FreeIPA with letsencrypt

[farazbyk]

Hi Team,

I've been trying to set up letsencrypt with your FreeIPA but its getting failed when I run ipa-certupdate

Can you update your FreeIPA project with letsencrypt like --setup-ca with letsencrypt ?

[dawud]

FreeIPA can be configured in three modes:

• Self-signed: the default option, PKI uses a self-signed CA certificate
• External CA: when --external-ca option is used, ipa-server-install produces a certificate certificate request for it's CA certificate so that it can be properly chained in existing PKI infrastructure.
• CA-less: FreeIPA with CA-less configuration does not set up PKI server at all and only accepts signed certificates for the Web Server and Directory Server components.

In the first case above, Let's Encrypt is not involved.

In the second, you would need LE to support issuing sub CAs, which is not the case.

You can configure FreeIPA in CA-less mode, for the HTTP and LDAP services.

That said, LE certificates are short lived on purpose, what is the motivation to use them in FreeIPA?

[farazbyk]

Thanks for your reply Dawud The reason to install letsencrypt is to have free certificates which will not give https warning. For CA-Less environment we cant manage failover like promote replica to master if something happens to master. is that true ?

[flo-renaud]

Hi @farazbyk there is no difference between CA-less and CA-full environment from a failover point of view. In a CA-less env, the replicas and master contain the same data and they are functionally equivalent (if you install DNS, AD controller etc on all replicas). What made you think that failover would not work in CA-less env?

I've been trying to set up letsencrypt with your FreeIPA but its getting failed when I run ipa-certupdate

Could you provide your installation steps and the ipa-certupdate error?

[farazbyk]

@flo-renaud check below link in which it shows replica promotion to master using CA role https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/moving-crl-gen-old note sure in CA-Less case, this promotion is dependent on CA role for Replica

[flo-renaud]

Hi @farazbyk These steps need to be run only if the topology has an embedded CA. For CA-less env, all the servers are equivalent and failover does not require to set a master CA server. I opened doc bugs in order to clarify this point (RHEL8: 1784281 and 1784284, RHEL7: 1784286).

[farazbyk]

Thanks @flo-renaud really appreciate your replies & saw you opened bugs at redhat, however I still have some questions :( If failover does not need in CA-Less because of equivalent servers , so is it good to have on board ? Also what about is it a secure way have CA-Less ? what about letsencrypt with CA-Less is it doable ?

[flo-renaud]

Hi @farazbyk I'm not sure I got your question correctly:

If failover does not need in CA-Less because of equivalent servers , so is it good to have on board ?

In a CA-less env, you need to make sure that the replicas provide the same roles. For instance if you installed the DNS on master1 and on master2, and master1 crashes, master2 will be able to provide the same services without any intervention. The important thing is that the clients need to be installed without fixed server (see the section "The Failover Mechanism" in ipa-client-install man page).

Regarding the 2nd point:

Also what about is it a secure way have CA-Less ?

Yes, the only difference is that your IdM won't provide CA services, meaning it won't be able to issue certificates for users/hosts/services and won't automatically renew the LDAP HTTPd and PKINIT certs.

what about letsencrypt with CA-Less is it doable ?

In CA-less you need to provide LDAP/HTTPd/PKINIT server certificates. They can be issued by let's encrypt, provided they contain all the expected extensions. You can find an example at https://github.com/freeipa/freeipa-letsencrypt that is replacing the HTTPd cert with a let's encrypt cert.

[farazbyk]

@flo-renaud Thanks again for the reply.

In my case setup-dns=no , So DNS will not be used in my case then how it behaves with no dns ?

You can find an example at https://github.com/freeipa/freeipa-letsencrypt that is replacing the HTTPd cert with a let's encrypt cert.

I tried this and this is the one who's failing when updating the certificates for freeipa (LDAP/HTTPd/PKINIT)

[flo-renaud]

@farazbyk

In my case setup-dns=no , So DNS will not be used in my case then how it behaves with no dns ?

I may not have been clear enough. If the master is installed with services A,B,C and the replica also has A,B,C then failover is working. In your case, you have no CA, no DNS on the master, meaning you need no CA, no DNS on replica. Failover of the other services will work with no problem (LDAP, Kerberos, HTTP, NTP or chronyd if configured, etc...)

I tried this and this is the one who's failing when updating the certificates for freeipa (LDAP/HTTPd/PKINIT)

Then I would advise to ask for help on the freeipa-users mailing list (freeipa-users@lists.fedorahosted.org). Please provide the exact commands that you ran and their output.

[farazbyk]

Thanks @flo-renaud for answering my queries , will get back to you with exact commands on which I got errors

[farazbyk]

I have one more question , I deleted my master server and now I'm getting error when adding users & groups and host. Any help in this regards ? Operations error: Allocation of a new value for range cn=posix ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config failed! Unable to proceed."

ipa config-show Maximum username length: 32 Home directory base: /home Default shell: /bin/sh Default users group: ipausers Default e-mail domain: xyz.com Search time limit: 2 Search size limit: 100 User search fields: uid,givenname,sn,telephonenumber,ou,title Group search fields: cn,description Enable migration mode: FALSE Certificate Subject base: O=XYZ.COM Password Expiration Notification (days): 4 Password plugin features: AllowNThash, KDC:Disable Last Success SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$sysadm_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023 Default SELinux user: unconfined_u:s0-s0:c0.c1023 Default PAC types: MS-PAC, nfs:NONE IPA masters: ipatest2.xyz.com, ipatest3.xyz.com IPA master capable of PKINIT: ipatest2.xyz.com, ipatest3.xyz.com IPA CA servers: ipatest2.xyz.com, ipatest3.xyz.com IPA CA renewal master: ipatest3.xyz.com

Deleted Master Server: ipatest1.xyz.com

[flo-renaud]

Hi @farazbyk this is a known issue, please check ticket 5070. The ticket contains a link to a blog post from @rcritten that explains how to fix the problem: freeipa and no dna range

[farazbyk]

Thanks @flo-renaud issue fixed , can you share what other cases can be raised if master gets halted or terminated ?

[farazbyk]

I'm also in process to setup SNI with AWS application load balancer, I'm getting permission denied 403 when accessing URL for freeipa through ALB. I've uploaded letsencrypt certificates to setup host based load balancing, can you share how your freeipa project can be integrated with SNI ?

[flo-renaud]

Thanks @flo-renaud issue fixed , can you share what other cases can be raised if master gets halted or terminated ?

It is recommended to always install a replica hosting the same services as the svcs configured on the master: CA, KRA, DNS, AD trust controller/agent. This way, it your initial master fails, at least another node is able to take over. There are 2 specific roles that cannot be enabled to 2 nodes at the same time: the CA renewal master and the CRL generation master. If the master was hosting those roles and fails, you need to manually switch the roles to another replica. Please see https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/configuring_and_managing_identity_management/ipa-ca-renewal_configuring-and-managing-idm and https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/configuring_and_managing_identity_management/generating-crl-on-the-idm-ca-server_configuring-and-managing-idm.

[farazbyk]

In my case I'm not using DNS setup-dns=no , yes CA renewal process is manual which is currently I'm doing to promote replica to master. I'm stuck now at load balancing i'm getting 403 on load balancer due to kerbros authentication , how it can be fixed ?

[flo-renaud]

Hi @farazbyk there are a few blog posts explaining the challenges and limitations related to load balancers and IdM. For instance:

• https://www.redhat.com/en/blog/identity-management-and-load-balancing-red-hat-enterprise-linux
• https://ssimo.org/blog/id_019.html
• https://www.adelton.com/freeipa/freeipa-behind-load-balancer

[farazbyk]

Thanks @flo-renaud for the such help, we are not using the load balancer but i'm installing letsencrypt certificates on master its giving me below error using ansible openssl module:

• name: Change PKCS#12 file permission openssl_pkcs12: action: export path: /etc/ssl/{{ domain_letsencrypt }}/{{ domain_letsencrypt }}.p12 friendly_name: "{{ domain_letsencrypt }}" privatekey_path: /etc/ssl/{{ domain_letsencrypt }}/{{ domain_letsencrypt }}.key certificate_path: /etc/ssl/{{ domain_letsencrypt }}/{{ domain_letsencrypt }}.crt other_certificates: /etc/ssl/{{ domain_letsencrypt }}/ansible_full_ca.crt passphrase: "{{ freeipa_adm_pass_vault }}" state: present mode: '0600'

ipa-server-certinstall -w -d ipa.abc.com.p12 --pin=123 -p 123 The full certificate chain is not present in ipa.abc.com.p12 The ipa-server-certinstall command failed.

And when running directly through command line using below openssl pkcs12 -export -chain -CAfile ansible_full_ca.crt -in ipa.abc.com.crt -inkey ipa.abc.com.key -name ipa.abc.com -out 1-ipa.abc.com.p12 -passout pass:123

ipa-server-certinstall -w -d ipa.abc.com.p12 --pin=123 -p 123 Peer's certificate issuer is not trusted (certutil: certificate is invalid: Peer's Certificate issuer is not recognized. ). Please run ipa-cacert-manage install and ipa-certupdate to install the CA certificate. The ipa-server-certinstall command failed.

I'm using intermediate and DSTRootCAX3 certificate for full certificate chain, would help me to fix above errors ?

[farazbyk]

same module worked on other public facing ec2 instances, but now I'm using private subnet on ec2 with NAT gateway

[flo-renaud]

@farazbyk as the error message hints, you need to use ipa-cacert-manage install.

1. Install DSTRootCAX3 cert with ipa-cacert-manage install -t CT,C,C <path/to/X3cert>
2. Install the intermediate cert with ipa-cacert-manage instal -t CT,C,C </path/to/intermediatecert>
3. run ipa-certupdate on all IdM nodes (master/replicas/clients)
4. retry ipa-server-certinstall

I believe it's already well documented in https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/linux_domain_identity_authentication_and_policy_guide/index#third-party-certs-http-ldap in the "Prerequisite" note.

[farazbyk]

Thanks @flo-renaud I found that already and issue is fixed (y)

[farazbyk]

It was fixed but now it got successful on ipa-certupdate but failing the ldap.

[root@ipa7 ipa7.abc.com]#ipa-cacert-manage -p abc123 install ipa7.abc_full_ca.crt -t C,, Installing CA certificate, please wait Verified CN=DST Root CA X3,O=Digital Signature Trust Co. Verified CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US CA certificate successfully installed The ipa-cacert-manage command was successful

[root@ipa7 ipa7.abc.com]#ipa-certupdate -v

papython.ipautil: DEBUG: stderr= ipaplatform.redhat.tasks: INFO: Systemwide CA database updated. ipalib.backend: DEBUG: Destroyed connection context.rpcclient_140511430563088 ipapython.admintool: INFO: The ipa-certupdate command was successful

[root@ipa7 ipa7.abc.com]# ipactl restart Failed to read data from Directory Service: Unknown error when retrieving list of services from LDAP: need more than 1 value to unpack Shutting down

[flo-renaud]

Hi @farazbyk as your most recent issue is different from the initial one, I suggest to move this conversation to freeipa-users mailing list (freeipa-users@lists.fedorahosted.org). You can run "ipactl restart -d" to have more information and provide the output in your e-mail to freeipa-users.