freeipa / freeipa-letsencrypt

A quick hack allowing to use Let's Encrypt certificates for FreeIPA web interface.

Letsencrypt easy way #44

Open atol71 opened 2 years ago

atol71 commented 2 years ago

Hi,

One can use Letsencrypt deploy script for this:

  1. Make a folder for the certs in some folder ipa can use (docker: /data/etc/letsencrypt_certs; I have /data/scripts. Requires a mount from disk into the ipa docker.)
  2. Install the CA certs with the script.
  3. Get the certs for ipa with letsencrypt. In the (/etc/letsencrypt/renewal-hooks/deploy/renew.sh) script one can:
#!/bin/bash
# certbot deploy hook: certbot runs it after a successful renewal with
# RENEWED_DOMAINS and RENEWED_LINEAGE set in the environment
echo "Letsencrypt renewal hook running..."
echo "RENEWED_DOMAINS=$RENEWED_DOMAINS"
echo "RENEWED_LINEAGE=$RENEWED_LINEAGE"
if grep --quiet "<ipa_host_fqdn>" <<< "$RENEWED_DOMAINS"; then
  cp "$RENEWED_LINEAGE/cert.pem" /<path_to_ipa_accessible_folder>/cert.pem
  cp "$RENEWED_LINEAGE/privkey.pem" /<path_to_ipa_accessible_folder>/privkey.pem
  # inside docker: run a script that updates the certs for ipa
  # (no -it here: deploy hooks run without a TTY, so -t would fail)
  docker exec freeipa-serv /data/scripts/installCertsforHttp.sh
  # if not in docker, restart ipa instead with:
  # ipactl restart
  echo "ipa certs updated and ipa restarted"
fi

If using docker, then (installCertsforHttp.sh):

#!/bin/bash
# install the renewed key and cert for the HTTP (-w) and Directory Server (-d)
# services; --pin='' and --dirman-password avoid the interactive prompts.
# This file holds the Directory Manager password, so keep it readable by root only.
ipa-server-certinstall -w -d /<path_to_docker_inside_folder>/privkey.pem /<path_to_docker_inside_folder>/cert.pem --pin='' --dirman-password=<pwd_to_prevent_query>
ipactl restart

And this way letsencrypt and certmonger do the work for renewal when needed.
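Added example (not code from the issue or from the freeipa-letsencrypt project): pre-flight checks a deploy hook like the one above can run before staging a renewed certificate for ipa-server-certinstall, so a mismatched key/cert pair, an expiring cert, or a renewal for some other host never reaches the IPA web service. It assumes certbot's RENEWED_DOMAINS / RENEWED_LINEAGE layout and an installed openssl; every FQDN and path is a caller-supplied placeholder.

```shell
#!/bin/sh
# Added pre-flight checks for the deploy hook above (not the issue's own code).
# Assumes certbot's RENEWED_DOMAINS / RENEWED_LINEAGE layout and an openssl
# binary; all FQDNs and paths passed in are placeholders supplied by the caller.

# 0 only if $1 is one of the space-separated domains in $2, compared as whole
# words: a substring grep would also accept "ipa.example.com" inside
# "notipa.example.com".
renewed_domain_matches() {
  fqdn="$1"
  for d in $2; do            # intentional word splitting on spaces
    [ "$d" = "$fqdn" ] && return 0
  done
  return 1
}

# 0 only if cert.pem and privkey.pem in the lineage carry the same public key.
# Handing a mismatched pair to ipa-server-certinstall breaks the IPA web UI.
cert_matches_key() {
  cert_pub=$(openssl x509 -in "$1/cert.pem" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$1/privkey.pem" -pubout 2>/dev/null) || return 1
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# 0 only if cert.pem is still valid for at least $2 seconds (default: one day).
cert_still_valid() {
  openssl x509 -in "$1/cert.pem" -noout -checkend "${2:-86400}" >/dev/null 2>&1
}

# Copy cert and key into the IPA-reachable folder only when every check passes.
# Usage: deploy_to_ipa <ipa_fqdn> "$RENEWED_DOMAINS" "$RENEWED_LINEAGE" <dest_dir>
# Returns 2 when the IPA host was not among the renewed domains, 1 on a failed
# check, 0 when the files were staged (the ipa-server-certinstall step follows).
deploy_to_ipa() {
  fqdn="$1"; domains="$2"; lineage="$3"; dest="$4"
  renewed_domain_matches "$fqdn" "$domains" || return 2
  cert_matches_key "$lineage" || { echo "cert/key mismatch in $lineage" >&2; return 1; }
  cert_still_valid "$lineage" || { echo "cert in $lineage expires too soon" >&2; return 1; }
  install -m 0600 "$lineage/cert.pem" "$dest/cert.pem" &&
    install -m 0600 "$lineage/privkey.pem" "$dest/privkey.pem"
}
```

Call deploy_to_ipa from the hook in place of the two cp lines and only run the docker exec / ipa-server-certinstall step when it returns 0.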