Per previous suggestions I've created a proof of concept implementation
using Certmonger and Certbot.
At this stage I have a working prototype that can request certificates and
thought I'd solicit feedback before doing further work.
The PoC can be found on my GitHub account. I also registered a domain
(cerlet.com) to go with it, which I intend to set up so that it can be used
for public testing. Is there a public FreeIPA test server that could be
conveniently set up as an authoritative DNS server for the domain and will
allow users to sign up and authenticate using Kerberos?
https://github.com/antevens/cerlet
On Fri, Oct 13, 2017 at 8:41 AM, Rob Crittenden <rcritten(a)redhat.com> wrote:
Antonia Stevens via FreeIPA-devel wrote:
> Thanks for the feedback Rob,
>
> I've updated the scripts with your suggestions except for using
> certmonger, which is probably more work; I've created a GitHub issue for
> refactoring using certmonger.
>
Awesome. I wonder if we should link to this on the FreeIPA wiki. There is
quite a lot of interest in LE certs, and being able to handle renewal, even
if via a cronjob, makes it far easier to use.
cheers
rob
> - Antonia
>
>
>
> On Thu, Oct 12, 2017 at 3:18 AM, Rob Crittenden <rcritten(a)redhat.com> wrote:
>
> Antonia Stevens via FreeIPA-devel wrote:
>
> Hi,
>
> Thought I should introduce myself and post a link to some recent work
> which might be relevant for some of you.
>
> My name is Antonia Stevens and I'm a DevOps Engineer and long time
> FreeIPA user.
>
> We recently had a need to get proper certs for IPA servers in AWS, which
> means they have multiple IPs/DNS names/principals. Since I could not find
> anything, I hacked together a couple of bash scripts to make it a bit
> easier.
>
>
> https://github.com/antevens/letsencrypt-freeipa
>
> Thanks for all the great work, and depending on my schedule I might try
> to contribute a bit more going forward.
>
>
> This looks very cool. I haven't executed it yet but from reading the
> scripts here are a few ideas/suggestions.
>
> - it may be better to get the kerberos realm from
> /etc/ipa/default.conf
> - I have the feeling this requires at least IPA v4.5.0. Probably
> worthwhile to document which version(s) are known to work
> - A cronjob wouldn't be necessary if certmonger was used to do the
> renewal. The script would need to be modified to work as a
> certmonger CA but then it could handle restarting the services, etc.
>
> rob
>
>
>
>
--
Antonia Stevens
a(a)antevens.com
+1 416 888 6908
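Rob's two suggestions above (take the Kerberos realm from /etc/ipa/default.conf rather than guessing it, and turn the script into a certmonger CA helper so certmonger drives renewal and restarts services instead of a cronjob) put together as an added bash example. This is not code from the cerlet or letsencrypt-freeipa repositories. The helper name, the CERLET_CERTBOT_ARGS variable and the sample default.conf contents are assumptions; the CERTMONGER_* environment variables and the exit statuses are the ones certmonger documents for CA helpers.

```bash
#!/bin/bash
# cerlet-ca-helper (hypothetical name): a certmonger CA helper that fronts an
# ACME client. Added example, not code from the cerlet repository.
# certmonger runs the helper with the request described in environment
# variables (CERTMONGER_OPERATION, CERTMONGER_CSR, ...) and reads the result
# from stdout plus the exit status:
#   0 issued (PEM certificate on stdout)       2 rejected (reason on stdout)
#   1 pending (cookie on stdout, polled later) 3 CA unreachable
#   5 pending, first stdout line is a delay    4 helper not configured
#   6 operation not supported by this helper
set -u

# IPA client config; overridable so the example can be run against a
# constructed file instead of a real install.
IPA_DEFAULT_CONF="${IPA_DEFAULT_CONF:-/etc/ipa/default.conf}"

# Read one key (realm, domain, host, ...) from the [global] section of
# default.conf. [ \t] is used instead of [[:space:]] so older mawk works.
ipa_conf_value() {  # $1 = key, $2 = file
  awk -v key="$1" '
    /^\[/ { in_global = ($0 == "[global]"); next }
    in_global && $0 ~ ("^[ \t]*" key "[ \t]*=") {
      sub("^[^=]*=[ \t]*", ""); sub("[ \t\r]*$", ""); print; exit
    }' "$2" 2>/dev/null
}

# Turn the CSR in file $1 into a PEM chain on stdout. Certbot signs an
# externally generated CSR with `certbot certonly --csr`; the authenticator
# (e.g. --webroot -w /path) and account options are deployment specific and
# come from CERLET_CERTBOT_ARGS (hypothetical variable). Returns 3 when
# certbot is missing or fails, which the caller reports as "CA unreachable".
issue_from_csr() {
  command -v certbot >/dev/null 2>&1 || return 3
  local outdir
  outdir="$(mktemp -d)"
  # word splitting of CERLET_CERTBOT_ARGS is intended
  certbot certonly --non-interactive --agree-tos ${CERLET_CERTBOT_ARGS:-} \
      --csr "$1" --cert-path "$outdir/cert.pem" \
      --chain-path "$outdir/chain.pem" --fullchain-path "$outdir/fullchain.pem" \
      >&2 || { rm -rf "$outdir"; return 3; }
  cat "$outdir/fullchain.pem"
  rm -rf "$outdir"
}

# Dispatch on the operation certmonger asked for.
cerlet_helper() {
  case "${CERTMONGER_OPERATION:-}" in
    IDENTIFY)
      printf 'cerlet ACME helper (realm %s)\n' \
        "$(ipa_conf_value realm "$IPA_DEFAULT_CONF")"
      return 0 ;;
    GET-NEW-REQUEST-REQUIREMENTS|GET-RENEW-REQUEST-REQUIREMENTS)
      return 0 ;;   # nothing beyond the CSR is needed from certmonger
    SUBMIT|POLL)    # certbot is synchronous, so POLL is handled like SUBMIT
      local csr_file cert rc
      [ -n "${CERTMONGER_CSR:-}" ] || { echo "no CSR supplied"; return 2; }
      case "$CERTMONGER_CSR" in
        *"BEGIN CERTIFICATE REQUEST"*|*"BEGIN NEW CERTIFICATE REQUEST"*) ;;
        *) echo "CSR is not PEM encoded"; return 2 ;;
      esac
      csr_file="$(mktemp)"
      printf '%s\n' "$CERTMONGER_CSR" > "$csr_file"
      cert="$(issue_from_csr "$csr_file")"; rc=$?
      rm -f "$csr_file"
      [ "$rc" -eq 0 ] || { echo "issuance failed (rc=$rc)"; return 3; }
      printf '%s\n' "$cert"
      return 0 ;;
    *)
      return 6 ;;
  esac
}

# When certmonger invokes the script the operation is set; otherwise only the
# functions are defined, so the file can be sourced and exercised.
if [ -n "${CERTMONGER_OPERATION:-}" ]; then
  cerlet_helper
  exit $?
fi
```

With the helper installed (path is an assumption), register it once with `getcert add-ca -c cerlet -e /usr/local/libexec/cerlet-ca-helper`, then request the server cert with `getcert request -c cerlet -f /etc/pki/tls/certs/ipa.pem -k /etc/pki/tls/private/ipa.key -D ipa.example.test -K HTTP/ipa.example.test@EXAMPLE.TEST -C 'systemctl reload httpd'`. certmonger generates the key and a CSR carrying the -D/-K SANs, runs the helper, re-runs it before expiry and executes the -C command after every save, which is what replaces the cronjob in the original scripts.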