[Freeipa-users] Re: Custom ssl cert for freeipa docker

Fri, 25 Aug 2023 03:55:01 -0700 

I thought I had it running correctly, at the beginning it was working, but 
unfortunately the certificates were not updated/replaced. So I got the expired 
certificate warning when trying to access the freeipa UI.
I’m running on docker based freeipa-server:rocky-9-4.10.0 and tried the 
following setup/files.

1-get-ca-certs.sh file:
#!/bin/bash
mkdir -p /srv/freeipa/ssl/{live,ca}
CERTS=("isrgrootx1.pem" "isrg-root-x2.pem" "lets-encrypt-r3.pem" 
"lets-encrypt-e1.pem" "lets-encrypt-r4.pem" "lets-encrypt-e2.pem")
for CERT in "${CERTS[@]}"
do
  curl -o /srv/freeipa/ssl/ca/$CERT "https://letsencrypt.org/certs/$CERT";
done

Then executed:
. /1-get-ca-certs.sh
podman cp /srv/freeipa/ssl/ freeipa-server:/tmp/


2-install-ca-certs.sh file:
CERTS=("isrgrootx1.pem" "isrg-root-x2.pem" "lets-encrypt-r3.pem" 
"lets-encrypt-e1.pem" "lets-encrypt-r4.pem" "lets-encrypt-e2.pem")
for CERT in "${CERTS[@]}"
do
  podman exec freeipa-server ipa-cacert-manage install /tmp/ssl/ca/$CERT
done


Then executed:
./2-install-ca-certs.sh:
podman exec freeipa-server ipa-certupdate


ipa-server-certinstall.sh file:
#!/bin/bash
runuser -l MYUSER -c 'podman exec -i freeipa-server ipa-server-certinstall -w 
-d /tmp/ssl/live/my-domain.com.key /tmp/ssl/live/my-domain.com.cer'


And an auto expect script, which was used in a cron job to utilise 
ipa-server-certinstall.sh. But obviously “podman cp /srv/freeipa/ssl/ 
freeipa-server:/tmp/“ (copy over ssl files into the container) and 
”/usr/bin/expect /root/ipa-server-certinstall.exp” (execute 
ipa-server-certinstall.sh) wasn’t enough otherwise the cert wouldn’t expire.

When I execute it manually I get: “cannot connect to 
'https://freeipa1.my-domain.com:443/acme/directory': [SSL: 
CERTIFICATE_VERIFY_FAILED] certificate verify failed: certificate has expired 
(_ssl.c:1129)
The ipa-server-certinstall command failed.”

How can I renew the expired certificate? 
Thanks, appreciate any help.
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

Reply via email to