search

freeipa / freeipa-letsencrypt

A quick hack allowing to use Let's Encrypt certificates for FreeIPA web interface.
140 stars 71 forks source link

Issue with the renew cert script #42

Open lakici opened 2 years ago

lakici commented 2 years ago

Hello guys,

I had an issues with the renew certificate script renew-le.sh, step that generates csr always asks me for password:

OPENSSL_PASSWD_FILE="/var/lib/ipa/passwds/$HOSTNAME-443-RSA"
[ -f "$OPENSSL_PASSWD_FILE" ] && OPENSSL_EXTRA_ARGS="-passout file:$OPENSSL_PASSWD_FILE" || OPENSSL_EXTRA_ARGS=""
openssl req -new -sha256 -config "$WORKDIR/ipa-httpd.cnf"  -key /var/lib/ipa/private/httpd.key -out "$WORKDIR/httpd-csr.der" $OPENSSL_EXTRA_ARGS

I managed to fix the issue by updating OPENSSL_EXTRA_ARGS from -passout to -passin:

OPENSSL_PASSWD_FILE="/var/lib/ipa/passwds/$HOSTNAME-443-RSA"
[ -f "$OPENSSL_PASSWD_FILE" ] && OPENSSL_EXTRA_ARGS="-passin file:$OPENSSL_PASSWD_FILE" || OPENSSL_EXTRA_ARGS=""
openssl req -new -sha256 -config "$WORKDIR/ipa-httpd.cnf"  -key /var/lib/ipa/private/httpd.key -out "$WORKDIR/httpd-csr.der" $OPENSSL_EXTRA_ARGS
MatthewBehnke commented 2 years ago

Can confirm changing "passout" to "passin" works as expected

pubyun commented 2 years ago

confirmed on centos 8