Leo O via FreeIPA-users wrote:
> Hello Guys,
>
> I would like to use custom ssl certificates for http and ldap. I saw the
> following:
> https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
>
> But I wonder how this would be done when using freeipa in a docker/podman
> container. I mean the container is started with the "--read-only" flag, so it's
> not clear to me what the correct approach here would be. I hope it's not that
> you have to rebuild your own image with the ssl certificates every time?
>
> Background Info: I'm using acme.sh in a VM, which creates my wildcard
> letsencrypt certificates and puts them on an nfs share. Freeipa should simply
> use those certificates for http and ldap and that's it. No renewing, as this is
> done by the acme.sh VM itself.
It isn't that simple. ipa-server-certinstall exists for a reason.

The Apache cert is in PEM files so that should be fairly straightforward to replace, but the 389 certificate needs to be imported into its NSS database. Since it's from PEM files you'd need to create a PKCS#12 file to import them. If you are re-using your key then this is a one-time operation and the new cert can be added to the NSS database using certutil. It obviously requires write access.

There is also the matter of the certificate chain. You can do this in advance of adding the LE certs by importing the chain using ipa-cacert-manage and running ipa-certupdate.

You'll miss out on ipa-server-certinstall checking that the chain was actually imported properly though, along with validation of the certificates themselves.

rob

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
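The manual workflow described in the reply above, written out as an added shell example (not code from this thread or from the FreeIPA project): openssl bundles the PEM key, leaf and chain into a PKCS#12 and pre-validates the chain, pk12util or certutil does the NSS import, and ipa-cacert-manage plus ipa-certupdate install the issuing chain. The 389-ds instance directory (/etc/dirsrv/slapd-EXAMPLE-COM), its password file name and the Server-Cert nickname are assumptions to be checked against the real deployment; the verify_chain and count_p12_certs helpers stand in for the checks ipa-server-certinstall would otherwise have done.

```shell
#!/bin/sh
# Added example, not code from the thread or from the FreeIPA project.
# Assumes openssl is on PATH. The instance directory, slot password file and
# nickname used in the comments/usage below are assumptions for illustration.
set -eu

# Bundle the PEM key, leaf certificate and issuing chain into one PKCS#12,
# which is what pk12util needs because 389-ds keeps its certs in an NSS db.
# Args: key.pem cert.pem chain.pem out.p12 password nickname
build_pkcs12() {
    openssl pkcs12 -export -inkey "$1" -in "$2" -certfile "$3" \
        -name "$6" -out "$4" -passout "pass:$5"
}

# Validate the leaf against the chain before touching the NSS database.
# Args: cert.pem chain.pem ; returns 0 only if the chain verifies
verify_chain() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Count the certificates inside the PKCS#12 to confirm the chain was really
# bundled (leaf alone prints 1, leaf plus one issuer prints 2).
# Args: file.p12 password
count_p12_certs() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

# Import the PKCS#12 into the 389-ds NSS database. The instance directory must
# be writable, so with a --read-only container mount it as a volume.
# Args: file.p12 password nssdir slot-password-file
# e.g.: import_into_nss server.p12 secret /etc/dirsrv/slapd-EXAMPLE-COM \
#           /etc/dirsrv/slapd-EXAMPLE-COM/pwdfile.txt     (paths assumed)
import_into_nss() {
    pk12util -i "$1" -W "$2" -d "$3" -k "$4"
}

# When the existing key is re-used only the certificate changes: add it under
# the nickname the key already has instead of importing a PKCS#12.
# Args: cert.pem nssdir slot-password-file nickname
add_cert_to_existing_key() {
    certutil -A -d "$2" -f "$3" -n "$4" -t ",," -a -i "$1"
}

# Install the issuing chain into IPA before the LE certs go in, then refresh
# the trust stores on every server with ipa-certupdate.
# Args: chain.pem nickname
install_chain() {
    ipa-cacert-manage install "$1" -n "$2" -t C,,
    ipa-certupdate
}
```

Run verify_chain and count_p12_certs on the NFS-delivered files before every import: a wildcard certificate whose intermediate did not make it into the bundle will import cleanly with pk12util and only fail later when clients try to build the chain.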