Hi Rob,

Bug reports in GitHub are probably easiest. The good thing about implementing it as a Certbot plugin is that hopefully their ACME implementation is correct and up to date.

On Wed, Mar 21, 2018 at 9:31 AM, Rob Crittenden <rcritten@redhat.com> wrote:
Antonia Stevens wrote:
> Per previous suggestions I've created a proof of concept implementation
> using Certmonger and Certbot.
>
> At this stage I have a working prototype that can request certificates
> and thought I'd solicit feedback before doing further work.
>
> The PoC can be found on my GitHub account. I also registered a domain
> (cerlet.com) to go with it which I intend to set up so that it can be
> used for public testing. Is there a public FreeIPA test server that
> could be conveniently set up as an authoritative DNS server for the
> domain and will allow users to sign up and authenticate using Kerberos?
>
> https://github.com/antevens/cerlet

I haven't forgotten about this :-)

I've started reviewing the code but I need to understand certbot and my
knowledge of ACME has atrophied as well so the going has been a bit slow
so far.

How would you prefer feedback on the code?

rob

>
> On Fri, Oct 13, 2017 at 8:41 AM, Rob Crittenden <rcritten@redhat.com> wrote:
>
>     Antonia Stevens via FreeIPA-devel wrote:
>
>         Thanks for the feedback Rob,
>
>         I've updated the scripts with your suggestions except for using
>         certmonger, which is probably more work; I've created a GitHub
>         issue for refactoring using certmonger.
>
>
>     Awesome. I wonder if we should link to this on the FreeIPA wiki.
>     There is quite a lot of interest in LE certs, and being able to
>     handle renewal, even if via a cronjob, makes it far easier to use.
>
>     cheers
>
>     rob
>
>
>         - Antonia
>
>
>
>         On Thu, Oct 12, 2017 at 3:18 AM, Rob Crittenden
>         <rcritten@redhat.com> wrote:
>
>             Antonia Stevens via FreeIPA-devel wrote:
>
>                 Hi,
>
>                 Thought I should introduce myself and post a link to
>                 some recent work which might be relevant for some of you.
>
>                 My name is Antonia Stevens and I'm a DevOps Engineer and
>                 long time FreeIPA user.
>
>                 We recently had a need to get proper certs for IPA
>                 servers in AWS, which means they have multiple IPs/DNS
>                 Names/Principals. Since I could not find anything, I
>                 hacked together a couple of bash scripts to make it a
>                 bit easier.
>
>                 https://github.com/antevens/letsencrypt-freeipa
>
>                 Thanks for all the great work and depending on my schedule I
>                 might try
>                 to contribute a bit more going forward.
>
>
>             This looks very cool. I haven't executed it yet but from
>             reading the scripts here are a few ideas/suggestions.
>
>             - it may be better to get the kerberos realm from
>               /etc/ipa/default.conf
>             - I have the feeling this requires at least IPA v4.5.0. Probably
>               worthwhile to document which version(s) are known to work
>             - A cronjob wouldn't be necessary if certmonger was used to
>               do the renewal. The script would need to be modified to
>               work as a certmonger CA but then it could handle restarting
>               the services, etc.
>
>             rob
>
>
>
>
>         _______________________________________________
>         FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
>         To unsubscribe send an email to freeipa-devel-leave@lists.fedorahosted.org
>
> --
> Antonia Stevens
> a@antevens.com
> +1 416 888 6908

--
Antonia Stevens
a@antevens.com
+1 416 888 6908
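Rob's two suggestions above, reading the Kerberos realm from /etc/ipa/default.conf and running the renewal script as a certmonger CA helper instead of from cron, are illustrated by the following added example. It is not code from the cerlet or letsencrypt-freeipa repositories. It assumes the certmonger helper contract as documented in certmonger's doc/submit.txt (CERTMONGER_OPERATION, CERTMONGER_CSR and CERTMONGER_CA_COOKIE in the environment; exit status 0 issued, 1 rejected, 2 unreachable, 3 under-configured, 4 wait, 5 wait with cookie, 6 unsupported operation), which should be checked against the installed certmonger version. The `make_fake_issuer` function, `FAKE_CSR_PEM` and `FAKE_CERT_PEM` are constructed stand-ins for the Certbot/ACME call so the helper can be exercised offline.

```python
"""Skeleton certmonger CA helper for an ACME-backed renewal flow (added example)."""
import configparser
import os
import sys
from typing import Callable, Optional, Tuple

# Exit codes of the certmonger submit protocol (doc/submit.txt); assumed values,
# verify them against the certmonger version you deploy on.
ISSUED, REJECTED, CONNECT_ERROR, UNDERCONFIGURED = 0, 1, 2, 3
WAIT, WAIT_WITH_COOKIE, OPERATION_NOT_SUPPORTED = 4, 5, 6

# Constructed placeholders; not a real CSR or certificate.
FAKE_CSR_PEM = "-----BEGIN CERTIFICATE REQUEST-----\nMIIB...constructed...\n-----END CERTIFICATE REQUEST-----\n"
FAKE_CERT_PEM = "-----BEGIN CERTIFICATE-----\nMIID...constructed...\n-----END CERTIFICATE-----\n"


def parse_realm(config_text: str) -> Optional[str]:
    """Return the realm from IPA-style INI text ([global] realm = ...), or None."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(config_text)
    return cp.get("global", "realm", fallback=None)


def read_realm(path: str = "/etc/ipa/default.conf") -> Optional[str]:
    """Read the realm from the IPA client config instead of hard-coding it."""
    try:
        with open(path, encoding="utf-8") as fh:
            return parse_realm(fh.read())
    except OSError:
        return None


# The issuer stands in for the ACME client. It receives the PEM CSR and the
# cookie from an earlier "wait with cookie" round (None on first SUBMIT) and
# returns one of ("issued", pem), ("pending", cookie), ("rejected", msg),
# ("error", msg).
Issuer = Callable[[str, Optional[str]], Tuple[str, str]]


def handle(env: dict, issuer: Issuer, realm: Optional[str]) -> Tuple[int, str]:
    """Dispatch one certmonger operation; return (exit_status, stdout_text)."""
    op = env.get("CERTMONGER_OPERATION", "")
    if op == "IDENTIFY":
        return ISSUED, "acme-example-helper 0.1\n"
    if op not in ("SUBMIT", "POLL"):
        return OPERATION_NOT_SUPPORTED, ""
    if realm is None:
        # Refusing to run without the realm beats guessing one; certmonger shows this text.
        return UNDERCONFIGURED, "could not read realm from /etc/ipa/default.conf\n"
    csr = env.get("CERTMONGER_CSR", "")
    if "BEGIN CERTIFICATE REQUEST" not in csr:
        return REJECTED, "no PEM CSR in CERTMONGER_CSR\n"
    cookie = env.get("CERTMONGER_CA_COOKIE") if op == "POLL" else None
    state, payload = issuer(csr, cookie)
    if state == "issued":
        return ISSUED, payload  # certificate PEM on stdout, certmonger installs it
    if state == "pending":
        # First line: seconds to wait; remaining lines: cookie handed back on POLL.
        return WAIT_WITH_COOKIE, "30\n" + payload + "\n"
    if state == "rejected":
        return REJECTED, payload + "\n"
    return CONNECT_ERROR, payload + "\n"


def make_fake_issuer() -> Issuer:
    """Constructed stand-in: first round creates an order, second round issues."""
    def issuer(csr: str, cookie: Optional[str]) -> Tuple[str, str]:
        if cookie is None:
            return "pending", "order-1"
        if cookie == "order-1":
            return "issued", FAKE_CERT_PEM
        return "rejected", "unknown order " + cookie
    return issuer


def main() -> None:
    # certmonger invokes the helper once per operation; everything arrives via env.
    code, out = handle(dict(os.environ), make_fake_issuer(), read_realm())
    sys.stdout.write(out)
    sys.exit(code)


if __name__ == "__main__":
    main()
```

The split between `handle` and the issuer keeps the protocol plumbing testable without network access: a real deployment would replace `make_fake_issuer` with a function that drives Certbot and map its order state onto the same four outcomes, while certmonger itself takes care of scheduling the POLL rounds, storing the issued certificate and running the post-save command that restarts services.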