Last active
February 18, 2024 21:36
-
-
Save markallenpark/dc111bafb9ba83bc2399dfe61db85d70 to your computer and use it in GitHub Desktop.
Have cockpit use CA certificates from FreeIPA on Fedora 28+ or RHEL 8+
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| ## | |
| # Simple script to get cockpit to use certs issued by FreeIPA, rather than | |
| # self-signed certificates. | |
| # | |
| # This script is for distributions compatible with RHEL 8 or newer, and Fedora 28 or newer. | |
| # Older versions will require extra steps. I don't run anything older than RHEL 9 or | |
| # Fedora 39, so I didn't bother with those. | |
| # | |
| # Thanks to Maxim Bergerhout and this blog post: | |
| # <https://100things.wzzrd.com/2021/06/10/Proper-SSL-certs-in-cockpit.html> | |
| # | |
| echo "Cockpit IPA CA Integration" | |
| if [ $EUID -ne 0 ] | |
| then | |
| echo "This script requires root privileges to work correctly" | |
| else | |
| echo "Updating SELinux Contexts for Cockpit to give permissions to certmonger." | |
| semanage fcontext -a -t cert_t "/etc/cockpit/ws-certs.d(/.*)?" | |
| restorecon -FvR /etc/cockpit/ws-certs.d | |
| echo "Requesting certificate from IPA." | |
| ipa-getcert request -f /etc/cockpit/ws-certs.d/$(hostname -f).cert -k /etc/cockpit/ws-certs.d/$(hostname -f).key -D $(hostname -f) -K host/$(hostname -f) -m 0640 -o root:cockpit-ws -O root:root -M 0644 | |
| echo "Cockpit enrolled, certificate assigned!" | |
| fi |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment