Daniel Pätzold via FreeIPA-users wrote:
> Dear Group/Maintainers,
>
> I had some work getting FreeIPA to work with Letsencrypt certificates behind an ACME-enabled proxy (here Caddy).
>
> Finally I got it working :)
>
> Maybe someone would write the hints in some docs for others to learn how to get this working. Or maybe someone has a trick to do it better.
>
> It's worth mentioning that if the certificates get outdated, NO UPDATE OF THE CERTS works any more. I had it once and I needed to manually fake the host's date to get it working again. So it's important to have the script running straight away when the Letsencrypt certs are renewed.
>
> This is the script I run every day to ensure that imports are done:
>
> #!/bin/bash
> # FQDN="ipa.domain.com"
> # or:
> FQDN=$(hostname -f)
> # This is the path of the caddy ACME client's certificates:
> cd /etc/letsencrypt/caddy/certificates/acme-v02.api.letsencrypt.org-directory/$FQDN
>
> #
> ## Letsencrypt root certificate (only needed the first time or when expired, see https://letsencrypt.org/certificates/)
> #curl https://letsencrypt.org/certs/isrgrootx1.pem > isrgrootx1.pem
> #
>
> # Install the root CA into FreeIPA
> ipa-cacert-manage install isrgrootx1.pem
> # Split the chain into its constituent certificates, as the commands only support one certificate at a time
> csplit -f cert ${FQDN}.crt '/-----BEGIN CERTIFICATE-----/' '{*}'
> # The second part (cert02) should be the CA signing the key (intermediate), so it's the right one:
> ipa-cacert-manage -p 'IPAPASSWORD' -t C,, install cert02
> ipa-certupdate
>
> # Not important: full chain
> #cat /etc/letsencrypt/caddy/certificates/acme-v02.api.letsencrypt.org-directory/$FQDN/$FQDN.crt isrgrootx1.pem > fullchain.pem
> #
> # Finally import certificate and key into FreeIPA
> ipa-server-certinstall -d -w $FQDN.crt $FQDN.key --pin='WEBSERVERPIN' -p 'IPAPASSWORD' && ipactl restart
For what it's worth, you're doing essentially the same as we do with certs for our demo site; code at https://github.com/freeipa/freeipa-letsencrypt

Both have a pretty significant downside in that the roots, and in our case the intermediates, are hardcoded. This is less than ideal. A user submitted a patch, https://github.com/freeipa/freeipa-letsencrypt/pull/49 but we haven't merged it yet.

This is a project we work on in our spare time, which is rather rare, so it doesn't see a lot of love unless it affects the demo site. It's unfortunate but time is a commodity.

rob

--
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
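An added example, not from either poster or from the freeipa-letsencrypt project, addressing the hardcoded-intermediate problem raised above: rather than trusting that csplit piece cert02 is the issuing CA, it classifies every certificate in the ACME client's chain file by its basic constraints and subject/issuer, and checks that the leaf chains to the trusted root through the selected intermediate and matches the private key before anything is imported. It assumes openssl and awk are available; all file names are constructed.

```shell
#!/bin/bash
# Added example (not from either poster): instead of assuming that csplit piece
# cert02 is the issuing CA, classify every certificate in the ACME client's
# chain file and verify the leaf before anything is imported into FreeIPA.
# Assumes openssl and awk are installed; file names here are constructed.
set -eu

# Split a PEM bundle into one file per certificate under directory $2.
# Prints the file names in bundle order (cert01.pem is normally the leaf).
split_chain() {
    local bundle="$1" outdir="$2"
    mkdir -p "$outdir"
    awk -v dir="$outdir" \
        '/-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert%02d.pem", dir, n) }
         n { print > f }' "$bundle"
    ls "$outdir"/cert*.pem
}

# Classify one certificate as "leaf" (no CA:TRUE basic constraint),
# "root" (CA whose issuer equals its subject) or "intermediate".
cert_role() {
    local f="$1" subj iss
    subj=$(openssl x509 -in "$f" -noout -subject); subj=${subj#subject=}
    iss=$(openssl x509 -in "$f" -noout -issuer);   iss=${iss#issuer=}
    if ! openssl x509 -in "$f" -noout -text | grep -A1 'Basic Constraints' | grep -q 'CA:TRUE'; then
        echo leaf
    elif [ "$subj" = "$iss" ]; then
        echo root
    else
        echo intermediate
    fi
}

# Print only the intermediate CA files: these are what ipa-cacert-manage
# should import, wherever they happen to sit in the bundle.
intermediates_in() {
    local f
    for f in "$@"; do
        [ "$(cert_role "$f")" = intermediate ] && echo "$f"
    done
    return 0
}

# Refuse to proceed unless the leaf chains to the trusted root through the
# selected intermediate and its public key matches the private key.
verify_leaf() {
    local leaf="$1" key="$2" inter="$3" root="$4"
    openssl verify -CAfile "$root" -untrusted "$inter" "$leaf" >/dev/null || return 1
    [ "$(openssl x509 -in "$leaf" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout)" ]
}
```

With the layout from the thread, this replaces the fixed `install cert02` step: import each file printed by intermediates_in with ipa-cacert-manage, and run verify_leaf against isrgrootx1.pem before calling ipa-server-certinstall.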
