On Tue, 18 Aug 2020, John Spooner via FreeIPA-users wrote:
Hello,
I have been tasked with installing FreeIPA in our environment to help
manage certificates for Postgres, NGINX and RabbitMQ. I am completely
new to the administrative side of certificates, so I may have made some
incorrect assumptions. We have decided to use LetsEncrypt as our
external CA, so I ran the FreeIPA install:

   sudo ipa-server-install --realm MYDOMAIN.COM --domain mydomain.com --setup-dns --auto-forwarders --allow-zone-overlap --external-ca --ca-subject "CN=mydomain.com"

This produced a CSR which I have had signed by LetsEncrypt (I also
tried to sign the CSR with gethttpsforfree, but got the same
results):

Let's Encrypt does not sign external CA certificates. It only signs
server certificates.


   sudo certbot --csr /root/ipa.csr --preferred-challenges dns certonly

As I understand it, it should be as simple at this point to rerun
ipa-server-install with external-cert-file arguments for the signed CSR
file and the existing trust chain.

   sudo ipa-server-install --external-cert-file=/path/to/file/signed_csr.pem --external-cert-file=/etc/letsencrypt/live/mydomain.com/fullchain.pem

This results in an error I can't wrap my head around:

   ERROR: CA Certificate CN=mydomain.com in <signed CSR file>, <trust chain file> is not valid: not a CA certificate.

That is correct: Let's Encrypt does not produce CA certificates. You
cannot get it working this way.

After getting this certificate chain in FreeIPA I plan on creating a
couple more layers of intermediate certificates and, eventually, create
root certificates for the individual services. What assumption am I
making that is causing this process to go sideways? I could not really
find anything in the volumes of documentation I have gone through so
far.

You cannot use Let's Encrypt to issue a CA certificate. It is simply not
possible to do so.



--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
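
Added example, not part of the original thread: a certificate can act as a CA only if its basicConstraints extension asserts CA:TRUE, so the signed file can be checked before it is passed to --external-cert-file. The function names, file names and the example.test subject below are constructed for illustration; the script generates two throwaway self-signed certificates and checks each one.

```shell
#!/bin/sh
# Added example: check whether a PEM certificate is marked as a CA.
# Sample certificates are constructed locally; nothing here contacts a real CA.

is_ca_cert() {
    # Succeeds only if X509v3 Basic Constraints contains CA:TRUE.
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -A1 'X509v3 Basic Constraints' | grep -q 'CA:TRUE'
}

make_sample_cert() {
    # $1 = output PEM path, $2 = TRUE or FALSE for the CA flag.
    dir=$(mktemp -d)
    cat > "$dir/req.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
CN = example.test
[ext]
basicConstraints = critical,CA:$2
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -config "$dir/req.cnf" -keyout "$dir/key.pem" -out "$1" 2>/dev/null
    rm -rf "$dir"
}

# Demonstration on constructed input: one CA certificate, one leaf.
work=$(mktemp -d)
make_sample_cert "$work/ca.pem" TRUE
make_sample_cert "$work/leaf.pem" FALSE
for name in ca leaf; do
    if is_ca_cert "$work/$name.pem"; then
        echo "$name.pem: CA certificate"
    else
        echo "$name.pem: not a CA certificate"
    fi
done
rm -rf "$work"
```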