Dear Group/Maintainers, I had some work getting FreeIPA to work with Let's Encrypt certificates behind an ACME-enabled proxy (here Caddy).

Finally I got it working :) Maybe someone would write the hints into some docs for others to learn how to get this working. Or maybe someone has a trick to do it better.

It's worth mentioning that if the certificates get outdated, NO UPDATE OF THE CERTS works any more. I had it once and I needed to manually fake the host's date to get it working again. So it's important to have the script running right when the Let's Encrypt certs are renewed.

This is my script that I run every day to ensure that the imports are done:

#!/bin/bash
#
FQDN="ipa.domain.com"
# or: FQDN=$(hostname -f)

# This is the path of the Caddy ACME client:
cd /etc/letsencrypt/caddy/certificates/acme-v02.api.letsencrypt.org-directory/$FQDN || exit 1
#
## Let's Encrypt root certificate (only needed the first time or when expired, see https://letsencrypt.org/certificates/)
#curl https://letsencrypt.org/certs/isrgrootx1.pem > isrgrootx1.pem
#
# Install the root CA into FreeIPA (-p so the daily run does not block on a password prompt)
ipa-cacert-manage -p 'IPAPASSWORD' install isrgrootx1.pem

# Split the bundle into its individual certificates, as the commands only support one certificate at a time
csplit -f cert ${FQDN}.crt '/-----BEGIN CERTIFICATE-----/' '{*}'
# The second part (cert02) should be the CA signing the key (intermediate) - so it's the right one:
ipa-cacert-manage -p 'IPAPASSWORD' -t C,, install cert02
ipa-certupdate

# Not important: full chain
#cat /etc/letsencrypt/caddy/certificates/acme-v02.api.letsencrypt.org-directory/$FQDN/$FQDN.crt isrgrootx1.pem > fullchain.pem
#
# Finally import certificate and key into FreeIPA
ipa-server-certinstall -d -w $FQDN.crt $FQDN.key --pin='WEBSERVERPIN' -p 'IPAPASSWORD' && ipactl restart

--
Kind regards
Daniel Pätzold
--
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
