John Spooner via FreeIPA-users wrote:
> Hello,
> I have been tasked with installing FreeIPA in our environment to help manage 
> certificates for Postgres, NGINX and RabbitMQ. I am completely new to the 
> administrative side of certificates, so I may have made some incorrect 
> assumptions. We have decided to use LetsEncrypt as our external CA, so I ran 
> the FreeIPA install:
> 
>     sudo ipa-server-install --realm MYDOMAIN.COM --domain mydomain.com --setup-dns --auto-forwarders --allow-zone-overlap --external-ca --ca-subject "CN=mydomain.com"
> 
> This produced a CSR which I have had signed by LetsEncrypt (I also tried to 
> sign the CSR with gethttpsforfree, but got the same results):
> 
>     sudo certbot --csr /root/ipa.csr --preferred-challenges dns certonly
> 
> As I understand it, it should be as simple, at this point, as rerunning 
> ipa-server-install with external-cert-file arguments for the signed CSR file 
> and the existing trust chain.
> 
>     sudo ipa-server-install --external-cert-file=/path/to/file/signed_csr.pem --external-cert-file=/etc/letsencrypt/live/mydomain.com/fullchain.pem
> 
> This results in an error I can't wrap my head around:
> 
>     ERROR: CA Certificate CN=mydomain.com in <signed CSR file>, <trust chain file> is not valid: not a CA certificate.
> 
> After getting this certificate chain in FreeIPA I plan on creating a couple 
> more layers of intermediate certificates and, eventually, create root 
> certificates for the individual services. What assumption am I making that is 
> causing this process to go sideways? I could not really find anything in the 
> volumes of documentation I have gone through so far.

I'm surprised LE issued a cert at all. It doesn't issue CA subordinate
certificates. You are not likely to find a public CA that will issue you
a subordinate CA without lots of $$$ and a ton of work due to
transparency requirements.

What is the ultimate goal for using an external CA? So that clients will
already trust the issued certificates without requiring distributing the
chain?

You can provide your own certificates for HTTP and LDAP, from LE or
elsewhere, either during the installation process or after the
installation is done. See the ipa-server-install and
ipa-server-certinstall man pages.

rob
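An added example to go with the thread above; it is not code from the thread or from the FreeIPA project. It assumes only a POSIX shell and the openssl command line (1.1.1 or later). The check it performs is an approximation of the property the "not a CA certificate" error names: the certificate handed to --external-cert-file must carry basicConstraints CA:TRUE (and keyCertSign if it has a keyUsage extension), which a certificate from a public CA such as Let's Encrypt never will. To show the difference offline, the script builds a throwaway root CA and signs one CSR twice, once as an end-entity certificate and once as a subordinate CA; the root CA, the config sections and the file names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not FreeIPA project code. Assumes only openssl >= 1.1.1.
# Approximates what ipa-server-install checks before accepting an external
# CA certificate (assumption: basicConstraints CA:TRUE, plus keyCertSign when
# keyUsage is present). All certificates below are constructed on the fly.

# is_ca_cert FILE: 0 if FILE is a PEM certificate usable as a CA,
# 1 if it is an end-entity certificate, 2 if openssl cannot parse it.
is_ca_cert() {
    text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || return 2
    printf '%s\n' "$text" | grep -q 'CA:TRUE' || return 1
    # keyUsage is optional on a CA cert, but if present it must allow cert signing
    if printf '%s\n' "$text" | grep -q 'X509v3 Key Usage'; then
        printf '%s\n' "$text" | grep -q 'Certificate Sign' || return 1
    fi
    return 0
}

# chain_verifies ROOT CERT: 0 if CERT chains to ROOT. The second
# --external-cert-file argument must supply exactly such a chain.
chain_verifies() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# make_fixtures DIR: throwaway root CA, one CSR (standing in for
# /root/ipa.csr from the thread), and that CSR signed two ways.
make_fixtures() {
    dir=$1
    cat > "$dir/ext.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_root]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_leaf]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
[v3_subca]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 \
        -config "$dir/ext.cnf" -extensions v3_root \
        -subj "/CN=Example Root CA" \
        -keyout "$dir/root.key" -out "$dir/root.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes \
        -config "$dir/ext.cnf" -subj "/CN=mydomain.com" \
        -keyout "$dir/ipa.key" -out "$dir/ipa.csr" 2>/dev/null
    # What a public CA returns for a server CSR: an end-entity certificate.
    openssl x509 -req -in "$dir/ipa.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
        -set_serial 1 -days 1 -extfile "$dir/ext.cnf" -extensions v3_leaf \
        -out "$dir/leaf.pem" 2>/dev/null
    # What --external-ca actually needs: a subordinate CA certificate.
    openssl x509 -req -in "$dir/ipa.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
        -set_serial 2 -days 1 -extfile "$dir/ext.cnf" -extensions v3_subca \
        -out "$dir/subca.pem" 2>/dev/null
}

# report FILE: one-line verdict to run before ipa-server-install --external-cert-file.
report() {
    if is_ca_cert "$1"; then
        echo "$1: CA certificate"
    else
        echo "$1: not a CA certificate (the situation in the thread)"
    fi
}

main() {
    dir=$(mktemp -d)
    make_fixtures "$dir"
    report "$dir/leaf.pem"
    report "$dir/subca.pem"
    rm -rf "$dir"
}

# Run the demonstration only when invoked as: sh this_script.sh demo
if [ "${1:-}" = "demo" ]; then
    main
fi
```

Running is_ca_cert against the Let's Encrypt output from the thread would return 1, which is the same verdict ipa-server-install gave. The alternative Rob points to, using the Let's Encrypt certificate for the HTTP and LDAP services rather than as the IPA CA, goes through ipa-server-certinstall; its man page documents the arguments.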
_______________________________________________
FreeIPA-users mailing list -- [email protected]
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]