[Freeipa-users] Re: CentOS 7 Letsencrypt CA
On Thu, May 25, 2017 at 01:39:46PM +0200, Günther J. Niederwimmer via FreeIPA-users wrote:
> Hello,
>
> after the mistake with Startcom CA (Class 3), now I look for a new
> Certificate..
>
> Is it possible and functional to install a Letsencrypt CA on a IPA-Server?
>
> I have found a script on "github" to install a Letsencript CA for FreeIPA
> (fedora), but can any tell me is this working with CentOS 7.(3).
>
> Thanks for a answer,
>

Hi,

Let's Encrypt is a trusted public CA; you can only acquire leaf certificates for TLS servers from Let's Encrypt. You cannot acquire a CA certificate from Let's Encrypt.

The script you found must be for acquiring service certificates from Let's Encrypt, for IPA-enrolled hosts/services. I do not know if it works with CentOS 7, but if it works with FreeIPA 4.x on Fedora, it will probably work with ipa-4.x on CentOS 7.

Thanks,
Fraser
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
[Freeipa-users] Re: CentOS 7 Letsencrypt CA
Günther,

The script from github works fine (https://github.com/freeipa/freeipa-letsencrypt). We use it in production on CentOS 7.

Keep in mind the script by will only configure the certificate for the web ui, and not LDAP/s. You will need a separate process for that.

Chris

On May 25, 2017 7:40:25 AM "Günther J. Niederwimmer via FreeIPA-users" wrote:
> Hello,
>
> after the mistake with Startcom CA (Class 3), now I look for a new
> Certificate..
>
> Is it possible and functional to install a Letsencrypt CA on a IPA-Server?
>
> I have found a script on "github" to install a Letsencript CA for FreeIPA
> (fedora), but can any tell me is this working with CentOS 7.(3).
>
> Thanks for a answer,
>
> --
> mit freundlichen Grüssen / best regards
>
> Günther J. Niederwimmer
[Freeipa-users] Re: CentOS 7 Letsencrypt CA
Hi,

Instead of using the Let’s Encrypt thing on the IPA server itself, I often just use it on a reverse proxy. This way the end-users see the verified CA and FreeIPA can keep doing its business.

I tried to use ACME on the IPA server in the past, but it wasn’t very well integrated and caused problems. Since only web-facing elements benefit from external CA signed certificates (for users that access it but don’t have the CA on their machine), it doesn’t actually need to be integrated with the rest of IPA.

John

> On 25 May 2017, at 13:39, Günther J. Niederwimmer via FreeIPA-users wrote:
>
> Hello,
>
> after the mistake with Startcom CA (Class 3), now I look for a new
> Certificate..
>
> Is it possible and functional to install a Letsencrypt CA on a IPA-Server?
>
> I have found a script on "github" to install a Letsencript CA for FreeIPA
> (fedora), but can any tell me is this working with CentOS 7.(3).
>
> Thanks for a answer,
>
> --
> mit freundlichen Grüssen / best regards
>
> Günther J. Niederwimmer