Hello Guys,
I would like to use custom SSL certificates for HTTP and LDAP. I saw the following: https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
But I wonder how this would be done when using FreeIPA in a Docker/Podman container. I mean the container is started with the "--read-only" flag, so it's not clear to me what the correct approach would be here. I hope it's not that you have to rebuild your own image with the SSL certificates every time?
Background info: I'm using acme.sh in a VM, which creates my wildcard Let's Encrypt certificates and puts them on an NFS share. FreeIPA should simply use those certificates for HTTP and LDAP and that's it. No renewing, as this is done by the acme.sh VM itself.
On Thu, Jan 05, 2023 at 03:22:25AM -0000, Leo O via FreeIPA-users wrote:
> Hello Guys,
> I would like to use custom SSL certificates for HTTP and LDAP. I saw the following: https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
> But I wonder how this would be done when using FreeIPA in a Docker/Podman container.
You should be able to copy (docker cp / podman cp) the certificates to the container (to /tmp or /data) and then docker exec / podman exec into the container and run the commands shown on the page.
Leo O via FreeIPA-users wrote:
> Hello Guys,
> I would like to use custom SSL certificates for HTTP and LDAP. I saw the following: https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
> But I wonder how this would be done when using FreeIPA in a Docker/Podman container. I mean the container is started with the "--read-only" flag, so it's not clear to me what the correct approach would be here. I hope it's not that you have to rebuild your own image with the SSL certificates every time?
> Background info: I'm using acme.sh in a VM, which creates my wildcard Let's Encrypt certificates and puts them on an NFS share. FreeIPA should simply use those certificates for HTTP and LDAP and that's it. No renewing, as this is done by the acme.sh VM itself.
It isn't that simple. ipa-server-certinstall exists for a reason.
The Apache cert is in PEM files so that should be fairly straightforward to replace, but the 389 certificate needs to be imported into its NSS database. Since it's from PEM files you'd need to create a PKCS#12 file to import them. If you are re-using your key then this is a one-time operation and the new cert can be added to the NSS database using certutil. It obviously requires write access.
There is also the matter of the certificate chain. You can do this in advance of adding the LE certs by importing the chain using ipa-cacert-manage and running ipa-certupdate. You'll miss out on ipa-server-certinstall checking that the chain was actually imported properly though, along with validation of the certificates themselves.
rob
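The checks Rob lists (does the new certificate belong to the existing key, does the chain actually verify, is the certificate still valid) are what ipa-server-certinstall does for you and a hand import into the NSS database does not. The script below is an added example, not code from the thread or from the FreeIPA project: it runs those checks on the host before anything is copied into the container, builds the PKCS#12 bundle that a key change would require for 389-ds, and otherwise hands the PEM files to ipa-server-certinstall inside the container. Assumptions not taken from the thread: acme.sh produced an unencrypted PEM key and a fullchain.cer with the leaf first and the intermediates after it; the Let's Encrypt roots were already installed with ipa-cacert-manage and ipa-certupdate; the container is named freeipa-server and /tmp is writable despite --read-only; the -w, -d and --dirman-password options are those of ipa-server-certinstall, and answering its private-key unlock prompt with an empty line (what the thread's expect script did interactively) is an assumption about that prompt.

```shell
#!/bin/sh
# Added example (not from the thread or FreeIPA): validate an acme.sh
# certificate on the host, then install it into a FreeIPA container.
# Assumed layout: fullchain.cer = leaf followed by intermediates, key is
# an unencrypted PEM; LE roots already imported via ipa-cacert-manage.
set -eu

# Split acme.sh's fullchain.cer into the leaf certificate and the
# intermediates that follow it (the first PEM block is the leaf).
split_fullchain() {
    local fullchain="$1" leaf="$2" chain="$3"
    : > "$leaf"; : > "$chain"
    awk -v leaf="$leaf" -v chain="$chain" '
        /-----BEGIN CERTIFICATE-----/ { n++ }
        { print > (n == 1 ? leaf : chain) }' "$fullchain"
}

# The public key derived from the private key must equal the one in the
# certificate. Success means "the key did not change": the certificate
# alone can be swapped in; failure means a PKCS#12 import is needed.
key_matches_cert() {
    local k c
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Verify leaf -> intermediates -> a root in $roots. An empty chain file
# (single self-contained cert) is tolerated.
chain_is_valid() {
    local cert="$1" chain="$2" roots="$3"
    if [ -s "$chain" ]; then
        openssl verify -CAfile "$roots" -untrusted "$chain" "$cert" >/dev/null 2>&1
    else
        openssl verify -CAfile "$roots" "$cert" >/dev/null 2>&1
    fi
}

# Refuse a certificate that has expired or expires within $2 seconds
# (default: one day). Installing an already expired cert is what made
# ipa-server-certinstall itself fail later in this thread.
cert_not_expiring() {
    openssl x509 -in "$1" -noout -checkend "${2:-86400}" >/dev/null 2>&1
}

# Build the PKCS#12 bundle (key + leaf + intermediates) that the 389-ds
# NSS database needs when the private key changed.
make_pkcs12() {
    local key="$1" cert="$2" chain="$3" out="$4" pass="$5"
    if [ -s "$chain" ]; then
        openssl pkcs12 -export -inkey "$key" -in "$cert" -certfile "$chain" \
            -out "$out" -passout "pass:$pass"
    else
        openssl pkcs12 -export -inkey "$key" -in "$cert" \
            -out "$out" -passout "pass:$pass"
    fi
}

# Host-side orchestration: validate, copy into the container's writable
# /tmp, then let ipa-server-certinstall replace the HTTP (-w) and LDAP (-d)
# certificates (it restarts the services itself).
stage_acme_cert() {
    local key="$1" fullchain="$2" roots="$3" container="$4" dm_pass="$5"
    local work leaf chain
    work=$(mktemp -d); leaf="$work/leaf.pem"; chain="$work/chain.pem"
    split_fullchain "$fullchain" "$leaf" "$chain"
    key_matches_cert "$key" "$leaf"          || { echo "key does not match certificate" >&2; return 1; }
    chain_is_valid "$leaf" "$chain" "$roots" || { echo "chain does not verify" >&2; return 1; }
    cert_not_expiring "$leaf"                || { echo "certificate expired or expiring" >&2; return 1; }
    podman cp "$key" "$container:/tmp/server.key"
    podman cp "$fullchain" "$container:/tmp/server.crt"
    # Assumption: the unencrypted key's unlock prompt accepts an empty line.
    printf '\n' | podman exec -i "$container" ipa-server-certinstall -w -d \
        --dirman-password "$dm_pass" /tmp/server.key /tmp/server.crt
    rm -rf "$work"
}
```

Typical call from the host, with hypothetical paths: `stage_acme_cert /nfs/acme/my-domain.com.key /nfs/acme/fullchain.cer /srv/freeipa/ssl/ca/isrgrootx1.pem freeipa-server "$DM_PASSWORD"`. Because every check runs before podman is touched, a stale or mismatched bundle on the NFS share fails loudly in the cron log instead of leaving the old certificate in place until it expires.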
I'm a bit confused by the timestamps of the messages. Is @Jan's approach working, or was the "it isn't that simple..." directed at me only? For now, if @Jan is right, I would copy the certificates into the container via "/tmp" or "/data", then go into the container and execute only "ipa-server-certinstall -w -d mysite.key mysite.crt" and restart the container. That should be all right, I don't need the other commands?
On Fri, Jan 27, 2023 at 03:39:01PM -0000, Leo O via FreeIPA-users wrote:
> I'm a bit confused by the timestamps of the messages. Is @Jan's approach working, or was the "it isn't that simple..." directed at me only? For now, if @Jan is right, I would copy the certificates into the container via "/tmp" or "/data", then go into the container and execute only "ipa-server-certinstall -w -d mysite.key mysite.crt" and restart the container. That should be all right, I don't need the other commands?
My reply focused on your question "how would this be done when using freeipa in a docker/podman container".
Rob focused on your plan of integrating acme.sh / LE to your setup and implications thereof.
Ideally you'd have your acme.sh / LE setup done and verified and working on a non-containerized FreeIPA setup (on a host or in a VM) first, ironing out all the aspects Rob points out, before adding another layer of complexity of doing the same with the FreeIPA server running in a container.
I thought I had it running correctly; at the beginning it was working, but unfortunately the certificates were not updated/replaced, so I got the expired-certificate warning when trying to access the FreeIPA UI. I'm running the Docker-based freeipa-server:rocky-9-4.10.0 image and tried the following setup/files.
1-get-ca-certs.sh file:

    #!/bin/bash
    mkdir -p /srv/freeipa/ssl/{live,ca}
    CERTS=("isrgrootx1.pem" "isrg-root-x2.pem" "lets-encrypt-r3.pem" "lets-encrypt-e1.pem" "lets-encrypt-r4.pem" "lets-encrypt-e2.pem")
    for CERT in "${CERTS[@]}"
    do
        curl -o "/srv/freeipa/ssl/ca/$CERT" "https://letsencrypt.org/certs/$CERT"
    done

Then executed:

    ./1-get-ca-certs.sh
    podman cp /srv/freeipa/ssl/ freeipa-server:/tmp/

2-install-ca-certs.sh file:

    #!/bin/bash
    CERTS=("isrgrootx1.pem" "isrg-root-x2.pem" "lets-encrypt-r3.pem" "lets-encrypt-e1.pem" "lets-encrypt-r4.pem" "lets-encrypt-e2.pem")
    for CERT in "${CERTS[@]}"
    do
        podman exec freeipa-server ipa-cacert-manage install "/tmp/ssl/ca/$CERT"
    done

Then executed:

    ./2-install-ca-certs.sh
    podman exec freeipa-server ipa-certupdate

ipa-server-certinstall.sh file:

    #!/bin/bash
    runuser -l MYUSER -c 'podman exec -i freeipa-server ipa-server-certinstall -w -d /tmp/ssl/live/my-domain.com.key /tmp/ssl/live/my-domain.com.cer'

And an auto expect script, which was used in a cron job to utilise ipa-server-certinstall.sh. But obviously "podman cp /srv/freeipa/ssl/ freeipa-server:/tmp/" (copy the SSL files into the container) and "/usr/bin/expect /root/ipa-server-certinstall.exp" (execute ipa-server-certinstall.sh) wasn't enough, otherwise the cert wouldn't have expired.
When I execute it manually I get: "cannot connect to 'https://freeipa1.my-domain.com:443/acme/directory': [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: certificate has expired (_ssl.c:1129) The ipa-server-certinstall command failed."
How can I renew the expired certificate? Thanks, I appreciate any help.
On Fri, Aug 25, 2023 at 10:54:45AM -0000, Leo O via FreeIPA-users wrote:
> I thought I had it running correctly; at the beginning it was working, but unfortunately the certificates were not updated/replaced, so I got the expired-certificate warning when trying to access the FreeIPA UI. I'm running the Docker-based freeipa-server:rocky-9-4.10.0 image and tried the following setup/files.
>
> 1-get-ca-certs.sh file:
>
>     #!/bin/bash
>     mkdir -p /srv/freeipa/ssl/{live,ca}
>     CERTS=("isrgrootx1.pem" "isrg-root-x2.pem" "lets-encrypt-r3.pem" "lets-encrypt-e1.pem" "lets-encrypt-r4.pem" "lets-encrypt-e2.pem")
>     for CERT in "${CERTS[@]}"
>     do
>         curl -o "/srv/freeipa/ssl/ca/$CERT" "https://letsencrypt.org/certs/$CERT"
>     done
>
> Then executed:
>
>     ./1-get-ca-certs.sh
>     podman cp /srv/freeipa/ssl/ freeipa-server:/tmp/
>
> 2-install-ca-certs.sh file:
>
>     #!/bin/bash
>     CERTS=("isrgrootx1.pem" "isrg-root-x2.pem" "lets-encrypt-r3.pem" "lets-encrypt-e1.pem" "lets-encrypt-r4.pem" "lets-encrypt-e2.pem")
>     for CERT in "${CERTS[@]}"
>     do
>         podman exec freeipa-server ipa-cacert-manage install "/tmp/ssl/ca/$CERT"
>     done
>
> Then executed:
>
>     ./2-install-ca-certs.sh
>     podman exec freeipa-server ipa-certupdate
>
> ipa-server-certinstall.sh file:
>
>     #!/bin/bash
>     runuser -l MYUSER -c 'podman exec -i freeipa-server ipa-server-certinstall -w -d /tmp/ssl/live/my-domain.com.key /tmp/ssl/live/my-domain.com.cer'
>
> And an auto expect script, which was used in a cron job to utilise ipa-server-certinstall.sh. But obviously "podman cp /srv/freeipa/ssl/ freeipa-server:/tmp/" (copy the SSL files into the container) and "/usr/bin/expect /root/ipa-server-certinstall.exp" (execute ipa-server-certinstall.sh) wasn't enough, otherwise the cert wouldn't have expired.
> When I execute it manually I get: "cannot connect to 'https://freeipa1.my-domain.com:443/acme/directory': [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: certificate has expired (_ssl.c:1129) The ipa-server-certinstall command failed."
> How can I renew the expired certificate?
Having googled around a bit, the debugging steps from
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahost...
might be applicable for your case as well.
I was googling too, but couldn't really find anything helpful. To me it looks like a big pain in the ass, this custom certificate handling in FreeIPA, especially when using FreeIPA inside Docker. I haven't even updated it in a while; who knows what other issues I will face when trying that. Do you know how (if it is even possible) to revert all that SSL cert stuff back to the default behaviour? I think it was with FreeIPA self-signed certificates. I added Keycloak some weeks ago, so maybe I'll just switch all the apps that were using LDAPS to OpenID Connect via Keycloak.
Leo O via FreeIPA-users wrote:
> I was googling too, but couldn't really find anything helpful. To me it looks like a big pain in the ass, this custom certificate handling in FreeIPA, especially when using FreeIPA inside Docker. I haven't even updated it in a while; who knows what other issues I will face when trying that.
It is only a pain if you don't renew them on time. It's a manual thing. With the IPA CA it is more (or less) automatic.
> Do you know how (if it is even possible) to revert all that SSL cert stuff back to the default behaviour? I think it was with FreeIPA self-signed certificates.
You'd need to set the system time back to when the certificates are valid. You can do this to install the new certs as well.
If the keys didn't change you can also just replace the existing certificates with the new ones. Also possible if the private keys changed but it'd require conversion to PKCS#12 first.
rob
Hm okay, changing the system time to replace my custom Let's Encrypt cert, but what about reverting to the default cert? Is there something that doesn't involve messing with the system time, I don't know, maybe somehow removing the Let's Encrypt CA (ipa-cacert-manage) and reverting to how it was at the beginning? I can't even log in to FreeIPA anymore; I tried with the admin account and get "Login failed due to an unknown reason".
So after setting the system time I could simply "ipa-server-certinstall" the new SSL cert; nevertheless I would still like to revert to the default CA behaviour. Are there any commands or settings inside FreeIPA for that? If that isn't easily achievable, what about "ipa-backup --data", deleting the Docker volume, re-installing/re-deploying the Docker container and then "ipa-restore ..." only this data? Will this work, will it contain all users and groups? That's basically all I'm using in FreeIPA; I used it only for LDAP login.