Hi Rob,

Bug reports in GitHub are probably easiest. The good thing about implementing as a Certbot plugin is that hopefully their ACME implementation is correct and up to date.

On Wed, Mar 21, 2018 at 9:31 AM, Rob Crittenden <rcrit...@redhat.com> wrote:

> Antonia Stevens wrote:
> > Per previous suggestions I've created a proof of concept implementation
> > using Certmonger and Certbot.
> >
> > At this stage I have a working prototype that can request certificates
> > and thought I'd solicit feedback before doing further work.
> >
> > The PoC can be found on my github account, I also registered a domain
> > (cerlet.com) to go with it which I intend to set up
> > so that it can be used for public testing, is there a public FreeIPA
> > test server that could be conveniently set up as an authoritative DNS
> > server for the domain and will allow users to sign up and authenticate
> > using kerberos?
> >
> > https://github.com/antevens/cerlet
>
> I haven't forgotten about this :-)
>
> I've started reviewing the code but I need to understand certbot and my
> knowledge of ACME has atrophied as well so the going has been a bit slow
> so far.
>
> How would you prefer feedback on the code?
>
> rob
>
> > On Fri, Oct 13, 2017 at 8:41 AM, Rob Crittenden <rcrit...@redhat.com> wrote:
> >
> >     Antonia Stevens via FreeIPA-devel wrote:
> >
> >         Thanks for the feedback Rob,
> >
> >         I've updated the scripts with your suggestions except for using
> >         certmonger which is probably more work, I've created GitHub issue for
> >         refactoring using certmonger.
> >
> >     Awesome. I wonder if we should link to this on the freeipa wiki.
> >     There is quite a lot of interest in LE certs and being able to
> >     handle renewal, even if via a cronjob, makes it far easier to use.
> >
> >     cheers
> >
> >     rob
> >
> >         - Antonia
> >
> >         On Thu, Oct 12, 2017 at 3:18 AM, Rob Crittenden <rcrit...@redhat.com> wrote:
> >
> >             Antonia Stevens via FreeIPA-devel wrote:
> >
> >                 Hi,
> >
> >                 Thought I should introduce myself and post a link to some recent
> >                 work which might be relevant for some of you.
> >
> >                 My name is Antonia Stevens and I'm a DevOps Engineer and long time
> >                 FreeIPA user.
> >
> >                 We recently had a need to get proper certs for IPA servers in
> >                 AWS which means they have multiple IPs/DNS Names/Principals, since
> >                 I could not find anything I hacked together a couple of bash scripts
> >                 to make it a bit easier.
> >
> >                 https://github.com/antevens/letsencrypt-freeipa
> >
> >                 Thanks for all the great work and depending on my schedule I
> >                 might try to contribute a bit more going forward.
> >
> >             This looks very cool. I haven't executed it yet but from reading the
> >             scripts here are a few ideas/suggestions.
> >
> >             - it may be better to get the kerberos realm from
> >               /etc/ipa/default.conf
> >             - I have the feeling this requires at least IPA v4.5.0. Probably
> >               worthwhile to document which version(s) are known to work
> >             - A cronjob wouldn't be necessary if certmonger was used to do the
> >               renewal. The script would need to be modified to work as a
> >               certmonger CA but then it could handle restarting the
> >               services, etc.
> >
> >             rob
> >
> >             _______________________________________________
> >             FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
> >             To unsubscribe send an email to
> >             freeipa-devel-le...@lists.fedorahosted.org
> >
> > --
> > Antonia Stevens
> > a...@antevens.com
> > +1 416 888 6908

--
Antonia Stevens
a...@antevens.com
+1 416 888 6908