@lijikun
Last active March 18, 2024 09:10
Use Let's Encrypt Certificate for FreeIPA Server on CentOS 8

How to Add Let's Encrypt Certificates on a CentOS 8 FreeIPA Server

References

https://certbot.eff.org/lets-encrypt/centosrhel8-apache.html

https://github.com/antevens/letsencrypt-freeipa

Prerequisites

A CentOS 8 server with FreeIPA installed and configured, which implies it also has a working Apache server and a working firewall configuration.

Let's assume its domain name is ipa-server.example.test; replace that with your own domain name wherever it appears below.

Steps

  • Log into your server and become root with e.g. sudo -i.

  • Install Certbot: dnf install certbot python3-certbot-apache

  • Edit the Apache configuration /etc/httpd/conf/httpd.conf to add a plain-HTTP virtual host listening on port 80 (the Certbot Apache plugin needs it for the HTTP-01 challenge). Add the following to the file:

    Listen 80
    <VirtualHost *:80>
            DocumentRoot "/var/www/html"
            # must match the name the certificate is requested for
            ServerName ipa-server.example.test
    </VirtualHost>

    Run systemctl restart httpd to restart Apache.

  • Run Certbot to obtain the certificates: certbot certonly --apache

    Certbot asks which name(s) to request a certificate for. Choose the option that includes your domain name and hit Enter.

    If successful, your certs are stored under /etc/letsencrypt/live/ipa-server.example.test/

  • Add the Let's Encrypt CA certificates to FreeIPA's trust store:

    cd /root
    # ISRG Root X1 is the Let's Encrypt root; Let's Encrypt Authority X3 was the
    # intermediate at the time of writing (see letsencrypt.org/certificates for
    # the current chain).
    wget https://letsencrypt.org/certs/isrgrootx1.pem
    wget https://letsencrypt.org/certs/letsencryptauthorityx3.pem
    # -n sets the NSS nickname, -t C,, marks the cert trusted for SSL CA use
    ipa-cacert-manage install isrgrootx1.pem -n ISRGRootCAX1 -t C,,
    ipa-cacert-manage install letsencryptauthorityx3.pem -n LetsEncryptAuthorityX3 -t C,,
    # push the updated CA set to this server's local trust stores
    ipa-certupdate -v

  • Add your certificates to the FreeIPA web UI (-w, HTTP server) and Directory Server (-d), then restart FreeIPA:

    # --pin is empty because the Let's Encrypt private key is an unencrypted PEM;
    # the empty line on stdin answers any interactive prompt
    echo '' | ipa-server-certinstall -w -d \
    "/etc/letsencrypt/live/ipa-server.example.test/fullchain.pem" \
    "/etc/letsencrypt/live/ipa-server.example.test/privkey.pem" \
    --dirman-password='' --pin=''
    ipactl restart

  • Cert renewal:

    • Run certbot renew. It does nothing unless the certificate is close to expiry; add the --force-renewal flag to renew anyway.

    • Run the ipa-server-certinstall command from the previous step again to install the new fullchain.pem and privkey.pem, then restart the IPA server with ipactl restart.

    • Certbot adds a line to root's crontab that renews the Let's Encrypt cert automatically. Use crontab -e to adjust that line to your needs: for example, create a script under /root/ that renews the cert and installs it into IPA, make it executable with chmod +x, and run it from crontab every week or month.
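The renewal script the last step describes, written out as an added example (it is not part of the gist). It assumes it runs as root with the same tools the gist uses (certbot, ipa-server-certinstall, ipactl), that the certificate lives under /etc/letsencrypt/live/$IPA_DOMAIN, and that the Directory Manager password is kept in a root-only file at an assumed path (/root/.dirman-password) instead of being passed as an empty string. It also checks, before installing, that fullchain.pem really holds a chain (leaf plus intermediate) and that the chain changed since the last install, so a weekly cron run does not restart FreeIPA for nothing.

```shell
#!/bin/sh
# Hypothetical /root/renew-ipa-cert.sh (added example; not from the gist).
# Cron entry, weekly as the gist suggests:  0 3 * * 1 /root/renew-ipa-cert.sh run

IPA_DOMAIN="${IPA_DOMAIN:-ipa-server.example.test}"            # replace with yours
LIVE_DIR="/etc/letsencrypt/live/$IPA_DOMAIN"
DM_PASSWORD_FILE="${DM_PASSWORD_FILE:-/root/.dirman-password}" # assumed path, mode 0600
STATE_FILE="${STATE_FILE:-/root/.ipa-installed-fullchain.pem}" # copy of the last installed chain
LOG="${LOG:-/var/log/renew-ipa-cert.log}"

log() { printf '%s %s\n' "$(date '+%F %T')" "$*" >>"$LOG"; }

# Number of PEM certificate blocks in a file (0 if the file is missing).
count_certs() {
    n=$(grep -c '^-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null) || true
    echo "${n:-0}"
}

# fullchain.pem must carry the leaf plus at least one intermediate; a file with
# a single block is what makes ipa-server-certinstall complain that the full
# certificate chain is not present.
chain_is_complete() {
    [ "$(count_certs "$1")" -ge 2 ]
}

# Only re-install when certbot actually wrote a new chain: certbot renew is a
# no-op until the certificate is near expiry, and ipactl restart is disruptive.
chain_changed() {
    ! cmp -s "$1" "$STATE_FILE"
}

renew_and_install() {
    if ! certbot renew --quiet >>"$LOG" 2>&1; then
        log "certbot renew failed"; return 1
    fi
    if ! chain_is_complete "$LIVE_DIR/fullchain.pem"; then
        log "$LIVE_DIR/fullchain.pem has no full chain; not installing"; return 1
    fi
    if ! chain_changed "$LIVE_DIR/fullchain.pem"; then
        log "certificate unchanged; nothing to do"; return 0
    fi
    # Same install as the gist's step: -w = HTTP server, -d = Directory Server;
    # --pin is empty because the PEM private key is unencrypted.
    ipa-server-certinstall -w -d \
        "$LIVE_DIR/fullchain.pem" "$LIVE_DIR/privkey.pem" \
        --dirman-password="$(cat "$DM_PASSWORD_FILE")" --pin='' >>"$LOG" 2>&1 \
        || { log "ipa-server-certinstall failed"; return 1; }
    ipactl restart >>"$LOG" 2>&1 || { log "ipactl restart failed"; return 1; }
    cp "$LIVE_DIR/fullchain.pem" "$STATE_FILE"
    log "installed new certificate for $IPA_DOMAIN"
}

# Offline self-check on constructed PEM files (placeholder blocks, not real certs).
selfcheck() {
    d=$(mktemp -d)
    printf -- '-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n' >"$d/one.pem"
    cat "$d/one.pem" "$d/one.pem" >"$d/two.pem"
    chain_is_complete "$d/two.pem" && ! chain_is_complete "$d/one.pem" \
        && [ "$(count_certs "$d/missing.pem")" = 0 ]
    rc=$?
    rm -rf "$d"
    return $rc
}

case "${1:-}" in
    run)       renew_and_install ;;
    selfcheck) selfcheck && echo "self-check passed" ;;
    "")        : ;;   # no mode given: only define the functions
    *)         echo "usage: $0 run|selfcheck" >&2; exit 2 ;;
esac
```

Run /root/renew-ipa-cert.sh selfcheck once after copying it into place, then add the cron line from the header comment. Because ipactl restart briefly interrupts LDAP, Kerberos and the web UI, the change check matters: with it, the weekly run is silent until Let's Encrypt actually issues a new certificate.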

@aurfalien

Dear sir.
First, thank you for this marvelous write up.
I thought to see if you could help. Upon running the final command which installs the keys, I get the following error:
The full certificate chain is not present in /etc/letsencrypt/live/somedomain/fullchain.pem /etc/letsencrypt/live/somedomain/privkey.pem
The ipa-server-certinstall command failed.

Would you happen to know why?

@lijikun
Author

lijikun commented Feb 5, 2021

Dear sir.
First, thank you for this marvelous write up.
I thought to see if you could help. Upon running the final command which installs the keys, I get the following error:
The full certificate chain is not present in /etc/letsencrypt/live/somedomain/fullchain.pem /etc/letsencrypt/live/somedomain/privkey.pem The ipa-server-certinstall command failed.

Would you happen to know why?

I am not sure. Can you check if your cert is working correctly? Create a html file /var/www/html/filename.html, put something in it, and try to open it in a browser using https://your-domain-name/filename.html. See if the browser recognizes the certificate as legitimate.

If not, read about how to use certbot (linked at the beginning of the gist) and fix any issue. It seems that the certbot installation process has changed a lot since I first wrote the gist.

If the cert is working correctly, perhaps you can read about the ipa-server-certinstall command and see if you need to supply alternative parameters.

@aurfalien

Thanks for the reply, very much appreciated.

I did just that (tested the certs), modifying ssl.conf to simply point to the Let's Encrypt-issued fromage:
SSLCertificateFile /etc/letsencrypt/live/somedomain/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/somedomain/privkey.pem

And bayam, it worked! Browsers no longer complain about the cert.

So, can I assume that Let's Encrypt renewal certs will always land in /etc/letsencrypt/live/somedomain/?

Perhaps better to decipher the ipa-server-certinstall stuff so I'll do that.

BTW the ipa-server-certinstall command does ask for a pin but I leave it blank. I thought that the Let's Encrypt stuff doesn't have a pin so perhaps that's it? Or it doesn't like PEM format?

At the end of the day, for best practice I always prefer automating simple commands like copying/downloading files around rather than automating complex commands like ipa-server-certinstall. So perhaps I'll just automate the certbot stuff while keeping the SSLCertificateFile and SSLCertificateKeyFile with my mods.

@yadhu621

Thanks for the write up! It helped me sort out the certificates on my FreeIPA install in my homelab. By the way, I use certificates from ZeroSSL.