[Freeipa-devel] Re: Lets Encrypt scripts for multiple principals and Web/LDAP
Hi Rob,

Bug reports in github are probably easiest, the good thing about implementing as a Certbot plugin is that hopefully their ACME implementation is correct and up to date.

On Wed, Mar 21, 2018 at 9:31 AM, Rob Crittenden wrote:
> Antonia Stevens wrote:
> > Per previous suggestions I've created a proof of concept implementation
> > using Certmonger and Certbot.
> >
> > At this stage I have a working prototype that can request certificates
> > and thought I'd solicit feedback before doing further work.
> >
> > The PoC can be found on my github account, I also registered a domain
> > (cerlet.com) to go with it which I intend to set up so that it can be
> > used for public testing, is there a public FreeIPA test server that could
> > be conveniently set up as an authoritative DNS server for the domain and
> > will allow users to sign up and authenticate using kerberos?
> >
> > https://github.com/antevens/cerlet
>
> I haven't forgotten about this :-)
>
> I've started reviewing the code but I need to understand certbot and my
> knowledge of ACME has atrophied as well so the going has been a bit slow
> so far.
>
> How would you prefer feedback on the code?
>
> rob
>
> > On Fri, Oct 13, 2017 at 8:41 AM, Rob Crittenden <rcrit...@redhat.com> wrote:
> > > Antonia Stevens via FreeIPA-devel wrote:
> > > > Thanks for the feedback Rob,
> > > >
> > > > I've updated the scripts with your suggestions except for using
> > > > certmonger which is probably more work, I've created GitHub issue for
> > > > refactoring using certmonger.
> > >
> > > Awesome. I wonder if we should link to this on the freeipa wiki.
> > > There is quite a lot of interest in LE certs and being able to
> > > handle renewal, even if via a cronjob, makes it far easier to use.
> > >
> > > cheers
> > >
> > > rob
> > >
> > > > - Antonia
> > > >
> > > > On Thu, Oct 12, 2017 at 3:18 AM, Rob Crittenden <rcrit...@redhat.com> wrote:
> > > > > Antonia Stevens via FreeIPA-devel wrote:
> > > > > > Hi,
> > > > > >
> > > > > > Thought I should introduce myself and post a link to some recent
> > > > > > work which might be relevant for some of you.
> > > > > >
> > > > > > My name is Antonia Stevens and I'm a DevOps Engineer and long time
> > > > > > FreeIPA user.
> > > > > >
> > > > > > We recently had a need to get proper certs for IPA servers in AWS
> > > > > > which means they have multiple IPs/DNS Names/Principals, since I
> > > > > > could not find anything I hacked together a couple of bash scripts
> > > > > > to make it a bit easier.
> > > > > >
> > > > > > https://github.com/antevens/letsencrypt-freeipa
> > > > > >
> > > > > > Thanks for all the great work and depending on my schedule I
> > > > > > might try to contribute a bit more going forward.
> > > > >
> > > > > This looks very cool. I haven't executed it yet but from reading the
> > > > > scripts here are a few ideas/suggestions.
> > > > >
> > > > > - it may be better to get the kerberos realm from /etc/ipa/default.conf
> > > > > - I have the feeling this requires at least IPA v4.5.0. Probably
> > > > >   worthwhile to document which version(s) are known to work
> > > > > - A cronjob wouldn't be necessary if certmonger was used to do the
> > > > >   renewal. The script would need to be modified to work as a
> > > > >   certmonger CA but then it could handle restarting the services, etc.
> > > > >
> > > > > rob
> > > >
> > > > --
> > > > Antonia Stevens
> > > > a...@antevens.com
> > > > +1 416 888 6908

--
Antonia Stevens
a...@antevens.com
+1 416 888 6908

___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
[Freeipa-devel] Re: Lets Encrypt scripts for multiple principals and Web/LDAP
Per previous suggestions I've created a proof of concept implementation using Certmonger and Certbot.

At this stage I have a working prototype that can request certificates and thought I'd solicit feedback before doing further work.

The PoC can be found on my github account, I also registered a domain (cerlet.com) to go with it which I intend to set up so that it can be used for public testing, is there a public FreeIPA test server that could be conveniently set up as an authoritative DNS server for the domain and will allow users to sign up and authenticate using kerberos?

https://github.com/antevens/cerlet

On Fri, Oct 13, 2017 at 8:41 AM, Rob Crittenden wrote:
> Antonia Stevens via FreeIPA-devel wrote:
> > Thanks for the feedback Rob,
> >
> > I've updated the scripts with your suggestions except for using
> > certmonger which is probably more work, I've created GitHub issue for
> > refactoring using certmonger.
>
> Awesome. I wonder if we should link to this on the freeipa wiki. There is
> quite a lot of interest in LE certs and being able to handle renewal, even
> if via a cronjob, makes it far easier to use.
>
> cheers
>
> rob
>
> > - Antonia
> >
> > On Thu, Oct 12, 2017 at 3:18 AM, Rob Crittenden <rcrit...@redhat.com> wrote:
> > > Antonia Stevens via FreeIPA-devel wrote:
> > > > Hi,
> > > >
> > > > Thought I should introduce myself and post a link to some recent
> > > > work which might be relevant for some of you.
> > > >
> > > > My name is Antonia Stevens and I'm a DevOps Engineer and long time
> > > > FreeIPA user.
> > > >
> > > > We recently had a need to get proper certs for IPA servers in
> > > > AWS which means they have multiple IPs/DNS Names/Principals, since
> > > > I could not find anything I hacked together a couple of bash scripts
> > > > to make it a bit easier.
> > > >
> > > > https://github.com/antevens/letsencrypt-freeipa
> > > >
> > > > Thanks for all the great work and depending on my schedule I
> > > > might try to contribute a bit more going forward.
> > >
> > > This looks very cool. I haven't executed it yet but from reading the
> > > scripts here are a few ideas/suggestions.
> > >
> > > - it may be better to get the kerberos realm from /etc/ipa/default.conf
> > > - I have the feeling this requires at least IPA v4.5.0. Probably
> > >   worthwhile to document which version(s) are known to work
> > > - A cronjob wouldn't be necessary if certmonger was used to do the
> > >   renewal. The script would need to be modified to work as a
> > >   certmonger CA but then it could handle restarting the services, etc.
> > >
> > > rob

--
Antonia Stevens
a...@antevens.com
+1 416 888 6908
[Freeipa-devel] Re: freeIPA certificate with Let’s Encrypt
I actually had Rob Crittenden point that issue out to me and encourage me to work on this after I created the shell scripts as a quick fix to solve our immediate internal need. Now I'm dreaming of a day where I can automatically issue and renew certs signed by a publicly trusted CA across our entire infrastructure, internal and external.

I've been playing around with APIs and libraries for a couple of days now and I think the most promising approach is to create one library/project that's both a plugin for CertBot (the official ACME/Let's Encrypt client) and a helper for Certmonger at the same time. This would allow any server with Certbot installed to authenticate using FreeIPA/DNS and allow any server with Certmonger to get Let's Encrypt certs.

Any/All suggestions are welcome.

On Wed, Jan 3, 2018 at 4:46 AM, Martin Kosek wrote:
> On 01/02/2018 12:16 PM, Antonia Stevens via FreeIPA-devel wrote:
> > Hey Martin and Paride,
> >
> > There are also some scripts which use DNS auth and allow multiple DNS
> > names/aliases/principals:
> >
> > https://github.com/antevens/letsencrypt-freeipa
> >
> > In addition to that I recently started work on a Certmonger helper which
> > would allow one to use Let's Encrypt certs for the entire infrastructure
> > automatically:
> >
> > https://github.com/antevens/cerlet
>
> Cool! Sounds quite interesting! We have thought about supporting Let's
> Encrypt/ACME in FreeIPA/certmonger also:
> https://pagure.io/freeipa/issue/4751
> but did not get to it yet.
>
> Martin

--
Antonia Stevens
a...@antevens.com
+1 416 888 6908
[Freeipa-devel] Re: freeIPA certificate with Let’s Encrypt
Hey Martin and Paride,

There are also some scripts which use DNS auth and allow multiple DNS names/aliases/principals:

https://github.com/antevens/letsencrypt-freeipa

In addition to that I recently started work on a Certmonger helper which would allow one to use Let's Encrypt certs for the entire infrastructure automatically:

https://github.com/antevens/cerlet

--
Antonia Stevens
a...@antevens.com
+1 416 888 6908

On Tue, Jan 2, 2018 at 4:54 AM, Martin Kosek via FreeIPA-devel <freeipa-devel@lists.fedorahosted.org> wrote:
> On 12/21/2017 09:27 AM, paride.buetti--- via FreeIPA-devel wrote:
> > Here the procedure to use Let’s Encrypt certificate with freeIPA
> >
> > Download isrgrootx1 certificate:
> >
> > # wget https://letsencrypt.org/certs/isrgrootx1.pem.txt
> > # mv isrgrootx1.pem.txt isrgrootx1.pem
> >
> > Download letsencryptauthorityx3 certificate:
> >
> > # wget https://letsencrypt.org/certs/letsencryptauthorityx3.pem.txt
> > # mv letsencryptauthorityx3.pem.txt letsencryptauthorityx3.pem
> >
> > Install CA to freeIPA
> >
> > # ipa-cacert-manage install isrgrootx1.pem -n ISRGRootX1 -t ,,
> > # ipa-cacert-manage install letsencryptauthorityx3.pem -n letsencryptx3 -t C,,
> >
> > I added DSTRootCAX3 certificate, but I'm not sure if it's necessary
> >
> > # create a file DSTRootCAX3.pem with the content of https://www.identrust.com/certificates/trustid/root-download-x3.html
> > # ipa-cacert-manage install DSTRootCAX3.pem -n DSTRootCAX3 -t ,,
> >
> > Update certificates
> >
> > # kinit admin
> > # ipa-certupdate
> >
> > Install Let’s Encrypt certificate (I used a DNS-01 challenge: http://letsencrypt.readthedocs.io/en/latest/challenges.html)
> >
> > # ipa-server-certinstall -w -d /etc/letsencrypt/live/your.doma.in/privkey.pem /etc/letsencrypt/live/your.doma.in/fullchain.pem --pin=
> >
> > Restart the system
> >
> > # systemctl restart httpd.service
> > # systemctl restart dirsrv@BLACKPOINTS-CH.service
> >
> > or
> >
> > # ipactl restart
> >
> > That's all
>
> Thanks for contributing! FreeIPA actually has some shared scripts
> already hosted in the team's GitHub repo:
>
> https://github.com/freeipa/freeipa-letsencrypt
>
> that look quite similar to what you came up with. Maybe you want to
> either use or contribute to these shared scripts?
>
> Martin
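The procedure quoted above hands certbot's privkey.pem and fullchain.pem straight to ipa-server-certinstall. The following is an added example, not code from the thread or from any of the linked projects: a POSIX shell pre-flight check that refuses to proceed when the private key is readable by anyone but its owner, when the key file is not PEM, or when fullchain.pem does not actually carry an intermediate alongside the leaf. It runs here against a constructed placeholder fixture rather than real certbot output, and assumes GNU stat for the permission check.

```shell
#!/bin/sh
# Added example, not from the thread or the linked projects: pre-flight
# checks on a certbot "live" directory before its files go to
# ipa-server-certinstall. The fixture built below is a placeholder, not a
# real key or certificate. GNU stat is assumed for the permission check.

# Return 0 when DIR looks safe to install from, 1 otherwise. Checks that
# privkey.pem and fullchain.pem exist, that the key is readable by its owner
# only, that the key file is PEM, and that fullchain.pem carries the leaf
# plus at least one intermediate (a bare leaf leaves clients without a chain).
preflight_certinstall() {
    dir=$1
    key=$dir/privkey.pem
    chain=$dir/fullchain.pem
    if [ ! -f "$key" ] || [ ! -f "$chain" ]; then
        echo "missing privkey.pem or fullchain.pem in $dir" >&2
        return 1
    fi
    mode=$(stat -c '%a' "$key")
    case "$mode" in
        *00) ;;   # 600, 400, 700: no group or other bits set
        *) echo "$key is mode $mode; expected owner-only (e.g. 600)" >&2; return 1 ;;
    esac
    if ! grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$key"; then
        echo "$key is not a PEM private key" >&2
        return 1
    fi
    ncerts=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$chain" || true)
    if [ "$ncerts" -lt 2 ]; then
        echo "$chain holds $ncerts certificate(s); expected leaf plus intermediate" >&2
        return 1
    fi
    return 0
}

# Print (do not run) the install command from the quoted procedure for DIR,
# only if the pre-flight check passes.
certinstall_command() {
    preflight_certinstall "$1" || return 1
    printf 'ipa-server-certinstall -w -d %s %s\n' "$1/privkey.pem" "$1/fullchain.pem"
}

# Build a constructed fixture: DIR with a placeholder key at KEYMODE and a
# fullchain.pem holding NCERTS placeholder certificate blocks.
make_fixture() {
    dir=$1; keymode=$2; ncerts=$3
    mkdir -p "$dir"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'PLACEHOLDER' '-----END PRIVATE KEY-----' > "$dir/privkey.pem"
    chmod "$keymode" "$dir/privkey.pem"
    : > "$dir/fullchain.pem"
    i=0
    while [ "$i" -lt "$ncerts" ]; do
        printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER' '-----END CERTIFICATE-----' >> "$dir/fullchain.pem"
        i=$((i + 1))
    done
}

# Stand-alone demo: one good fixture, one with a world-readable key.
demo=$(mktemp -d)
make_fixture "$demo/good" 600 2
make_fixture "$demo/leaky" 644 2
certinstall_command "$demo/good"
certinstall_command "$demo/leaky" || echo "leaky fixture correctly refused"
rm -rf "$demo"
```

On a real server the call would be `preflight_certinstall /etc/letsencrypt/live/your.doma.in` before the install step; the check is cheap to repeat from whatever renewal hook eventually drives ipa-server-certinstall.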
[Freeipa-devel] Re: Lets Encrypt scripts for multiple principals and Web/LDAP
Hi Felipe,

I believe I would need editor rights to that page to add a link, seeing as I've not contributed to the FreeIPA project before I don't have the permissions needed. Perhaps someone else could add the link or direct me on how to obtain the required permissions.

On Sun, Oct 15, 2017 at 6:11 AM, Felipe Barreto Volpone wrote:
> I think we could add an item "Lets Encrypt" in the "Additional Resources"
> section in page User Guides [1]
> Antonia, could you please add a link to your projects/script there?
>
> [1] http://www.freeipa.org/page/Documentation#User_Guides
>
> On Fri, Oct 13, 2017 at 4:45 PM, Antonia Stevens via FreeIPA-devel <freeipa-devel@lists.fedorahosted.org> wrote:
> > Ultimately it would be really nice to use certmonger in such a way that
> > any/all servers registered would be able to get a LE cert for any number of
> > principals or possibly even using LE certs for all servers but I think
> > that's beyond my scope right now (and should not use bash).
> >
> > - Antonia
[Freeipa-devel] Re: Lets Encrypt scripts for multiple principals and Web/LDAP
Ultimately it would be really nice to use certmonger in such a way that any/all servers registered would be able to get a LE cert for any number of principals or possibly even using LE certs for all servers but I think that's beyond my scope right now (and should not use bash).

- Antonia
[Freeipa-devel] Re: Lets Encrypt scripts for multiple principals and Web/LDAP
Thanks for the feedback Rob,

I've updated the scripts with your suggestions except for using certmonger which is probably more work, I've created GitHub issue for refactoring using certmonger.

- Antonia

On Thu, Oct 12, 2017 at 3:18 AM, Rob Crittenden wrote:
> Antonia Stevens via FreeIPA-devel wrote:
> > Hi,
> >
> > Thought I should introduce myself and post a link to some recent work
> > which might be relevant for some of you.
> >
> > My name is Antonia Stevens and I'm a DevOps Engineer and long time
> > FreeIPA user.
> >
> > We recently had a need to get proper certs for IPA servers in AWS which
> > means they have multiple IPs/DNS Names/Principals, since I could not
> > find anything I hacked together a couple of bash scripts to make it a
> > bit easier.
> >
> > https://github.com/antevens/letsencrypt-freeipa
> >
> > Thanks for all the great work and depending on my schedule I might try
> > to contribute a bit more going forward.
>
> This looks very cool. I haven't executed it yet but from reading the
> scripts here are a few ideas/suggestions.
>
> - it may be better to get the kerberos realm from /etc/ipa/default.conf
> - I have the feeling this requires at least IPA v4.5.0. Probably
>   worthwhile to document which version(s) are known to work
> - A cronjob wouldn't be necessary if certmonger was used to do the
>   renewal. The script would need to be modified to work as a certmonger CA
>   but then it could handle restarting the services, etc.
>
> rob
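Two of Rob's suggestions above, reading the realm from /etc/ipa/default.conf and handling a server that answers under several DNS names and principals, as an added shell example that is not code from letsencrypt-freeipa or any other project in the thread. The default.conf content is constructed, and the file path is a parameter so the functions can run against a temporary copy. The functions derive the certbot `-d` list and the matching HTTP/ and ldap/ service principals from the config, and refuse any name that falls outside the IPA domain so a typo cannot turn into a certificate request for a name the IPA DNS zone does not control.

```shell
#!/bin/sh
# Added example, not part of the thread's scripts. Reads realm/domain/host
# from an ipa default.conf (a constructed copy is written below) and derives
# the names and principals a multi-name IPA server needs.

# Print the value of KEY from an ipa default.conf: "key = value" lines,
# whitespace tolerated, first match wins. Assumes the single [global]
# section layout that /etc/ipa/default.conf uses.
ipa_conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# Print the SAN list for the server: its host entry plus any aliases passed
# as arguments, one per line, de-duplicated. Every name must sit inside the
# IPA domain; otherwise fail rather than request a name outside the zone.
build_san_list() {
    file=$1
    shift
    domain=$(ipa_conf_get "$file" domain)
    host=$(ipa_conf_get "$file" host)
    if [ -z "$domain" ] || [ -z "$host" ]; then
        echo "domain or host missing in $file" >&2
        return 1
    fi
    for name in "$host" "$@"; do
        case "$name" in
            *."$domain") ;;
            *) echo "refusing name outside $domain: $name" >&2; return 1 ;;
        esac
    done
    printf '%s\n' "$host" "$@" | awk '!seen[$0]++'
}

# Print certbot's repeated "-d NAME" arguments for the SAN list on one line
# (printed for inspection; certbot itself is not invoked here).
certbot_domain_args() {
    names=$(build_san_list "$@") || return 1
    printf '%s\n' "$names" | awk '{ printf "%s-d %s", (NR > 1 ? " " : ""), $0 } END { print "" }'
}

# Print the Kerberos service principals FreeIPA uses for the web and LDAP
# services (HTTP/ and ldap/) for every SAN name, in the realm from default.conf.
service_principals() {
    file=$1
    realm=$(ipa_conf_get "$file" realm)
    if [ -z "$realm" ]; then
        echo "realm missing in $file" >&2
        return 1
    fi
    names=$(build_san_list "$@") || return 1
    printf '%s\n' "$names" | while read -r name; do
        printf 'HTTP/%s@%s\nldap/%s@%s\n' "$name" "$realm" "$name" "$realm"
    done
}

# Write a constructed default.conf (sample values, not a real deployment).
write_sample_conf() {
    cat > "$1" <<'EOF'
[global]
basedn = dc=example,dc=test
realm = EXAMPLE.TEST
domain = example.test
server = ipa.example.test
host = ipa.example.test
xmlrpc_uri = https://ipa.example.test/ipa/xml
EOF
}

# Stand-alone demo against the constructed config in a temp dir.
demo_dir=$(mktemp -d)
write_sample_conf "$demo_dir/default.conf"
echo "realm:   $(ipa_conf_get "$demo_dir/default.conf" realm)"
echo "certbot: $(certbot_domain_args "$demo_dir/default.conf" ldap.example.test)"
service_principals "$demo_dir/default.conf" ldap.example.test
rm -rf "$demo_dir"
```

Against a live server the file argument would simply be /etc/ipa/default.conf; the domain check is the part worth keeping whatever drives the request, because a DNS-01 validated order for a name outside the zone can only fail after the script has already tried to create records for it.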
[Freeipa-devel] Lets Encrypt scripts for multiple principals and Web/LDAP
Hi,

Thought I should introduce myself and post a link to some recent work which might be relevant for some of you.

My name is Antonia Stevens and I'm a DevOps Engineer and long time FreeIPA user.

We recently had a need to get proper certs for IPA servers in AWS which means they have multiple IPs/DNS Names/Principals, since I could not find anything I hacked together a couple of bash scripts to make it a bit easier.

https://github.com/antevens/letsencrypt-freeipa

Thanks for all the great work and depending on my schedule I might try to contribute a bit more going forward.

Antonia Stevens
@antevens
a...@antevens.com
https://github.com/antevens/