
Using ipa-server-certinstall, including automatic backup mechanism and removing local cert store #28

Open
wants to merge 3 commits into master

Conversation

tosoikea

Description

With the changes included in the scripts, the setup script is going to download the necessary certificates from the official Let's Encrypt website. This could be extended to always download the most current version.
Additionally, and most importantly, the official ipa-server-certinstall command is used for registering the third party certificate. This method should be preferred over manually copying files into the corresponding directories (and also includes the directory server certificate). Lastly, a very simple copy mechanism is included for saving the most current certificates.

How has this been tested?

The renewal script runs weekly on IPA servers on top of RHEL 8.
Multiple renewals were successfully done.

Further improvements

  • Safely store password used for the command
  • Improve backup mechanism
  • Improve error handling and assure service status

@rcritten

Can you rebase this? A similar remove local CA change was made in PR #30 along with dynamically retrieving the chain. Your changes to renew-le.sh are still relevant.

@tosoikea
Author

tosoikea commented Feb 9, 2021

@rcritten Should be done now. I also added a small change to the renew-le.sh to only restart the required services instead of the complete ipa service (source: https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP).

@rcritten

rcritten commented Feb 9, 2021

GitHub is still reporting this as having conflicts. Can you also remove the merge commit to make the changes cleaner?

For the dirsrv restart it will fail without an instance name. dirsrv.target works IIRC.

[~] Changed certificate installation to use proper commands
[f] Fixed setup-le.sh to use -O (output) and not -o (log)
@tosoikea tosoikea force-pushed the master branch 2 times, most recently from a136f9a to 1dfa2c8 on February 12, 2021 16:54
@tosoikea
Author

@rcritten Seems good to go. I tested the restart of the directory service locally with the wildcard and it worked. However, as I can not guarantee that the same applies for other versions, I reverted to the ipactl restart. Feel free to change it, if desired.

@rcritten

I guess I would characterize this change as:

  • Always generate a new private key when renewing the LE certificate
  • By using ipa-server-certinstall with the -d option this is also going to always replace the LDAP certificate with the LE certificate with no equivalent cleanup.

@tosoikea
Author

I could optionally base the replacing of the certificates based upon a configuration variable e.g. only replace webserver certificate.
Personally, I do not see a problem with the generation of new private keys when renewing the LE certificate as it should have no impact on the functionality of the system.

@jekader

jekader commented Mar 19, 2021

Thanks for the PR, I think using ipa-server-certinstall is the way to go here instead of manually putting files into locations.

I have one question though - why are we still generating our own CSR in this case? Can't certbot just do it for us instead? The patch seems to regenerate the private key at each renewal anyways and we're just re-implementing certbot features in bash.

Ideally I'd want this to shrink renewal to a normal certbot run with IPA-specific steps executed as hooks. This PR is definitely a step in the right direction.

I tested the normal certbot workflow and it seems to work fine:

  1. systemctl stop httpd (can be run via certbot --pre-hook option)
  2. certbot --text --agree-tos certonly --standalone --keep-until-expiring -d IPA_HOSTNAME
  3. ipa-server-certinstall -w -d /etc/letsencrypt/live/IPA_HOSTNAME/privkey.pem /etc/letsencrypt/live/IPA_HOSTNAME/cert.pem (can be run via certbot --deploy-hook option)
  4. ipactl restart (can be run via certbot --post-hook option)

I'm not very familiar with IPA so may be missing something, that's why I'm asking if these custom steps are even needed.

@jekader

jekader commented Mar 23, 2021

Another useful certbot option in this context is --reuse-key which does not use a new private key on each renewal. That's the only reason in my understanding of having to use custom CSR generation flows.

I'll try to test the whole process once I have some time to deploy a test FreeIPA instance. It should allow us to shrink the script to just a few lines of bash.
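The certbot-driven renewal sketched in the two comments above (IPA steps as certbot hooks, plus --reuse-key so the private key survives renewals), written out as an added example that is not part of the PR or of the project's scripts. It assumes the Directory Manager password is kept in a root-only file at a placeholder path and passed with -p/--dirman-password; certbot exports RENEWED_LINEAGE to deploy hooks, which is how the hook finds the new files.

```shell
#!/bin/sh
# Added example (not from the PR): a certbot deploy hook that installs the renewed
# Let's Encrypt certificate into FreeIPA with ipa-server-certinstall, and a helper
# that builds the matching one-shot certbot command line with pre/deploy/post hooks.
set -eu

# Placeholder path (assumption): root-owned, mode 0600, holds the Directory Manager
# password so it never has to be hard-coded in the renewal script.
DM_PASSWORD_FILE="${DM_PASSWORD_FILE:-/root/.ipa-dm-password}"

# A lineage directory is usable only if both files ipa-server-certinstall needs exist.
check_lineage() {
  [ -s "$1/privkey.pem" ] && [ -s "$1/cert.pem" ]
}

# Command for installing the HTTP (-w) and LDAP (-d) certificates, printed without
# the password so it can be logged or checked before anything on the server changes.
build_certinstall_cmd() {
  check_lineage "$1" || return 1
  printf 'ipa-server-certinstall -w -d %s %s\n' "$1/privkey.pem" "$1/cert.pem"
}

# One-shot certbot invocation: httpd is stopped before the standalone challenge,
# the deploy hook runs only when a new certificate was actually issued, and
# ipactl restart runs afterwards. $1 = IPA hostname, $2 = path of this hook script.
build_certbot_cmd() {
  printf 'certbot certonly --text --agree-tos --standalone --keep-until-expiring --reuse-key -d %s --pre-hook "systemctl stop httpd" --deploy-hook %s --post-hook "ipactl restart"\n' "$1" "$2"
}

# Deploy-hook body: refuses to run if the key/cert pair or the password file is missing.
install_renewed_cert() {
  lineage="$1"
  check_lineage "$lineage" || { echo "no privkey.pem/cert.pem in $lineage" >&2; return 1; }
  [ -r "$DM_PASSWORD_FILE" ] || { echo "cannot read $DM_PASSWORD_FILE" >&2; return 1; }
  ipa-server-certinstall -w -d "$lineage/privkey.pem" "$lineage/cert.pem" \
    -p "$(cat "$DM_PASSWORD_FILE")"
}

# certbot sets RENEWED_LINEAGE only when invoking the deploy hook after a renewal.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
  install_renewed_cert "$RENEWED_LINEAGE"
fi
```

Run `build_certbot_cmd "$(hostname -f)" /usr/local/sbin/ipa-le-deploy.sh` once to see the full certbot command; the same script, installed at that hook path, then does the IPA step on each real renewal.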

@tosoikea
Author

@jekader This all sounds very sensible and promising. Unfortunately I currently have no time for changes, but am looking forward to your results! :)
