Antonia Stevens via FreeIPA-devel wrote:
Thanks for the feedback Rob,

I've updated the scripts with your suggestions except for using
certmonger which is probably more work, I've created a GitHub issue for
refactoring using certmonger.

Awesome. I wonder if we should link to this on the freeipa wiki. There is quite a lot of interest in LE certs and being able to handle renewal, even if via a cronjob, makes it far easier to use.



- Antonia

On Thu, Oct 12, 2017 at 3:18 AM, Rob Crittenden wrote:

    Antonia Stevens via FreeIPA-devel wrote:


        Thought I should introduce myself and post a link to some recent
        which might be relevant for some of you.

        My name is Antonia Stevens and I'm a DevOps Engineer and long time
        FreeIPA user.

        We recently had a need to get proper certs for IPA servers in AWS,
        which means they have multiple IPs/DNS Names/Principals. Since I
        could not find anything, I hacked together a couple of bash scripts
        to make it a bit easier.

        Thanks for all the great work and depending on my schedule I might
        try to contribute a bit more going forward.

    This looks very cool. I haven't executed it yet but from reading the
    scripts here are a few ideas/suggestions.

    - it may be better to get the kerberos realm from /etc/ipa/default.conf
    - I have the feeling this requires at least IPA v4.5.0. Probably
    worthwhile to document which version(s) are known to work
    - A cronjob wouldn't be necessary if certmonger was used to do the
    renewal. The script would need to be modified to work as a
    certmonger CA but then it could handle restarting the services, etc.


FreeIPA-devel mailing list --
To unsubscribe send an email to
