@cweiland
Forked from rechner/freeipa-proxmox.sh
Last active July 11, 2025 22:09
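# Set up Proxmox with a certificate issued by FreeIPA.
# This assumes the machine is already joined with ipa-client-install.

# Get a ticket as someone who can issue certificates.
kinit admin

# Post-save hook that certmonger runs after it writes a new certificate.
# The heredoc delimiter is unquoted on purpose: $(hostname) is expanded now,
# while the escaped \${FILES[@]} is written literally for the hook to expand.
cat <<EOF > /usr/local/sbin/set-ssl-permissions
#!/bin/bash
FILES=(/etc/pve/nodes/$(hostname)/{pve-ssl.key,pve-ssl.pem})
chown root:www-data "\${FILES[@]}"
chmod 640 "\${FILES[@]}"
systemctl restart pveproxy
EOF
chmod a+x /usr/local/sbin/set-ssl-permissions

# Keep the existing key and certificate as .old backups.
mv /etc/pve/nodes/$(hostname)/pve-ssl.key{,.old}
mv /etc/pve/nodes/$(hostname)/pve-ssl.pem{,.old}

# Request the certificate and have certmonger track it under the ID "pveproxy".
# The HTTP/<fqdn> service principal named by -K must already exist in IPA.
ipa-getcert request -N $(hostname -f) -K HTTP/$(hostname -f) -k /etc/pve/nodes/$(hostname)/pve-ssl.key -f /etc/pve/nodes/$(hostname)/pve-ssl.pem -I pveproxy -C /usr/local/sbin/set-ssl-permissions

# Check that the request is not "stuck" and that no "ca-error" is listed.
ipa-getcert list
systemctl restart pveproxy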
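
The manual check of the `ipa-getcert list` output can be scripted. The following is an added example, not part of the original gist: `check_tracking` is a hypothetical helper, and the two sample listings are constructed.

```shell
#!/bin/bash
# Added example (not from the original gist). check_tracking is a hypothetical
# helper: it reads `ipa-getcert list` output on stdin and succeeds only if the
# named request is in MONITORING, is not stuck, and reports no ca-error.
check_tracking() {
    awk -v id="$1" '
        # A header line opens each request block; \047 is a single quote.
        /^Request ID / {
            in_req = ($0 == "Request ID \047" id "\047:")
            if (in_req) found = 1
            next
        }
        !in_req { next }
        { sub(/^[ \t]+/, "") }                      # fields are tab-indented
        /^status: /   { status = substr($0, 9) }
        /^stuck: /    { stuck  = substr($0, 8) }
        /^ca-error: / { caerr  = substr($0, 11) }
        END {
            if (!found) { print "request " id " is not tracked"; exit 1 }
            if (status != "MONITORING") { print "status is " status; rc = 1 }
            if (stuck != "no")          { print "stuck: " stuck; rc = 1 }
            if (caerr != "")            { print "ca-error: " caerr; rc = 1 }
            exit rc + 0
        }'
}

# Constructed sample: a healthy request for the ID used in this gist.
sample_ok() {
    printf "Number of certificates and requests being tracked: 1.\n"
    printf "Request ID 'pveproxy':\n\tstatus: MONITORING\n\tstuck: no\n"
    printf "\tCA: IPA\n\ttrack: yes\n\tauto-renew: yes\n"
}

# Constructed sample: the CA refused the request (error text is illustrative).
sample_failed() {
    printf "Number of certificates and requests being tracked: 1.\n"
    printf "Request ID 'pveproxy':\n\tstatus: CA_UNREACHABLE\n"
    printf "\tca-error: Server at https://ipa.example.test/ipa/xml denied our request, giving up.\n"
    printf "\tstuck: no\n\tCA: IPA\n"
}

# On a real node: ipa-getcert list -i pveproxy | check_tracking pveproxy
```

A non-zero exit status means the certificate has not been issued or renewed, so pveproxy may still be serving the old certificate or none at all.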