Troubleshooting FreeIPA Certificate issues

For the past couple of months, I’ve been heads down working on the UI for the FreeIPA project. Since FreeIPA is designed to be the cornerstone of a company’s security management infrastructure, it is designed to do everything “right” as far as cryptography, certificates, Kerberos, SELinux and the like go. If something is not configured correctly, it shuts down, doesn’t start, breaks, and so on. We, the developers, deal with the pain of getting it configured correctly so that, hopefully, the end users get an experience that is both smooth and secure. So, if you are sharing some of that pain, here’s an analgesic:

Much of the pain comes from dealing with certificates in Firefox. When installing FreeIPA server, you have the option to create a self-signed certificate. This means a faster install, but often you will get a certificate with an identical serial number to the one that your browser currently knows about. When that happens, you see this screen:

[Screenshot: Secure Connection Failed dialog]
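To confirm that this is what you are hitting before deleting anything, compare the serial number of the certificate the server now presents with the one Firefox has cached (export it from the Certificate Manager). The following is an added example, not FreeIPA’s code: a minimal DER walker that pulls the serialNumber out of an X.509 certificate and flags the reused-serial condition. The host name in the comment is a placeholder, and the “certificates” built by fake_cert are constructed DER shells for offline demonstration only.

```python
def _tlv(der: bytes, pos: int):
    """Parse one DER tag-length-value at pos; return (tag, value_start, value_end)."""
    tag, length, pos = der[pos], der[pos + 1], pos + 2
    if length & 0x80:                       # long-form length: next n bytes hold the size
        n = length & 0x7F
        length = int.from_bytes(der[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def serial_number(der: bytes) -> int:
    """Certificate -> tbsCertificate -> [0] version (optional) -> serialNumber INTEGER."""
    tag, pos, _ = _tlv(der, 0)              # outer Certificate SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, pos, _ = _tlv(der, pos)              # tbsCertificate SEQUENCE
    tag, start, end = _tlv(der, pos)        # either [0] EXPLICIT version or the serial
    if tag == 0xA0:                         # version present: skip it
        tag, start, end = _tlv(der, end)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER not found")
    return int.from_bytes(der[start:end], "big", signed=True)

def reused_serial(served_der: bytes, cached_der: bytes) -> bool:
    """True when two *different* certificates carry the same serial: Firefox's complaint."""
    return served_der != cached_der and serial_number(served_der) == serial_number(cached_der)

# --- constructed test certificates (minimal DER shells, not real X.509) ---------------
def _der(tag: int, body: bytes) -> bytes:
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def fake_cert(serial: int, filler: bytes) -> bytes:
    version = _der(0xA0, _der(0x02, b"\x02"))                         # v3
    ser = _der(0x02, serial.to_bytes((serial.bit_length() + 8) // 8, "big"))
    # filler stands in for signature, issuer, validity, key...; long enough for long-form lengths
    return _der(0x30, _der(0x30, version + ser + filler * 140))

if __name__ == "__main__":
    # Real use (placeholder host):
    #   served = ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate(("ipa.example.test", 443)))
    #   cached = open("exported-from-firefox.der", "rb").read()
    old = fake_cert(1, b"\x01")      # what the browser remembers
    new = fake_cert(1, b"\x02")      # reinstalled server: same serial, different body
    print("reused serial:", reused_serial(new, old))   # True: delete the cached one, restart Firefox
```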

How to fix it:

First, open Firefox preferences, and navigate to the advanced area, and within that, the encryption tab:

[Screenshot: Firefox Preferences]

You probably only need to delete the server’s certificate, which you can see here:

[Screenshot: Certificate Manager]

and then, and this is important enough to make it big

Restart Firefox.

Yes, I know that you should not have to. This is a bug. If you don’t restart Firefox, you will be back at this page, but the certificate will be listed under Others. Usually, I flip through all the tabs and make sure that IPA is exorcised from the browser.

Other troubleshooting tips:

Uninstall and reinstall of the Directory Server can fail. Look in:

/var/log/ipaserver-install.log

If you see something about a socket already in use, what has happened is that an old Directory Server install left behind a Unix socket file in /var/run/dirsrv. Delete it, then kick off the install again. This tip is also useful if kinit fails. It is due to a current bug in 389, and will probably be a distant memory by the time FreeIPA goes 2.0.

Because I need my laptop to talk to the company Kerberos install for company administrative tasks, I don’t want to mess around with changing my laptop’s Kerberos settings, and instead do most of my development on a virtual machine. While I can connect to the ipadev machine via

ssh -X ipadev

just running Firefox with the default options doesn’t work. Firefox tries to be smart, and pulls up the settings on the machine running the X server, not the X client. To work around this, run

firefox --no-remote

and configure Kerberos as per the user’s manual.
