freeipa-proxmox.sh

# Setting up Proxmox with a certificate from FreeIPA.
# This assumes you've already joined the machine with ipa-client-install

# Get a ticket as someone that can issue certificates
kinit admin

cat <<EOF > /usr/local/sbin/set-ssl-permissions
#!/bin/bash

FILES=/etc/pve/nodes/proxmox/{pve-ssl.key,pve-ssl.pem}
chown root.www-data $FILES
chmod 640 $FILES
systemctl restart pveproxy
EOF

chmod a+x /usr/local/sbin/set-ssl-permissions

mv /etc/pve/nodes/proxmox/pve-ssl.key /etc/pve/nodes/proxmox/pve-ssl.key.old
mv /etc/pve/nodes/proxmox/pve-ssl.pem /etc/pve/nodes/proxmox/pve-ssl.pem.old

ipa-getcert request -K HTTP/`hostname -f` -k /etc/pve/nodes/proxmox/pve-ssl.key -f /etc/pve/nodes/proxmox/pve-ssl.pem -I pveproxy -C /usr/local/sbin/set-ssl-permissions

ipa-getcert list

# Check that it's not "stuck" and there is no "ca-error" listed

systemctl restart pveproxy

I was wondering if you have any recent experience with your script . I have made the modifications to get it to submit a request but it seems that there is an error in the formatting of the request:
ipa-getcert list
Number of certificates and requests being tracked: 1.
Request ID 'pveproxy':
status: CA_REJECTED
ca-error: Server at https://<ca_hostname>/ipa/json denied our request, giving up: 3009 (invalid 'csr': hostname in subject of request 'kvmh2' does not match name or aliases of principal 'HTTP/[email protected]').
stuck: yes
key pair storage: type=FILE,location='/etc/pve/nodes/kvmh2/pve-ssl.key'
certificate: type=FILE,location='/etc/pve/nodes/kvmh2/pve-ssl.pem'
CA: IPA
issuer:
subject:
expires: unknown
pre-save command:
post-save command: /usr/local/sbin/set-ssl-permissions
track: yes
auto-renew: yes

I found i needed to set the CN with -N $(hostname -f) to the ipa-getcert request