@rechner
Created July 28, 2020 23:49
# Setting up Proxmox with a certificate from FreeIPA.
# This assumes you've already joined the machine with ipa-client-install
# Get a ticket as someone that can issue certificates
kinit admin
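# Post-save hook that certmonger runs after it writes the certificate.
# The heredoc delimiter is quoted so that nothing is expanded while the file is written.
cat <<'EOF' > /usr/local/sbin/set-ssl-permissions
#!/bin/bash
# Brace expansion is not performed in a plain assignment, so list the files in an array.
FILES=(/etc/pve/nodes/proxmox/pve-ssl.key /etc/pve/nodes/proxmox/pve-ssl.pem)
chown root:www-data "${FILES[@]}"
chmod 640 "${FILES[@]}"
systemctl restart pveproxy
EOF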
chmod a+x /usr/local/sbin/set-ssl-permissions
mv /etc/pve/nodes/proxmox/pve-ssl.key /etc/pve/nodes/proxmox/pve-ssl.key.old
mv /etc/pve/nodes/proxmox/pve-ssl.pem /etc/pve/nodes/proxmox/pve-ssl.pem.old
ipa-getcert request -K "HTTP/$(hostname -f)" \
    -k /etc/pve/nodes/proxmox/pve-ssl.key \
    -f /etc/pve/nodes/proxmox/pve-ssl.pem \
    -I pveproxy \
    -C /usr/local/sbin/set-ssl-permissions
ipa-getcert list
# Check that it's not "stuck" and there is no "ca-error" listed
systemctl restart pveproxy
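
The "not stuck, no ca-error" check from the script above, as an added example that is not part of the original gist. The function name `check_request`, its exit codes and the two sample listings are assumptions made for this example; it reads the `status`, `stuck` and `ca-error` fields that `ipa-getcert list` prints for a request.

```shell
#!/bin/bash
# Added example (not from the gist). Reads `ipa-getcert list` output on stdin
# and judges the tracking request whose ID is given in $1.
# Exit codes (chosen for this example): 0 healthy, 1 failed, 2 not tracked, 3 pending.
check_request() {
    awk -v id="$1" -v q="'" '
        /^Request ID / { in_req = ($0 == "Request ID " q id q ":"); if (in_req) found = 1; next }
        !in_req        { next }
                       { sub(/^[ \t]+/, "") }
        /^status: /    { status = substr($0, 9) }
        /^stuck: /     { stuck = substr($0, 8) }
        /^ca-error: /  { caerr = substr($0, 11) }
        END {
            if (!found)                 { print "FAIL: request not tracked"; exit 2 }
            if (caerr != "")            { print "FAIL: ca-error: " caerr; exit 1 }
            if (stuck != "no")          { print "FAIL: stuck=" stuck " status=" status; exit 1 }
            if (status != "MONITORING") { print "WAIT: status=" status; exit 3 }
            print "OK: MONITORING"
        }'
}

# Constructed sample listings; host names and realm are placeholders.
sample_ok() { cat <<'EOF'
Number of certificates and requests being tracked: 1.
Request ID 'pveproxy':
    status: MONITORING
    stuck: no
    key pair storage: type=FILE,location='/etc/pve/nodes/proxmox/pve-ssl.key'
    certificate: type=FILE,location='/etc/pve/nodes/proxmox/pve-ssl.pem'
    CA: IPA
    subject: CN=proxmox.example.test,O=EXAMPLE.TEST
    auto-renew: yes
EOF
}
sample_rejected() { cat <<'EOF'
Number of certificates and requests being tracked: 1.
Request ID 'pveproxy':
    status: CA_REJECTED
    ca-error: Server at https://ipa.example.test/ipa/xml denied our request, giving up: 2100 (constructed message).
    stuck: yes
    CA: IPA
EOF
}

# Stand-alone demo on the constructed samples. On a real host:
#   ipa-getcert list -i pveproxy | check_request pveproxy
sample_ok | check_request pveproxy
sample_rejected | check_request pveproxy || true
```

A non-zero result before the final `systemctl restart pveproxy` means the key and certificate files have not been issued yet, since the originals were already moved aside to `.old`.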
@nonamenonumber

I found I needed to set the CN with -N $(hostname -f) to the ipa-getcert request
