkManager, just rename your ifcfg scripts in /etc/sysconfig/network-scripts/ and edit it them accordingly (DEVICE=new-interface-name). No clue how to manage that issue with NetworkManager, probably in a similar way.

No keyboard and mouse available
After the upgrading the machine I’m using as a workstation, keyboard and mouse have not been working anymore which makes the usage as a Workstation “a bit” problematic. The reason is a missing package due to a broken dependency.

dnf -y install  xorg-x11-drv-evdev
# Restart X11
systemctl isolate multi-user.target
systemctl isolate graphical.target

See also Bugzilla #1212833

KDM does not show any user
Since I do not have any local users (I’m using IPA for centralized identity management), its unclear if this is reason. I was not able to enter a username manually. I was also unable to track down the problem.

Solution: Switch to GDM:

system-switch-displaymanager GDM
# Restart X11
systemctl isolate multi-user.target
systemctl isolate graphical.target

KDE Plasma 5 garbled graphics
When I logged in to Plasma, the desktop was quite odd. All graphic stuff (the whole desktop) was garbled. No clue why, in a virtual machine this is working (somehow). Can not be the Nouveau driver because then also XFCE and Gnome would be affected as well.

Solution: Switch to XFCE (or Gnome if you like)

Conclusion
While the major part of the upgrade went really smooth, there are some issues which I did not expected to see. From my point of view the Plymouth issue and the keyboard/mouse issue should have been a blocker for the release. The rest of the issues I’ve stumbled on was probably just bad luck.

A word to KDE Plasma: Its available in the KDE spin since Fedora 22 but it is still not yet usable for daily work. I personally consider Plasma be a pre-alpha software. KDE repeats the same mistake they made when switching from KDE3 to KDE4. This will cause more users to switch away from KDE which is a petty.

Have fun 🙂