Created
April 9, 2023 00:37
-
-
Save SnailShea/736ac2cab495bef833869b7194e5db8d to your computer and use it in GitHub Desktop.
Script to use certificates from a FreeIPA CA in the Proxmox web interface
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # Adapted from https://gist.github.com/rechner/a176be6ec88432e7d8c5ee2f7ab37ccd | |
| # This script assumes the local machine has already been joined to your FreeIPA domain with ipa-client-install | |
| # DOMAIN should be set to your FreeIPA-controlled domain, not the FQDN of the FreeIPA server | |
| # NODE should be the short hostname of your Proxmox node, not a FQDN | |
| DOMAIN=domain.tld | |
| NODE=pve1 | |
| KEY=/etc/pve/nodes/$NODE/pve-ssl.key | |
| PEM=/etc/pve/nodes/$NODE/pve-ssl.pem | |
| # Get Kerberos Ticket | |
| kinit admin | |
| # Backup old certificates | |
| mv -v $KEY $KEY.old; mv -v $PEM $PEM.old | |
| # Request certificate from FreeIPA CA | |
| ipa-getcert request -K HTTP/$NODE.$DOMAIN -N "CN=$NODE.$DOMAIN" -k $KEY -f $PEM -I pveproxy | |
| # List FreeIPA certificates tracked on this system | |
| ipa-getcert list | |
| # Set file ownership/permissions | |
| chown -v root:www-data {$KEY,$PEM}; chmod -v 640 {$KEY,$PEM} | |
| # Restart pveproxy to use new certificates | |
| systemctl restart pveproxy |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment