[Freeipa-users] Adding FreeIPA to an existing infrastructure

Martin Kosek mkosek at redhat.com
Mon Apr 18 10:20:41 UTC 2016 

On 04/12/2016 12:14 PM, Remco Kranenburg wrote:
> Thanks for all the pointers. I'm tentatively moving forward with a CA-less and
> DNS-less IPA server, with Letsencrypt certificates. I think this is also the
> setup that is used by the demo at <https://ipa.demo1.freeipa.org/ipa/ui/>. Is
> there some documentation about this setup?

I installed this FreeIPA Demo server with Dogtag CA and then used something
like this to setup the root cert:

~~~~~~~~~~~~~~~~~~~~~~~~
# do this once before taking snapshot of the VM
dnf install letsencrypt -y

ipa-cacert-manage install le-root-ca.pem -n le-root-ca -t ,,
ipa-certupdate -v

ipa-cacert-manage install le-authority-x1.pem -n le-authority-x1 -t C,,
ipa-certupdate -v
~~~~~~~~~~~~~~~~~~~~~~~~

and then generated LE certificate:

~~~~~~~~~~~~~~~~~~~~~~~~
# generate CSR
certutil -R -d /etc/httpd/alias/ -k Server-Cert -f /etc/httpd/alias/pwdfile.txt
-s "CN=$(hostname)" --extSAN "dns:$(hostname)" -a -o /root/httpd-csr.pem
openssl req -in /root/httpd-csr.pem -outform der -out /root/httpd-csr.der

# httpd process prevents letsencrypt from working, stop it
service httpd stop

# get a new cert
letsencrypt certonly --csr /root/httpd-csr.der --email ... at redhat.com --agree-tos

# remove old cert
certutil -D -d /etc/httpd/alias/ -n Server-Cert
# add the new cert
certutil -A -d /etc/httpd/alias/ -n Server-Cert -t ,, -a -i /root/0000_cert.pem

# start httpd with the new cert
service httpd start
~~~~~~~~~~~~~~~~~~~~~~~~

but you probably do not want this as you are not installing CA piece.

> I'm trying to install a Letsencrypt
> certificate into FreeIPA, but when I run the installation:
> 
> ipa-server-install --http-cert-file cert.pem --http-cert-file privkey.pem
> --dirsrv-cert-file cert.pem --dirsrv-cert-file privkey.pem
> 
> It asks for my "Apache Server private key unlock password", even though the key
> from Letsencrypt is not encrypted with a passphrase. When I give a bogus
> password, it gives me another error:
> 
> ipa.ipapython.install.cli.install_tool(Server): ERROR    The full certificate
> chain is not present in cert.pem, privkey.pem
> 
> Letsencrypt provides me with a few files: cert.pem, chain.pem, fullchain.pem,
> privkey.pem. Even when I also add chain.pem and fullchain.pem, it gives me the
> same error.

CCing JanC, he is the man to help with this one.

Martin

More information about the Freeipa-users mailing list