[Freeipa-users] Adding FreeIPA to an existing infrastructure

Jan Cholasta jcholast at redhat.com
Tue Apr 19 05:34:34 UTC 2016


On 18.4.2016 12:20, Martin Kosek wrote:
> On 04/12/2016 12:14 PM, Remco Kranenburg wrote:
>> Thanks for all the pointers. I'm tentatively moving forward with a CA-less and
>> DNS-less IPA server, with Letsencrypt certificates. I think this is also the
>> setup that is used by the demo at <https://ipa.demo1.freeipa.org/ipa/ui/>. Is
>> there some documentation about this setup?
>
> I installed this FreeIPA Demo server with Dogtag CA and then used something
> like this to setup the root cert:
>
> ~~~~~~~~~~~~~~~~~~~~~~~~
> # do this once before taking snapshot of the VM
> dnf install letsencrypt -y
>
> ipa-cacert-manage install le-root-ca.pem -n le-root-ca -t ,,
> ipa-certupdate -v
>
> ipa-cacert-manage install le-authority-x1.pem -n le-authority-x1 -t C,,
> ipa-certupdate -v
> ~~~~~~~~~~~~~~~~~~~~~~~~
>
> and then generated LE certificate:
>
> ~~~~~~~~~~~~~~~~~~~~~~~~
> # generate CSR
> certutil -R -d /etc/httpd/alias/ -k Server-Cert -f /etc/httpd/alias/pwdfile.txt \
>     -s "CN=$(hostname)" --extSAN "dns:$(hostname)" -a -o /root/httpd-csr.pem
> openssl req -in /root/httpd-csr.pem -outform der -out /root/httpd-csr.der
>
> # httpd process prevents letsencrypt from working, stop it
> service httpd stop
>
> # get a new cert
> letsencrypt certonly --csr /root/httpd-csr.der --email ... at redhat.com --agree-tos
>
> # remove old cert
> certutil -D -d /etc/httpd/alias/ -n Server-Cert
> # add the new cert
> certutil -A -d /etc/httpd/alias/ -n Server-Cert -t ,, -a -i /root/0000_cert.pem
>
> # start httpd with the new cert
> service httpd start
> ~~~~~~~~~~~~~~~~~~~~~~~~
>
> but you probably do not want this as you are not installing CA piece.
>
>> I'm trying to install a Letsencrypt
>> certificate into FreeIPA, but when I run the installation:
>>
>> ipa-server-install --http-cert-file cert.pem --http-cert-file privkey.pem \
>>     --dirsrv-cert-file cert.pem --dirsrv-cert-file privkey.pem
>>
>> It asks for my "Apache Server private key unlock password", even though the key
>> from Letsencrypt is not encrypted with a passphrase.

Try using an empty passphrase: --http-pin= --dirsrv-pin=

>> When I give a bogus
>> password, it gives me another error:
>>
>> ipa.ipapython.install.cli.install_tool(Server): ERROR    The full certificate
>> chain is not present in cert.pem, privkey.pem
>>
>> Letsencrypt provides me with a few files: cert.pem, chain.pem, fullchain.pem,
>> privkey.pem. Even when I also add chain.pem and fullchain.pem, it gives me the
>> same error.

The error is legit; you have to specify the full CA certificate chain
using --ca-cert-file.

>
> CCing JanC, he is the man to help with this one.
>
> Martin
>


-- 
Jan Cholasta
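As an added example, not part of the thread: a POSIX shell pre-flight that checks the Let's Encrypt files for the two problems raised above (an unexpected key passphrase prompt, and an incomplete CA chain) before assembling the CA-less ipa-server-install command line. It assumes certbot's file names, that the root CA certificate has been appended to chain.pem to make ca-chain.pem, and that openssl and awk are available; the command is printed for review, not run.

```shell
# Added example (not from the thread): pre-flight checks for a CA-less
# ipa-server-install with Let's Encrypt files. Assumed layout: cert.pem (leaf),
# privkey.pem (unencrypted key) and ca-chain.pem (chain.pem plus the root CA
# certificate, appended by the admin). Needs openssl and awk; subject/issuer
# strings are assumed not to contain '|'.

# Print "subject|issuer" for every certificate in the given PEM files, in order.
cert_chain_pairs() {
    cat "$@" | awk '
        /-----BEGIN CERTIFICATE-----/ { buf = "" }
        { buf = buf $0 "\n" }
        /-----END CERTIFICATE-----/ {
            cmd = "openssl x509 -noout -subject -issuer"
            printf "%s", buf | cmd
            close(cmd)
        }' | awk '/^subject=/ { s = substr($0, 9) }
                  /^issuer=/  { print (s "|" substr($0, 8)) }'
}

# Succeed only if leaf -> intermediate(s) -> root link up issuer-to-subject and
# the last certificate is self-signed: the "full chain" the install error asks for.
chain_is_complete() {
    cert_chain_pairs "$@" | awk -F'|' '
        { subj[NR] = $1; iss[NR] = $2 }
        END {
            if (NR < 2) exit 1
            for (k = 1; k < NR; k++) if (iss[k] != subj[k + 1]) exit 1
            if (subj[NR] != iss[NR]) exit 1
            exit 0
        }'
}

# Empty pins are only right when the key really has no passphrase.
key_pin_args() {
    if grep -q ENCRYPTED "$1"; then
        echo "key $1 is passphrase-protected; pass its real pin instead" >&2
        return 1
    fi
    echo "--http-pin= --dirsrv-pin="
}

# Build (print, not run) the install command: leaf plus key for both services,
# the CA chain separately via --ca-cert-file.
ipa_install_command() {  # $1 leaf cert, $2 key, $3 CA chain bundle
    chain_is_complete "$1" "$3" || { echo "CA chain in $3 is incomplete" >&2; return 1; }
    pins=$(key_pin_args "$2") || return 1
    echo "ipa-server-install --http-cert-file $1 --http-cert-file $2" \
         "--dirsrv-cert-file $1 --dirsrv-cert-file $2 $pins --ca-cert-file $3"
}
```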