freeipa / freeipa-letsencrypt

A quick hack allowing to use Let's Encrypt certificates for FreeIPA web interface.

Using ipa-server-certinstall, including automatic backup mechanism and removing local cert store #28

Open tosoikea opened 3 years ago

tosoikea commented 3 years ago

Description

With the changes included in the scripts, the setup script is going to download the necessary certificates from the official Let's Encrypt website. This could be extended to always download the most current version. Additionally, and most importantly, the official ipa-server-certinstall command is used for registering the third party certificate. This method should be preferred over manually copying files into the corresponding directories (and also includes the directory server certificate). Lastly, a very simple copy mechanism is included for saving the most current certificates.

How has this been tested?

The renewal script runs weekly on IPA servers on top of RHEL 8. Multiple renewals were successfully done.

Further improvements

rcritten commented 3 years ago

Can you rebase this? A similar remove local CA change was made in PR #30 along with dynamically retrieving the chain. Your changes to renew-le.sh are still relevant.

tosoikea commented 3 years ago

@rcritten Should be done now, I also added a small change to the renew-le.sh to only restart the required services instead of the complete ipa service (source: https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP).

rcritten commented 3 years ago

GitHub is still reporting this as having conflicts. Can you also remove the merge commit to make the changes cleaner?

For the dirsrv restart it will fail without an instance name. dirsrv.target works IIRC.

tosoikea commented 3 years ago

@rcritten Seems good to go. I tested the restart of the directory service locally with the wildcard and it worked. However, as I can not guarantee that the same applies for other versions, I reverted to the ipactl restart. Feel free to change it, if desired.

rcritten commented 3 years ago

I guess I would characterize this change to:

tosoikea commented 3 years ago

I could optionally base the replacing of the certificates based upon a configuration variable e.g. only replace webserver certificate. Personally, I do not see a problem with the generation of new private keys when renewing the LE certificate as it should have no impact on the functionality of the system.

jekader commented 3 years ago

Thanks for the PR, I think using ipa-server-certinstall is the way to go here instead of manually putting files into locations.

I have one question though - why are we still generating our own CSR in this case? Can't certbot just do it for us instead? The patch seems to regenerate the private key at each renewal anyways and we're just re-implementing certbot features in bash.

Ideally I'd want this to shrink renewal to a normal certbot run with IPA-specific steps executed as hooks. This PR is definitely a step in the right direction.

I tested the normal certbot workflow and it seems to work fine:

1) systemctl stop httpd (can be run via certbot --pre-hook option)
2) certbot --text --agree-tos certonly --standalone --keep-until-expiring -d IPA_HOSTNAME
3) ipa-server-certinstall -w -d /etc/letsencrypt/live/IPA_HOSTNAME/privkey.pem /etc/letsencrypt/live/IPA_HOSTNAME/cert.pem (can be run via certbot --deploy-hook option)
4) ipactl restart (can be run via certbot --post-hook option)

I'm not very familiar with IPA so may be missing something, that's why I'm asking if these custom steps are even needed.

jekader commented 3 years ago

Another useful certbot option in this context is --reuse-key which does not use a new private key on each renewal. That's the only reason in my understanding of having to use custom CSR generation flows.

I'll try to test the whole process once I have some time to deploy a test FreeIPA instance. It should allow us to shrink the script to just a few lines of bash.
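The hook-based flow sketched in the two comments above (stop httpd, one certbot run with --reuse-key, ipa-server-certinstall in the deploy hook, ipactl restart afterwards), written out as an added example. This is not code from the freeipa-letsencrypt repository or from the PR; it is a hypothetical wrapper script assumed to be installed at /usr/local/sbin/ipa-le.sh (placeholder path) on an IPA server that already trusts the Let's Encrypt chain. RENEWED_LINEAGE is the environment variable certbot exports to deploy hooks; the optional Directory Manager password file is this example's own convention.

```shell
#!/bin/sh
# Hypothetical wrapper: one certbot run per renewal, with the IPA-specific
# steps executed as certbot hooks (example code, not the project's own).
set -u

IPA_LE_SELF=${IPA_LE_SELF:-/usr/local/sbin/ipa-le.sh}   # placeholder install path
DM_PASS_FILE=${DM_PASS_FILE:-/root/.ipa-dm-password}    # placeholder, root-only (0600)

# Print the certbot argument list for the host name given as $1.
# --standalone binds port 80, hence httpd is stopped in --pre-hook;
# --reuse-key keeps the private key stable across renewals;
# --deploy-hook only fires when a new certificate was actually issued.
build_certbot_args() {
    printf '%s' "--text --agree-tos certonly --standalone --keep-until-expiring --reuse-key -d $1 --pre-hook 'systemctl stop httpd' --deploy-hook '$IPA_LE_SELF deploy' --post-hook 'ipactl restart'"
}

# Run certbot with the arguments above; eval re-splits the quoted hook commands.
run_renewal() {
    eval "set -- $(build_certbot_args "$1")"
    certbot "$@"
}

# Refuse to touch IPA unless the key and certificate exist and belong together.
# Comparing public keys works for both RSA and ECDSA Let's Encrypt keys.
pem_pair_matches() {
    key=$1
    cert=$2
    [ -r "$key" ] && [ -r "$cert" ] || return 1
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Deploy hook: certbot sets RENEWED_LINEAGE to /etc/letsencrypt/live/<name>.
deploy_hook() {
    if [ -z "${RENEWED_LINEAGE:-}" ]; then
        echo "deploy: RENEWED_LINEAGE not set; run via certbot --deploy-hook" >&2
        return 1
    fi
    key=$RENEWED_LINEAGE/privkey.pem
    cert=$RENEWED_LINEAGE/cert.pem
    if ! pem_pair_matches "$key" "$cert"; then
        echo "deploy: key/cert mismatch or unreadable in $RENEWED_LINEAGE" >&2
        return 1
    fi
    # -w installs the HTTP certificate, -d the directory server certificate
    # (same invocation as in the thread). Non-interactive runs need the
    # Directory Manager password; -p exposes it in the process list briefly,
    # so the file must be root-only and the hook run as root.
    if [ -r "$DM_PASS_FILE" ]; then
        ipa-server-certinstall -w -d -p "$(cat "$DM_PASS_FILE")" "$key" "$cert"
    else
        ipa-server-certinstall -w -d "$key" "$cert"
    fi
}

main() {
    case "${1:-}" in
        renew)  run_renewal "${2:?usage: $0 renew HOSTNAME}" ;;
        deploy) deploy_hook ;;
        *)      echo "usage: $0 renew HOSTNAME | deploy" >&2 ;;
    esac
}
main "$@"
```

Usage is `ipa-le.sh renew ipa.example.test` from a weekly timer; certbot itself decides (via --keep-until-expiring) whether anything is renewed, and the deploy hook, and with it ipa-server-certinstall, only runs when a new certificate was issued, while the post-hook restart still runs every time.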

tosoikea commented 3 years ago

@jekader This all sounds very sensible and promising. Unfortunately I currently have no time for changes, but am looking forward to your results! :)