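# Setting up Proxmox with a certificate from FreeIPA.
# This assumes you've already joined the machine with ipa-client-install

# Get a ticket as someone that can issue certificates (if needed. This depends on user permissions
# and I dislike running as root and needing to use non personal admin accounts/privileges.)
#kinit admin
klist -s || kinit

# Resolve the node's names once so every command below refers to the same host.
short_name="$(hostname -s)"
fqdn="$(hostname -f)"
node_dir="/etc/pve/nodes/${short_name}"

# Address for the certificate's IP SAN: last field of the first answer line
# printed by `host`. Only the first record is used so -A receives one value.
ip_addr="$(host -t A "$fqdn" | awk 'NF>1{print $NF; exit}')"
ipv4_re='^[0-9]+(\.[0-9]+){3}$'

# Post-save hook, run automatically after the certificate is saved (see -C below).
# The heredoc delimiter is quoted so nothing is expanded while the hook is being
# written: with an unquoted delimiter $FILES expands to an empty string here and
# the generated chown/chmod lines end up with no file arguments.
# The hook uses an array because brace expansion is not performed on the value
# of a variable, so a {a,b} pattern stored in FILES would reach chown literally.
# `sudo tee` is used because the redirection of a plain `cat >` is opened by the
# calling (unprivileged) shell and cannot write to /usr/local/sbin.
# NOTE(review): /etc/pve is normally the Proxmox cluster filesystem, which may
# manage ownership and modes itself - confirm chown/chmod take effect there.
sudo tee /usr/local/sbin/set-ssl-permissions >/dev/null <<'EOF'
#!/bin/bash
# Cert files
node_dir="/etc/pve/nodes/$(hostname -s)"
files=("${node_dir}/pve-ssl.key" "${node_dir}/pve-ssl.pem")
# Correct ownership
chown root:www-data -- "${files[@]}"
chmod 640 -- "${files[@]}"
# Restart the service
systemctl restart pveproxy
EOF
# The hook performs privileged work (chown, service restart), so give it an
# explicit mode: executable by all, writable by its owner only.
sudo chmod 755 /usr/local/sbin/set-ssl-permissions

if [[ ! "$ip_addr" =~ $ipv4_re ]]; then
  # Without this check an error line from `host` would be passed on as the IP SAN.
  printf 'No usable A record for %s (got: "%s"); not requesting a certificate.\n' \
    "$fqdn" "$ip_addr" >&2
else
  # Keep the previous key pair as a fallback. The old private key stays on disk
  # as pve-ssl.key.old; remove it once the new certificate is confirmed working.
  sudo mv -- "${node_dir}/pve-ssl.key" "${node_dir}/pve-ssl.key.old"
  sudo mv -- "${node_dir}/pve-ssl.pem" "${node_dir}/pve-ssl.pem.old"

  # -K principal, -k key file, -f certificate file, -D DNS SAN, -A IP SAN,
  # -I tracking request name, -C command to run after the certificate is saved.
  sudo ipa-getcert request \
    -K "HTTP/${fqdn}" \
    -k "${node_dir}/pve-ssl.key" \
    -f "${node_dir}/pve-ssl.pem" \
    -D "$fqdn" \
    -A "$ip_addr" \
    -I pveproxy \
    -C "/usr/local/sbin/set-ssl-permissions"
fi

sudo ipa-getcert list
# Check that it's not "stuck" and there is no "ca-error" listed

# Restarting the Proxmox GUI is already done by the post-save command, no need to do it again.
#sudo systemctl restart pveproxy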