freeipa / freeipa-letsencrypt

A quick hack allowing to use Let's Encrypt certificates for FreeIPA web interface.

non-public domain for IPA https interface #10

Closed j4jes closed 3 years ago

j4jes commented 6 years ago

I'm on CentOS 7, so I changed dnf to yum in the script and added 'kinit admin', and this is the error I get below. Yes, I'm using IPA on a private LAN without any public web server, so obviously I'm using a non-public domain suffix "MEANEY.LAB". I thought maybe your script could help me get around the fact that certbot won't create certs for internal IPs / domains?

ipa.ipaclient.ipa_certupdate.CertUpdate: DEBUG: modifying certmonger request '20161221203330'
ipa: DEBUG: Starting external process
ipa: DEBUG: args=/usr/bin/certutil -d /etc/ipa/nssdb -L -n IPA CA -a
ipa: DEBUG: Process finished, return code=255
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=certutil: Could not find cert: IPA CA : PR_FILE_NOT_FOUND_ERROR: File not found

ipa: DEBUG: Starting external process
ipa: DEBUG: args=/usr/bin/certutil -d /etc/ipa/nssdb -L -n External CA cert -a
ipa: DEBUG: Process finished, return code=255
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=certutil: Could not find cert: External CA cert : PR_FILE_NOT_FOUND_ERROR: File not found

ipa: DEBUG: Starting external process
ipa: DEBUG: args=/usr/bin/certutil -d /etc/ipa/nssdb -A -n MEANEY.LAB IPA CA -t CT,C,C
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=
ipa: DEBUG: Starting external process
ipa: DEBUG: args=/usr/bin/certutil -d /etc/ipa/nssdb -A -n MEANEY.LAB IPA CA -t CT,C,C
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=
ipa: DEBUG: Starting external process
ipa: DEBUG: args=/usr/bin/certutil -d /etc/ipa/nssdb -A -n DSTRootCAX3 -t C,,
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=
ipa: DEBUG: Starting external process
ipa: DEBUG: args=/usr/bin/certutil -d /etc/ipa/nssdb -A -n letsencryptx3 -t C,,
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=
ipa: DEBUG: Starting external process
ipa: DEBUG: args=/usr/bin/update-ca-trust
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=
ipa: INFO: Systemwide CA database updated.
ipa: DEBUG: Starting external process
ipa: DEBUG: args=/usr/bin/update-ca-trust
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=
ipa: INFO: Systemwide CA database updated.
ipa.ipaclient.ipa_certupdate.CertUpdate: INFO: The ipa-certupdate command was successful
Redirecting to /bin/systemctl stop httpd.service
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
An unexpected error occurred:
The request message was malformed :: Error creating new authz :: Name does not end in a public suffix
Please see the logfiles in /var/log/letsencrypt for more details.
root@cortex:~/ipa-le #

j4jes commented 6 years ago

root@cortex:~/ipa-le # cat /var/log/letsencrypt/letsencrypt.log | grep error
"type": "urn:acme:error:malformed",
Error: urn:acme:error:malformed :: The request message was malformed :: Error creating new authz :: Name does not end in a public suffix
root@cortex:~/ipa-le #

PrimordialKangaroo commented 3 years ago

So this won't work the way you have it. You have two problems. First, you are using a private FQDN. Second, your httpd is not publicly accessible. To solve the first problem you need to go buy a domain. There are plenty of cheap ways to get that for just a few bucks a year; namecheap.com or some others are good options.

Second, your httpd server is not publicly accessible. I'm surprised that many people are using IPA with a publicly facing website, which you need in order to use the included script.

To get around this you need to run the certbot line manually from the renew-le.sh script, but make a few modifications. Remove "--standalone" and replace it with "--manual". Then add "--preferred-challenges dns". Certbot will eventually prompt you to set a DNS TXT record to prove you own it. At this point go to your domain registrar and add the TXT record in the DNS. Most registrars allow you to do this with no additional cost. I got it to work with namecheap. Hope that helps you or someone else.
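The manual DNS-01 flow described in the comment above, as an added example; this is not the repository's renew-le.sh and not code from either commenter. It assumes the FQDN and account e-mail are passed on the command line, that certbot and dig (bind-utils on CentOS) are installed, and that the name is under a publicly registered domain. The is_private_suffix check is a hypothetical shortcut: it only catches a handful of common non-public suffixes such as the ".lab" from the log above, where Let's Encrypt rejects the order with "Name does not end in a public suffix". One caveat the log also shows: that certbot still talked to acme-v01, an ACME v1 endpoint that Let's Encrypt has since shut down, so an up-to-date certbot is needed before any of this works. The wait_for_txt helper is the step people most often get wrong with --manual: it polls a public resolver for the _acme-challenge TXT record so you only press Enter at certbot's prompt once the record is actually visible.

```bash
#!/bin/sh
# Added example, not part of freeipa-letsencrypt. Assumptions: FQDN in $1,
# account e-mail in $2; certbot and dig are on PATH; the domain is public.

# Lowercase the name so "MEANEY.LAB" and "meaney.lab" are treated alike.
lc() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# Hypothetical pre-flight check: a few suffixes that are never on the public
# suffix list, so Let's Encrypt would refuse them (see the error in the log).
is_private_suffix() {
  case "$(lc "$1")" in
    *.lab|*.local|*.lan|*.internal|*.home|*.corp|*.localdomain) return 0 ;;
    *) return 1 ;;
  esac
}

# The TXT record name certbot will ask you to create for a DNS-01 challenge.
acme_record_name() { printf '_acme-challenge.%s' "$(lc "$1")"; }

# The comment's modification of the script's certbot line: --standalone is
# replaced by --manual, and --preferred-challenges dns is added. certonly
# only obtains the certificate; installing it into IPA stays a separate step.
build_certbot_cmd() {
  printf 'certbot certonly --manual --preferred-challenges dns --agree-tos -m %s -d %s' \
    "$2" "$(lc "$1")"
}

# Poll a public resolver until the TXT value certbot printed is visible.
# wait_for_txt FQDN VALUE [TRIES]  (10 s between tries); returns 1 on timeout.
wait_for_txt() {
  name=$(acme_record_name "$1")
  expected=$2
  tries=${3:-30}
  while [ "$tries" -gt 0 ]; do
    if dig +short TXT "$name" @1.1.1.1 | grep -qF "\"$expected\""; then
      return 0
    fi
    tries=$((tries - 1))
    sleep 10
  done
  return 1
}

# Only run the interactive part when invoked as a script with arguments.
if [ "${LE_RUN:-0}" = "1" ] && [ $# -ge 2 ]; then
  fqdn=$1
  email=$2
  if is_private_suffix "$fqdn"; then
    echo "refusing: $fqdn is not under a public suffix; Let's Encrypt cannot issue for it" >&2
    exit 1
  fi
  echo "Create TXT record $(acme_record_name "$fqdn") when certbot asks, then run:"
  echo "  LE_RUN=1 $0 wait $fqdn <value-from-certbot>   (in another shell)"
  echo "Running: $(build_certbot_cmd "$fqdn" "$email")"
  sh -c "$(build_certbot_cmd "$fqdn" "$email")"
elif [ "${LE_RUN:-0}" = "1" ] && [ "${1:-}" = "wait" ] && [ $# -ge 3 ]; then
  wait_for_txt "$2" "$3" && echo "record visible, press Enter in certbot" || exit 1
fi
```

Run it as `LE_RUN=1 sh le-manual.sh ipa.example.com admin@example.com`; certbot prints the TXT value and pauses, and `LE_RUN=1 sh le-manual.sh wait ipa.example.com <value>` in a second shell tells you when the record has propagated. After certbot writes /etc/letsencrypt/live/<fqdn>/, the rest of renew-le.sh (the ipa-certupdate and ipa-server-certinstall steps) still has to be run to load the certificate into IPA.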