Antonia Stevens wrote:
> Per previous suggestions I've created a proof of concept implementation
> using Certmonger and Certbot.
> 
> At this stage I have a working prototype that can request certificates
> and thought I'd solicit feedback before doing further work.
> 
> The PoC can be found on my GitHub account. I also registered a domain
> (cerlet.com) to go with it, which I intend to set up
> so that it can be used for public testing. Is there a public FreeIPA
> test server that could be conveniently set up as an authoritative DNS
> server for the domain and will allow users to sign up and authenticate
> using Kerberos?
> 
> https://github.com/antevens/cerlet

This is great news! I'll try to take a look at it soon.

rob

> 
> On Fri, Oct 13, 2017 at 8:41 AM, Rob Crittenden <rcrit...@redhat.com> wrote:
> 
>     Antonia Stevens via FreeIPA-devel wrote:
> 
>         Thanks for the feedback Rob,
> 
>         I've updated the scripts with your suggestions except for using
>         certmonger, which is probably more work. I've created a GitHub
>         issue for refactoring using certmonger.
> 
> 
>     Awesome. I wonder if we should link to this on the freeipa wiki.
>     There is quite a lot of interest in LE certs and being able to
>     handle renewal, even if via a cronjob, makes it far easier to use.
> 
>     cheers
> 
>     rob
> 
> 
>         - Antonia
> 
> 
> 
>         On Thu, Oct 12, 2017 at 3:18 AM, Rob Crittenden
>         <rcrit...@redhat.com> wrote:
> 
>             Antonia Stevens via FreeIPA-devel wrote:
> 
>                 Hi,
> 
>                 Thought I should introduce myself and post a link to
>                 some recent work which might be relevant for some of you.
> 
>                 My name is Antonia Stevens and I'm a DevOps Engineer and
>                 long time FreeIPA user.
> 
>                 We recently had a need to get proper certs for IPA
>                 servers in AWS which means they have multiple
>                 IPs/DNS Names/Principals, since I could not find
>                 anything I hacked together a couple of bash scripts
>                 to make it a bit easier.
> 
>                 https://github.com/antevens/letsencrypt-freeipa
> 
>                 Thanks for all the great work and depending on my schedule I
>                 might try to contribute a bit more going forward.
> 
> 
>             This looks very cool. I haven't executed it yet but from
>             reading the scripts here are a few ideas/suggestions.
> 
>             - it may be better to get the kerberos realm from
>               /etc/ipa/default.conf
>             - I have the feeling this requires at least IPA v4.5.0. Probably
>               worthwhile to document which version(s) are known to work
>             - A cronjob wouldn't be necessary if certmonger was used to
>               do the renewal. The script would need to be modified to work
>               as a certmonger CA but then it could handle restarting the
>               services, etc.
> 
>             rob
> 
> 
> 
> 
>         _______________________________________________
>         FreeIPA-devel mailing list --
>         freeipa-devel@lists.fedorahosted.org
>         <mailto:freeipa-devel@lists.fedorahosted.org>
>         To unsubscribe send an email to
>         freeipa-devel-le...@lists.fedorahosted.org
>         <mailto:freeipa-devel-le...@lists.fedorahosted.org>
> 
> 
> 
> 
> 
> -- 
> Antonia Stevens
> a...@antevens.com
> +1 416 888 6908