[Freeipa-devel] Re: freeIPA certificate with Let’s Encrypt
I actually had Rob Crittenden point that issue out to me and encourage me to work on this after I created the shell scripts as a quick fix to solve our immediate internal need. Now I'm dreaming of a day where I can automatically issue and renew certs signed by a publicly trusted CA across our entire infrastructure, internal and external. I've been playing around with APIs and libraries for a couple of days now and I think the most promising approach is to create one library/project that's both a plugin for Certbot (the official ACME/Let's Encrypt client) and a helper for Certmonger at the same time. This would allow any server with Certbot installed to authenticate using FreeIPA/DNS and allow any server with Certmonger to get Let's Encrypt certs.

Any/All suggestions are welcome.

On Wed, Jan 3, 2018 at 4:46 AM, Martin Kosek wrote:
> On 01/02/2018 12:16 PM, Antonia Stevens via FreeIPA-devel wrote:
> > Hey Martin and Paride,
> >
> > There are also some scripts which use DNS auth and allow multiple DNS
> > names/aliases/principals:
> >
> > https://github.com/antevens/letsencrypt-freeipa
> >
> > In addition to that I recently started work on a Certmonger helper which
> > would allow one to use Let's Encrypt certs for the entire infrastructure
> > automatically:
> >
> > https://github.com/antevens/cerlet
>
> Cool! Sounds quite interesting! We have thought about supporting Let's
> Encrypt/ACME in FreeIPA/certmonger also:
> https://pagure.io/freeipa/issue/4751
> but did not get to it yet.
>
> Martin

--
Antonia Stevens
a...@antevens.com
+1 416 888 6908

___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
[Freeipa-devel] Re: freeIPA certificate with Let’s Encrypt
On 01/02/2018 12:16 PM, Antonia Stevens via FreeIPA-devel wrote:
> Hey Martin and Paride,
>
> There are also some scripts which use DNS auth and allow multiple DNS
> names/aliases/principals:
>
> https://github.com/antevens/letsencrypt-freeipa
>
> In addition to that I recently started work on a Certmonger helper which
> would allow one to use Let's Encrypt certs for the entire infrastructure
> automatically:
>
> https://github.com/antevens/cerlet

Cool! Sounds quite interesting! We have thought about supporting Let's
Encrypt/ACME in FreeIPA/certmonger also:
https://pagure.io/freeipa/issue/4751
but did not get to it yet.

Martin
[Freeipa-devel] Re: freeIPA certificate with Let’s Encrypt
Hey Martin and Paride,

There are also some scripts which use DNS auth and allow multiple DNS names/aliases/principals:

https://github.com/antevens/letsencrypt-freeipa

In addition to that I recently started work on a Certmonger helper which would allow one to use Let's Encrypt certs for the entire infrastructure automatically:

https://github.com/antevens/cerlet

--
Antonia Stevens
a...@antevens.com
+1 416 888 6908

On Tue, Jan 2, 2018 at 4:54 AM, Martin Kosek via FreeIPA-devel <freeipa-devel@lists.fedorahosted.org> wrote:
> On 12/21/2017 09:27 AM, paride.buetti--- via FreeIPA-devel wrote:
> > Here is the procedure to use Let’s Encrypt certificate with freeIPA
> >
> > Download isrgrootx1 certificate:
> >
> > # wget https://letsencrypt.org/certs/isrgrootx1.pem.txt
> > # mv isrgrootx1.pem.txt isrgrootx1.pem
> >
> > Download letsencryptauthorityx3 certificate:
> >
> > # wget https://letsencrypt.org/certs/letsencryptauthorityx3.pem.txt
> > # mv letsencryptauthorityx3.pem.txt letsencryptauthorityx3.pem
> >
> > Install CA to freeIPA
> >
> > # ipa-cacert-manage install isrgrootx1.pem -n ISRGRootX1 -t ,,
> > # ipa-cacert-manage install letsencryptauthorityx3.pem -n letsencryptx3 -t C,,
> >
> > I added DSTRootCAX3 certificate, but I'm not sure if it's necessary
> >
> > # create a file DSTRootCAX3.pem with the content of https://www.identrust.com/certificates/trustid/root-download-x3.html
> > # ipa-cacert-manage install DSTRootCAX3.pem -n DSTRootCAX3 -t ,,
> >
> > Update certificates
> >
> > # kinit admin
> > # ipa-certupdate
> >
> > Install Let’s Encrypt certificate (I used a DNS-01 challenge: http://letsencrypt.readthedocs.io/en/latest/challenges.html)
> >
> > # ipa-server-certinstall -w -d /etc/letsencrypt/live/your.doma.in/privkey.pem /etc/letsencrypt/live/your.doma.in/fullchain.pem --pin=
> >
> > Restart the system
> >
> > # systemctl restart httpd.service
> > # systemctl restart dirsrv@BLACKPOINTS-CH.service
> >
> > or
> >
> > # ipactl restart
> >
> > That's all
>
> Thanks for contributing! FreeIPA actually has some shared scripts
> already hosted in the team's GitHub repo:
>
> https://github.com/freeipa/freeipa-letsencrypt
>
> that look quite similar to what you came up with. Maybe you want to
> either use or contribute to these shared scripts?
>
> Martin
[Freeipa-devel] Re: freeIPA certificate with Let’s Encrypt
On 12/21/2017 09:27 AM, paride.buetti--- via FreeIPA-devel wrote:
> Here is the procedure to use Let’s Encrypt certificate with freeIPA
>
> Download isrgrootx1 certificate:
>
> # wget https://letsencrypt.org/certs/isrgrootx1.pem.txt
> # mv isrgrootx1.pem.txt isrgrootx1.pem
>
> Download letsencryptauthorityx3 certificate:
>
> # wget https://letsencrypt.org/certs/letsencryptauthorityx3.pem.txt
> # mv letsencryptauthorityx3.pem.txt letsencryptauthorityx3.pem
>
> Install CA to freeIPA
>
> # ipa-cacert-manage install isrgrootx1.pem -n ISRGRootX1 -t ,,
> # ipa-cacert-manage install letsencryptauthorityx3.pem -n letsencryptx3 -t C,,
>
> I added DSTRootCAX3 certificate, but I'm not sure if it's necessary
>
> # create a file DSTRootCAX3.pem with the content of https://www.identrust.com/certificates/trustid/root-download-x3.html
> # ipa-cacert-manage install DSTRootCAX3.pem -n DSTRootCAX3 -t ,,
>
> Update certificates
>
> # kinit admin
> # ipa-certupdate
>
> Install Let’s Encrypt certificate (I used a DNS-01 challenge: http://letsencrypt.readthedocs.io/en/latest/challenges.html)
>
> # ipa-server-certinstall -w -d /etc/letsencrypt/live/your.doma.in/privkey.pem /etc/letsencrypt/live/your.doma.in/fullchain.pem --pin=
>
> Restart the system
>
> # systemctl restart httpd.service
> # systemctl restart dirsrv@BLACKPOINTS-CH.service
>
> or
>
> # ipactl restart
>
> That's all

Thanks for contributing! FreeIPA actually has some shared scripts already hosted in the team's GitHub repo:

https://github.com/freeipa/freeipa-letsencrypt

that look quite similar to what you came up with. Maybe you want to either use or contribute to these shared scripts?

Martin
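Paride's procedure uses a DNS-01 challenge and Antonia's scripts authenticate through FreeIPA DNS; as an added example that is not part of this thread nor of either linked project, here is a Certbot manual auth/cleanup hook that answers DNS-01 by writing the `_acme-challenge` TXT record through the `ipa` CLI under a dedicated DNS-only principal. `IPA_DNS_ZONE`, `IPA_KEYTAB`, `IPA_PRINCIPAL` and the keytab path are assumptions, not values from the thread.

```shell
#!/bin/sh
# Certbot manual hook for DNS-01 against FreeIPA-managed DNS (added example,
# not from the thread or the linked projects).
# Assumed environment (not from the page): IPA_DNS_ZONE is the IPA zone that
# contains the host name; IPA_KEYTAB/IPA_PRINCIPAL identify a service
# principal granted only a narrowly scoped DNS-update permission, so a
# compromised web host cannot touch other IPA objects.
# Certbot itself exports CERTBOT_DOMAIN and CERTBOT_VALIDATION to the hooks.
set -eu

# Relative record name for the ACME TXT record inside the zone.
# Prints "_acme-challenge" when the host name is the zone apex.
acme_record_name() {
    host=$1
    zone=$2
    case "$host" in
        "$zone")   printf '_acme-challenge\n' ;;
        *."$zone") printf '_acme-challenge.%s\n' "${host%.$zone}" ;;
        *) printf 'error: %s is not inside zone %s\n' "$host" "$zone" >&2
           return 1 ;;
    esac
}

# Kerberos login for the restricted DNS principal (keytab path is assumed).
ipa_login() {
    kinit -k -t "${IPA_KEYTAB:-/etc/letsencrypt/ipa-dns.keytab}" \
          "${IPA_PRINCIPAL:-acme-dns/$(hostname -f)}"
}

# Usage:
#   certbot certonly --manual --preferred-challenges dns \
#       --manual-auth-hook '/usr/local/sbin/ipa-acme-hook auth' \
#       --manual-cleanup-hook '/usr/local/sbin/ipa-acme-hook cleanup' \
#       -d ipa.your.doma.in
case "${1:-}" in
    auth)
        name=$(acme_record_name "$CERTBOT_DOMAIN" "$IPA_DNS_ZONE")
        ipa_login
        ipa dnsrecord-add "$IPA_DNS_ZONE" "$name" --txt-rec="$CERTBOT_VALIDATION"
        # Give the authoritative server time to serve the record before the
        # CA queries it.
        sleep 10
        ;;
    cleanup)
        name=$(acme_record_name "$CERTBOT_DOMAIN" "$IPA_DNS_ZONE")
        ipa_login
        ipa dnsrecord-del "$IPA_DNS_ZONE" "$name" --txt-rec="$CERTBOT_VALIDATION"
        kdestroy
        ;;
esac
```

The cleanup branch removes exactly the TXT value that was added, so stale challenge records do not accumulate in the zone between renewals.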