freeipa / freeipa-letsencrypt

A quick hack allowing to use Let's Encrypt certificates for FreeIPA web interface.

use httpd password file if one exists #23

Closed senare closed 3 years ago

senare commented 3 years ago

https://github.com/freeipa/freeipa-letsencrypt/issues/18

Hi, this seems to do the trick at least for me! So I would like to see that change merged?

I am not sure how to go about that but it seems I can create a PR? Hope that is fine with @thinkmassive?

(Centos8 btw ..)

thinkmassive commented 3 years ago

Fine by me, thanks for opening the PR

tomzu commented 3 years ago

Shouldn't that be "-passin" instead of "-passout"?

senare commented 3 years ago

Shouldn't that be "-passin" instead of "-passout"?

Idk, I tested using it as is and it seems to work. But I will have a look and see if I can answer that!

senare commented 3 years ago

No, I believe it's correct. It's just really confusingly named arguments ...

But we are referring to the password (file) i.e "/var/lib/ipa/passwds/$HOSTNAME-443-RSA" for the out i.e "httpd-csr.der"

REF =>> man

Pass Phrase Options

Several commands accept password arguments, typically using -passin and -passout for input and output passwords respectively. These allow the password to be obtained from a variety of sources. Both of these options take a single argument whose format is described below. If no password argument is given and a password is required then the user is prompted to enter one: this will typically be read from the current terminal with echoing turned off.

tomzu commented 3 years ago

Well, when I used the command I was prompted for input of a password (which I could not provide as it was automatically generated during setup of the freeipa-server) so I had to abort the generation. But using the -passin option the password for the private key was read from the existing password file and the generation succeeded.

zachdnvn commented 3 years ago

Interestingly enough, I'm running into issues using both -passin and -passout. While deploying a LE cert using this branch, it fails at this point

ipapython.admintool: INFO: The ipa-certupdate command was successful
/root/freeipa-letsencrypt/renew-le.sh: line 29: OPENSSL_EXTRA_ARGS: unbound variable
thinkmassive commented 3 years ago

Interestingly enough, I'm running into issues using both -passin and -passout. While deploying a LE cert using this branch, it fails at this point

ipapython.admintool: INFO: The ipa-certupdate command was successful
/root/freeipa-letsencrypt/renew-le.sh: line 29: OPENSSL_EXTRA_ARGS: unbound variable

This will happen when running bash with set -u and the file doesn't exist, as described here: https://www.gnu.org/software/bash/manual/html_node/The-Set-Builtin.html

I changed the bash conditional to handle this properly. Please pull and try again if this is still blocking you @Striploin

thinkmassive commented 3 years ago

I think this is ready to merge, @mkosek would you mind taking a look whenever you have a chance?

abbra commented 3 years ago

Please use git rebase -i master and fold these two commits into the same one.

thinkmassive commented 3 years ago

Please use git rebase -i master and fold these two commits into the same one.

Thanks for the quick response. Rebase is complete.

abbra commented 3 years ago

LGTM.

PrimordialKangaroo commented 3 years ago

Just ran the current master with "-passout" option and was still prompted for a password. I found this MR and changed the renew-le.sh file to be "-passin" instead and it worked. My guess is the openssl command needs to use the httpd.key file to create the CSR and it needs the passwd file as an input to access the httpd.key.

abbra commented 3 years ago

@PrimordialKangaroo please submit a separate PR with your change.

gugarosa commented 3 years ago

I confirm that it should be -passin in CentOS 8. Just ran into this problem today.
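The two problems raised in this thread, the -passin/-passout mix-up and the OPENSSL_EXTRA_ARGS unbound-variable abort under set -u, as an added shell example that is not the project's renew-le.sh. The function names, the OPENSSL_EXTRA_ARGS environment variable's default handling and the file paths passed in are assumptions for illustration; the block only builds the openssl argument list, it does not run openssl.

```bash
#!/usr/bin/env bash
# Added example, not the project's script: build the openssl CSR command so it
# survives `set -u` when the password file or extra args are absent, and reads
# the existing key password with -passin (the password protects the *input* key).
set -euo pipefail

# Print the openssl argument list, one token per line.
#   $1 = private key file, $2 = password file (may not exist), $3 = CSR output path
build_csr_args() {
  local key_file="$1" pass_file="$2" out_csr="$3"
  local -a args=(req -new -key "$key_file" -out "$out_csr")

  # Only pass a password source when the file is actually readable; openssl
  # will otherwise prompt on the terminal, which breaks unattended renewals.
  if [ -r "$pass_file" ]; then
    # -passin: password for the key being read. -passout would only apply to
    # a key or PKCS#12 bundle being *written*, hence the prompt people saw.
    args+=(-passin "file:$pass_file")
  fi

  # Optional extra arguments from the environment (assumed variable name).
  # The ":-" default is what keeps `set -u` from aborting with
  # "OPENSSL_EXTRA_ARGS: unbound variable" when it was never set.
  local extra="${OPENSSL_EXTRA_ARGS:-}"
  if [ -n "$extra" ]; then
    # shellcheck disable=SC2206 -- word splitting of extra args is intended
    args+=($extra)
  fi

  printf '%s\n' "${args[@]}"
}

# True when the built command reads the key password from a file.
uses_passin() {
  build_csr_args "$@" | grep -qx -- '-passin'
}

# Usage: print the command that would be run for the thread's path layout
# (paths are constructed placeholders).
if [ "${1:-}" = "--demo" ]; then
  build_csr_args /var/lib/ipa/certs/httpd.key \
    "/var/lib/ipa/passwds/$(hostname)-443-RSA" /tmp/httpd-csr.der | tr '\n' ' '
  echo
fi
```

Run with `bash example.sh --demo` to see the assembled argument list; with a missing password file the output simply lacks the -passin pair instead of the script dying.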