Skip to content

Instantly share code, notes, and snippets.

@lijikun

lijikun/letsencrypt-freeipa.md

Last active August 27, 2024 09:47
Show Gist options
  • Save lijikun/8b2b3350bce9aed7df3009e76541929c to your computer and use it in GitHub Desktop.
Save lijikun/8b2b3350bce9aed7df3009e76541929c to your computer and use it in GitHub Desktop.
Download ZIP
Use Let's Encrypt Certificate for FreeIPA Server on CentOS 8
Raw
letsencrypt-freeipa.md

How to Add Let's Encrypt Certificates on a CentOS 8 FreeIPA Server

References

https://certbot.eff.org/lets-encrypt/centosrhel8-apache.html

https://github.com/antevens/letsencrypt-freeipa

https://github.com/antevens/letsencrypt-freeipa

Prequisites

A CentOS 8 server with FreeIPA installed and configured, which implies it also has a working Apache server and a working firewall configuration.

Let's assume its domain name is ipa-server.example.test, which should be replaced with the domain name of your own.

Steps

  • Log into your server and become root with e.g. sudo -i.

  • Install Certbot: dnf install certbot python3-certbot-apache

  • Edit Apache configuration /etc/httpd/conf/httpd.conf to open a listening virtual host at port 80. Add the following to the file:

    Listen 80
<VirtualHost *:80>
        DocumentRoot "/var/www/html"
        ServerName ipaserver.example.test
</VirtualHost>

    Run systemctl restart httpd to restart Apache.

  • Run Certbot to obtain the certificates: certbot certonly --apache

You should get a multiple choice question. Choose the right option including your domain name and hit Enter.

If successful, your certs should be stored at /etc/letsencrypt/live/ipa-server.example.test

  • Add Let's Encrypt CA to FreeIPA:

    cd /root
wget https://letsencrypt.org/certs/isrgrootx1.pem
wget https://letsencrypt.org/certs/letsencryptauthorityx3.pem
ipa-cacert-manage install isrgrootx1.pem -n ISRGRootCAX1 -t C,,
ipa-cacert-manage install letsencryptauthorityx3.pem -n ISRGRootCAX3 -t C,,
ipa-certupdate -v

  • Add your certificates to the FreeIPA web UI and restart FreeIPA:

    echo '' | ipa-server-certinstall -w -d \
"/etc/letsencrypt/live/ipa-server.example.test/fullchain.pem" \
"/etc/letsencrypt/live/ipa-server.example.test/privkey.pem" \
--dirman-password='' --pin=''
ipactl restart

  • Cert renewal:

    • Run certbot renewal (Will not renew if the cert doesn't expire. Add --force-renewal flag to force renewal.)

    • Run commands to install fullchain.pem and privkey.pem again as in previous step and restart IPA server.

    • Certbot will modify root's crontab to automatically renew the Let's Encrypt cert. You should use crontab -e to modify the corresponding line to suit your need. For example, create a script under /root/ to renew the cert and install it to IPA, use chmod +x to make it executable, and execute it in crontab every week or month.

@yadhu621
Copy link

Thanks for the write up! It helped me sort out the certificates on my FreeIPA install in my homelab. By the way, I use certificates from ZeroSSL.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment