On 18.4.2016 12:20, Martin Kosek wrote:
On 04/12/2016 12:14 PM, Remco Kranenburg wrote:
Thanks for all the pointers. I'm tentatively moving forward with a CA-less and
DNS-less IPA server, with Letsencrypt certificates. I think this is also the
setup that is used by the demo at <https://ipa.demo1.freeipa.org/ipa/ui/>. Is
there some documentation about this setup?

I installed this FreeIPA Demo server with Dogtag CA and then used something
like this to setup the root cert:

# do this once before taking snapshot of the VM
dnf install letsencrypt -y

ipa-cacert-manage install le-root-ca.pem -n le-root-ca -t ,,
ipa-certupdate -v

ipa-cacert-manage install le-authority-x1.pem -n le-authority-x1 -t C,,
ipa-certupdate -v

and then generated LE certificate:

# generate CSR
certutil -R -d /etc/httpd/alias/ -k Server-Cert -f /etc/httpd/alias/pwdfile.txt
-s "CN=$(hostname)" --extSAN "dns:$(hostname)" -a -o /root/httpd-csr.pem
openssl req -in /root/httpd-csr.pem -outform der -out /root/httpd-csr.der

# httpd process prevents letsencrypt from working, stop it
service httpd stop

# get a new cert
letsencrypt certonly --csr /root/httpd-csr.der --email ...@redhat.com 

# remove old cert
certutil -D -d /etc/httpd/alias/ -n Server-Cert
# add the new cert
certutil -A -d /etc/httpd/alias/ -n Server-Cert -t ,, -a -i /root/0000_cert.pem

# start httpd with the new cert
service httpd start

but you probably do not want this as you are not installing CA piece.

I'm trying to install a Letsencrypt
certificate into FreeIPA, but when I run the installation:

ipa-server-install --http-cert-file cert.pem --http-cert-file privkey.pem
--dirsrv-cert-file cert.pem --dirsrv-cert-file privkey.pem

It asks for my "Apache Server private key unlock password", even though the key
from Letsencrypt is not encrypted with a passphrase.

Try using empty passphrase: --http-pin= --dirsrv-pin=

When I give a bogus
password, it gives me another error:

ipa.ipapython.install.cli.install_tool(Server): ERROR    The full certificate
chain is not present in cert.pem, privkey.pem

Letsencrypt provides me with a few files: cert.pem, chain.pem, fullchain.pem,
privkey.pem. Even when I also add chain.pem and fullchain.pem, it gives me the
same error.

The error is legit, you have to specify the full CA certificate chain using --ca-cert-file.

CCing JanC, he is the man to help with this one.


Jan Cholasta

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to