On 04/12/2016 12:14 PM, Remco Kranenburg wrote:
> Thanks for all the pointers. I'm tentatively moving forward with a CA-less and
> DNS-less IPA server, with Letsencrypt certificates. I think this is also the
> setup that is used by the demo at <https://ipa.demo1.freeipa.org/ipa/ui/>. Is
> there some documentation about this setup?
I installed this FreeIPA Demo server with Dogtag CA and then used something like
this to set up the root cert:

~~~~~~~~~~~~~~~~~~~~~~~~
# do this once before taking snapshot of the VM
dnf install letsencrypt -y
ipa-cacert-manage install le-root-ca.pem -n le-root-ca -t ,,
ipa-certupdate -v
ipa-cacert-manage install le-authority-x1.pem -n le-authority-x1 -t C,,
ipa-certupdate -v
~~~~~~~~~~~~~~~~~~~~~~~~

and then generated the LE certificate:

~~~~~~~~~~~~~~~~~~~~~~~~
# generate CSR
certutil -R -d /etc/httpd/alias/ -k Server-Cert -f /etc/httpd/alias/pwdfile.txt \
    -s "CN=$(hostname)" --extSAN "dns:$(hostname)" -a -o /root/httpd-csr.pem
openssl req -in /root/httpd-csr.pem -outform der -out /root/httpd-csr.der

# httpd process prevents letsencrypt from working, stop it
service httpd stop

# get a new cert
letsencrypt certonly --csr /root/httpd-csr.der --email [email protected] --agree-tos

# remove old cert
certutil -D -d /etc/httpd/alias/ -n Server-Cert

# add the new cert
certutil -A -d /etc/httpd/alias/ -n Server-Cert -t ,, -a -i /root/0000_cert.pem

# start httpd with the new cert
service httpd start
~~~~~~~~~~~~~~~~~~~~~~~~

but you probably do not want this as you are not installing the CA piece.

> I'm trying to install a Letsencrypt
> certificate into FreeIPA, but when I run the installation:
>
> ipa-server-install --http-cert-file cert.pem --http-cert-file privkey.pem
> --dirsrv-cert-file cert.pem --dirsrv-cert-file privkey.pem
>
> It asks for my "Apache Server private key unlock password", even though the
> key from Letsencrypt is not encrypted with a passphrase. When I give a bogus
> password, it gives me another error:
>
> ipa.ipapython.install.cli.install_tool(Server): ERROR The full certificate
> chain is not present in cert.pem, privkey.pem
>
> Letsencrypt provides me with a few files: cert.pem, chain.pem, fullchain.pem,
> privkey.pem. Even when I also add chain.pem and fullchain.pem, it gives me the
> same error.

CCing JanC, he is the man to help with this one.
Martin

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
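A preflight for the "full certificate chain is not present" error quoted above, added here as an example (not code from this thread or from FreeIPA): it reads issuer and subject out of each certificate in a PEM file and reports whether the certificates are in issuing order and whether the last one is self-signed, i.e. whether the root is in the file, so one can see at a glance what cert.pem, chain.pem and fullchain.pem actually contain before handing them to ipa-server-install. It does not verify signatures and does not settle what ipa-server-install itself demands; the LEAF/INTERMEDIATE/ROOT skeletons at the bottom are constructed, unsigned placeholders, not Let's Encrypt certificates.

```python
import base64
import re

PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def der_tlv(buf, pos):
    """Read one DER tag/length/value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                         # long form: low bits give the length's byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def issuer_subject(cert_der):
    """Return (issuer, subject) as raw DER Name bytes; DNs are compared byte-wise only."""
    _, cert, _ = der_tlv(cert_der, 0)         # Certificate ::= SEQUENCE { tbsCertificate, ... }
    _, tbs, _ = der_tlv(cert, 0)
    tag, _, pos = der_tlv(tbs, 0)             # [0] EXPLICIT version is optional (absent in v1)
    if tag == 0xA0:
        _, _, pos = der_tlv(tbs, pos)         # serialNumber
    _, _, pos = der_tlv(tbs, pos)             # signature AlgorithmIdentifier
    _, issuer, pos = der_tlv(tbs, pos)
    _, _, pos = der_tlv(tbs, pos)             # validity
    _, subject, _ = der_tlv(tbs, pos)
    return issuer, subject

def chain_status(pem_text):
    """(count, ordered, has_root): certs found, each issued by the next, last one self-signed."""
    names = [issuer_subject(base64.b64decode("".join(b.split())))
             for b in PEM_CERT.findall(pem_text)]
    ordered = all(names[i][0] == names[i + 1][1] for i in range(len(names) - 1))
    has_root = bool(names) and names[-1][0] == names[-1][1]
    return len(names), ordered, has_root

# --- constructed test data: unsigned X.509 skeletons carrying only the fields read above ---
def der(tag, content):                        # short-form lengths only; test certs are < 128 bytes
    return bytes([tag, len(content)]) + content

def fake_cert(subject, issuer):
    name = lambda s: der(0x30, der(0x0C, s.encode()))                  # Name as SEQUENCE { UTF8String }
    tbs = (der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + der(0x30, b"")
           + name(issuer) + der(0x30, b"") + name(subject) + der(0x30, b""))
    cert = der(0x30, tbs) + der(0x30, b"") + der(0x03, b"\x00")        # tbs, sigAlg, signature
    return "-----BEGIN CERTIFICATE-----\n%s-----END CERTIFICATE-----\n" % base64.encodebytes(der(0x30, cert)).decode()

LEAF = fake_cert("ipa.example.test", "Fake LE X1")        # placeholder names, not real issuers
INTERMEDIATE = fake_cert("Fake LE X1", "Fake Root")
ROOT = fake_cert("Fake Root", "Fake Root")
```

Run chain_status over the real files' text: a leaf-only file gives (1, True, False), leaf plus intermediate gives (2, True, False), and only a file that also carries the self-signed root reports has_root True.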
