Re: [Freeipa-users] Adding FreeIPA to an existing infrastructure

2016-04-18 Thread Jan Cholasta

On 18.4.2016 12:20, Martin Kosek wrote:
> On 04/12/2016 12:14 PM, Remco Kranenburg wrote:
>> Thanks for all the pointers. I'm tentatively moving forward with a CA-less and
>> DNS-less IPA server, with Letsencrypt certificates. I think this is also the
>> setup that is used by the demo at . Is
>> there some documentation about this setup?


> I installed this FreeIPA Demo server with Dogtag CA and then used something
> like this to set up the root cert:
>
> # do this once before taking snapshot of the VM
> dnf install letsencrypt -y
>
> ipa-cacert-manage install le-root-ca.pem -n le-root-ca -t ,,
> ipa-certupdate -v
>
> ipa-cacert-manage install le-authority-x1.pem -n le-authority-x1 -t C,,
> ipa-certupdate -v
>
> and then generated LE certificate:
>
> # generate CSR
> certutil -R -d /etc/httpd/alias/ -k Server-Cert -f /etc/httpd/alias/pwdfile.txt \
>   -s "CN=$(hostname)" --extSAN "dns:$(hostname)" -a -o /root/httpd-csr.pem
> openssl req -in /root/httpd-csr.pem -outform der -out /root/httpd-csr.der
>
> # httpd process prevents letsencrypt from working, stop it
> service httpd stop
>
> # get a new cert
> letsencrypt certonly --csr /root/httpd-csr.der --email ...@redhat.com \
>   --agree-tos
>
> # remove old cert
> certutil -D -d /etc/httpd/alias/ -n Server-Cert
> # add the new cert
> certutil -A -d /etc/httpd/alias/ -n Server-Cert -t ,, -a -i /root/_cert.pem
>
> # start httpd with the new cert
> service httpd start
>
> but you probably do not want this as you are not installing CA piece.


>> I'm trying to install a Letsencrypt
>> certificate into FreeIPA, but when I run the installation:
>>
>> ipa-server-install --http-cert-file cert.pem --http-cert-file privkey.pem
>> --dirsrv-cert-file cert.pem --dirsrv-cert-file privkey.pem
>>
>> It asks for my "Apache Server private key unlock password", even though the key
>> from Letsencrypt is not encrypted with a passphrase.


Try using empty passphrase: --http-pin= --dirsrv-pin=


>> When I give a bogus
>> password, it gives me another error:
>>
>> ipa.ipapython.install.cli.install_tool(Server): ERROR The full certificate
>> chain is not present in cert.pem, privkey.pem
>>
>> Letsencrypt provides me with a few files: cert.pem, chain.pem, fullchain.pem,
>> privkey.pem. Even when I also add chain.pem and fullchain.pem, it gives me the
>> same error.


The error is legit, you have to specify the full CA certificate chain 
using --ca-cert-file.




> CCing JanC, he is the man to help with this one.
>
> Martin




--
Jan Cholasta

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
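The two checks behind Jan's answers (an unencrypted key means an empty PIN is the right reply to the "unlock password" prompt, and the installer insists on a chain that reaches a self-signed root) can be run before ipa-server-install is ever started. The script below is an added example, not part of this thread and not FreeIPA code. It uses only the openssl CLI, builds a constructed root -> intermediate -> server PKI laid out like the files letsencrypt writes (cert.pem, privkey.pem, chain.pem, fullchain.pem; the hostname ipa.example.test and all certificate names are made up), and then reports whether the key is passphrase-free, whether it matches cert.pem, and whether the supplied bundles let the issuer chain be followed up to a self-signed root. With real files, the generated ones would be replaced by cert.pem, privkey.pem, chain.pem and the CA's root certificate.

```shell
#!/bin/sh
# Added pre-flight check for a CA-less ipa-server-install (not from the thread,
# not FreeIPA code). Before passing --http-cert-file / --dirsrv-cert-file /
# --ca-cert-file it confirms that:
#   1. the private key is not passphrase-protected (then --http-pin= and
#      --dirsrv-pin= are the right answer to the "unlock password" prompt),
#   2. the key belongs to the server certificate,
#   3. the issuer chain can be followed from the server certificate up to a
#      self-signed root using only the PEM files supplied, which is what the
#      "The full certificate chain is not present in ..." error is about.
# Only the openssl CLI is used. The three-level PKI below is constructed for the
# demo (hostname ipa.example.test is made up); with real files use cert.pem,
# privkey.pem, chain.pem and the CA's root certificate instead.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Subject or issuer of the first certificate in a PEM file, in RFC 2253 form,
# with the "subject=" / "issuer=" prefix stripped so names compare as strings.
cert_field() {  # $1 = subject|issuer, $2 = PEM file
    openssl x509 -noout -"$1" -nameopt RFC2253 -in "$2" | sed 's/^[a-z]*= *//'
}

# Split a PEM bundle such as fullchain.pem into one file per certificate.
split_pem() {  # $1 = bundle, $2 = output file prefix
    awk -v p="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = p n ".pem" }
        f                             { print > f }
        /-----END CERTIFICATE-----/   { close(f); f = "" }' "$1"
}

# True when the key file is not encrypted (PKCS#8 and legacy PEM both say ENCRYPTED).
key_unencrypted() { ! grep -q ENCRYPTED "$1"; }

# True when the public key in the certificate equals the one derived from the key.
key_matches_cert() {  # $1 = key file, $2 = cert file
    k=$(openssl pkey -in "$1" -pubout -outform DER | openssl sha256)
    c=$(openssl x509 -in "$2" -noout -pubkey | openssl pkey -pubin -outform DER | openssl sha256)
    [ "$k" = "$c" ]
}

# Walk from the server certificate through its issuers until a self-signed
# certificate is found among the supplied bundles; otherwise name the first
# issuer that is missing and fail.
chain_complete() {  # $1 = server cert, $2.. = CA bundle files
    leaf=$1; shift
    pool=$WORK/pool; rm -rf "$pool"; mkdir -p "$pool"
    i=0
    for bundle in "$@"; do i=$((i + 1)); split_pem "$bundle" "$pool/b${i}_"; done
    cur=$leaf; hops=0
    while :; do
        subj=$(cert_field subject "$cur"); iss=$(cert_field issuer "$cur")
        [ "$subj" = "$iss" ] && return 0                    # self-signed root reached
        hops=$((hops + 1)); [ "$hops" -gt 10 ] && return 1  # guard against loops
        next=
        for c in "$pool"/*.pem; do
            [ -e "$c" ] || break
            [ "$(cert_field subject "$c")" = "$iss" ] && { next=$c; break; }
        done
        [ -n "$next" ] || { echo "missing issuer certificate: $iss" >&2; return 1; }
        cur=$next
    done
}

# Constructed root -> intermediate -> server PKI, laid out like letsencrypt's
# output: cert.pem, privkey.pem, chain.pem (intermediate only), fullchain.pem.
make_test_pki() {
    d=$WORK/pki; mkdir -p "$d"
    printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj '/CN=Constructed Test Root' \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Constructed Test Intermediate' \
        -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
    openssl x509 -req -days 2 -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=ipa.example.test' \
        -keyout "$d/privkey.pem" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -days 2 -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -CAcreateserial -out "$d/cert.pem" 2>/dev/null
    cp "$d/int.pem" "$d/chain.pem"
    cat "$d/cert.pem" "$d/int.pem" > "$d/fullchain.pem"
    echo "$d"
}

PKI=$(make_test_pki)
key_unencrypted "$PKI/privkey.pem" && echo "privkey.pem has no passphrase: use --http-pin= --dirsrv-pin="
key_matches_cert "$PKI/privkey.pem" "$PKI/cert.pem" && echo "privkey.pem matches cert.pem"
# Remco's situation: neither chain.pem nor fullchain.pem contains the root.
chain_complete "$PKI/cert.pem" "$PKI/chain.pem" "$PKI/fullchain.pem" || echo "chain incomplete, as the installer reports"
# With the root included the walk succeeds; those are the files for --ca-cert-file.
chain_complete "$PKI/cert.pem" "$PKI/chain.pem" "$PKI/root.pem" && echo "chain complete up to $(cert_field subject "$PKI/root.pem")"
```

The negative case reproduces what Remco saw: letsencrypt's chain.pem and fullchain.pem carry the intermediate, not the root, so adding them still leaves the walk without a self-signed end point. The check only passes once the root certificate is among the files handed to --ca-cert-file, which is the fix Jan describes.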


Re: [Freeipa-users] Adding FreeIPA to an existing infrastructure

2016-04-18 Thread Martin Kosek
On 04/12/2016 12:14 PM, Remco Kranenburg wrote:
> Thanks for all the pointers. I'm tentatively moving forward with a CA-less and
> DNS-less IPA server, with Letsencrypt certificates. I think this is also the
> setup that is used by the demo at . Is
> there some documentation about this setup?

I installed this FreeIPA Demo server with Dogtag CA and then used something
like this to set up the root cert:


# do this once before taking snapshot of the VM
dnf install letsencrypt -y

ipa-cacert-manage install le-root-ca.pem -n le-root-ca -t ,,
ipa-certupdate -v

ipa-cacert-manage install le-authority-x1.pem -n le-authority-x1 -t C,,
ipa-certupdate -v


and then generated LE certificate:


# generate CSR
certutil -R -d /etc/httpd/alias/ -k Server-Cert -f /etc/httpd/alias/pwdfile.txt \
  -s "CN=$(hostname)" --extSAN "dns:$(hostname)" -a -o /root/httpd-csr.pem
openssl req -in /root/httpd-csr.pem -outform der -out /root/httpd-csr.der

# httpd process prevents letsencrypt from working, stop it
service httpd stop

# get a new cert
letsencrypt certonly --csr /root/httpd-csr.der --email ...@redhat.com \
  --agree-tos

# remove old cert
certutil -D -d /etc/httpd/alias/ -n Server-Cert
# add the new cert
certutil -A -d /etc/httpd/alias/ -n Server-Cert -t ,, -a -i /root/_cert.pem

# start httpd with the new cert
service httpd start


but you probably do not want this as you are not installing CA piece.

> I'm trying to install a Letsencrypt
> certificate into FreeIPA, but when I run the installation:
> 
> ipa-server-install --http-cert-file cert.pem --http-cert-file privkey.pem
> --dirsrv-cert-file cert.pem --dirsrv-cert-file privkey.pem
> 
> It asks for my "Apache Server private key unlock password", even though the 
> key
> from Letsencrypt is not encrypted with a passphrase. When I give a bogus
> password, it gives me another error:
> 
> ipa.ipapython.install.cli.install_tool(Server): ERROR The full certificate
> chain is not present in cert.pem, privkey.pem
> 
> Letsencrypt provides me with a few files: cert.pem, chain.pem, fullchain.pem,
> privkey.pem. Even when I also add chain.pem and fullchain.pem, it gives me the
> same error.

CCing JanC, he is the man to help with this one.

Martin



Re: [Freeipa-users] Adding FreeIPA to an existing infrastructure

2016-04-12 Thread Remco Kranenburg
Thanks for all the pointers. I'm tentatively moving forward with a 
CA-less and DNS-less IPA server, with Letsencrypt certificates. I think 
this is also the setup that is used by the demo at 
. Is there some documentation 
about this setup? I'm trying to install a Letsencrypt certificate into 
FreeIPA, but when I run the installation:


ipa-server-install --http-cert-file cert.pem --http-cert-file 
privkey.pem --dirsrv-cert-file cert.pem --dirsrv-cert-file privkey.pem


It asks for my "Apache Server private key unlock password", even though 
the key from Letsencrypt is not encrypted with a passphrase. When I 
give a bogus password, it gives me another error:


ipa.ipapython.install.cli.install_tool(Server): ERROR The full 
certificate chain is not present in cert.pem, privkey.pem


Letsencrypt provides me with a few files: cert.pem, chain.pem, 
fullchain.pem, privkey.pem. Even when I also add chain.pem and 
fullchain.pem, it gives me the same error.


--
Remco



[Freeipa-users] Adding FreeIPA to an existing infrastructure

2016-04-11 Thread Remco Kranenburg

Hi all,

At our company, we manage several Ubuntu web servers with SSH, and we 
use ansible scripts to automate some tasks. The web servers are hosted 
by a VPS hosting provider. Until now, we have always managed the user 
accounts manually for each server, but this is becoming increasingly 
cumbersome as we grow. To centralize our identity management, I've been 
looking into FreeIPA, but having no prior experience with this, I am 
overwhelmed by complexity.


So the first question: is FreeIPA too complex for what we are trying to 
accomplish? Should we be looking at a different solution? I do like 
some of the advanced things we can supposedly do with FreeIPA: single 
identity for everything (SSH on our servers, our Bitbucket accounts, 
our Jenkins CI server), but those are currently not hard requirements.


Some technical questions:

We currently manage our TLS certificate manually with a wildcard that 
we install on each server every year, but we will soon be moving to the 
automated system provided by Letsencrypt. Does this mean we can disable 
the Certificate Authority system provided by FreeIPA, or is the CA also 
required for other things?


We currently manage our DNS entries through the web interface of our 
hosting provider. When we introduce a new server, we simply clone a 
special clean 'image' server, change the hostname and add an A and  
record to our ISP's DNS settings. How does this interact with the 
FreeIPA DNS system? Should we disable it, or does it provide advantages?


--
Remco
