Antonia Stevens via FreeIPA-devel wrote:
Thanks for the feedback Rob,
I've updated the scripts with your suggestions except for using
certmonger, which is probably more work; I've created a GitHub issue for
refactoring using certmonger.
Awesome. I wonder if we should link to this on the FreeIPA wiki. There
is quite a lot of interest in LE certs, and being able to handle renewal,
even if via a cronjob, makes it far easier to use.
cheers
rob
- Antonia
On Thu, Oct 12, 2017 at 3:18 AM, Rob Crittenden <rcritten(a)redhat.com> wrote:
Antonia Stevens via FreeIPA-devel wrote:
Hi,
Thought I should introduce myself and post a link to some recent work
which might be relevant for some of you.
My name is Antonia Stevens and I'm a DevOps Engineer and long time FreeIPA user.
We recently had a need to get proper certs for IPA servers in AWS, which
means they have multiple IPs/DNS names/principals. Since I could not
find anything, I hacked together a couple of bash scripts to make it a
bit easier.
https://github.com/antevens/letsencrypt-freeipa
Thanks for all the great work, and depending on my schedule I might try
to contribute a bit more going forward.
This looks very cool. I haven't executed it yet but from reading the
scripts here are a few ideas/suggestions.
- It may be better to get the Kerberos realm from /etc/ipa/default.conf.
- I have the feeling this requires at least IPA v4.5.0. Probably
worthwhile to document which version(s) are known to work.
- A cronjob wouldn't be necessary if certmonger was used to do the
renewal. The script would need to be modified to work as a certmonger
CA, but then it could handle restarting the services, etc.
rob
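An added example, not part of the letsencrypt-freeipa scripts or of either message above: a POSIX shell snippet for Rob's first two suggestions, reading the Kerberos realm from /etc/ipa/default.conf instead of hard-coding it, and checking the installed IPA version against a documented minimum before the script does anything. The config file contents and the realm EXAMPLE.TEST are constructed sample data; the `VERSION: x.y.z, ...` output format assumed for `ipa --version` is an assumption and is only used when the `ipa` command is present.

```shell
#!/bin/sh
# Added example (not from the letsencrypt-freeipa project): discover the
# Kerberos realm from IPA's own config and enforce a minimum IPA version.

# Print the value of key $2 from the [global] section of an ini-style IPA
# default.conf at path $1. Values may themselves contain "=" (e.g. basedn),
# so the value is everything after the first "=" on the line.
ipa_conf_get() {
    awk -v key="$2" -F'=' '
        /^[[:space:]]*\[/ { in_global = ($0 ~ /^[[:space:]]*\[global\]/); next }
        in_global && NF >= 2 {
            k = $1; gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            if (k == key) {
                v = substr($0, index($0, "=") + 1)
                gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
                print v; exit
            }
        }
    ' "$1"
}

# Return 0 if dotted version $1 is >= dotted version $2, 1 otherwise.
# Components are compared numerically, so 4.10.0 >= 4.5.0 holds.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xa = (i <= na) ? x[i] + 0 : 0
            yb = (i <= nb) ? y[i] + 0 : 0
            if (xa > yb) exit 0
            if (xa < yb) exit 1
        }
        exit 0
    }'
}

# Minimum version the hypothetical script documents as known to work.
MIN_IPA_VERSION="4.5.0"

# Constructed sample standing in for /etc/ipa/default.conf (the real file
# uses the same [global] key = value layout).
sample_conf=$(mktemp)
cat > "$sample_conf" <<'EOF'
[global]
basedn = dc=example,dc=test
realm = EXAMPLE.TEST
domain = example.test
server = ipa.example.test
enable_ra = True
EOF

# Prefer the live config when it exists; fall back to the sample otherwise.
conf=/etc/ipa/default.conf
[ -r "$conf" ] || conf="$sample_conf"

REALM=$(ipa_conf_get "$conf" realm)
if [ -z "$REALM" ]; then
    echo "could not determine realm from $conf" >&2
else
    printf 'realm: %s (from %s)\n' "$REALM" "$conf"
fi

# Only check the installed version when the ipa CLI is actually available;
# the "VERSION: x.y.z, API_VERSION: ..." format is an assumption.
if command -v ipa >/dev/null 2>&1; then
    installed=$(ipa --version 2>/dev/null | sed -n 's/^VERSION: \([0-9.]*\).*/\1/p')
    if [ -n "$installed" ] && ! version_ge "$installed" "$MIN_IPA_VERSION"; then
        echo "IPA $installed is older than the supported $MIN_IPA_VERSION" >&2
    fi
fi
```

The realm lookup keeps the script from drifting out of sync with the server's own configuration, and the version gate turns "probably needs 4.5.0" into an explicit, documented check that fails early rather than partway through a certificate install.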
_______________________________________________
FreeIPA-devel mailing list -- freeipa-devel(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-leave(a)lists.fedorahosted.org