fixed small issue in freeipa-dns (override check not working)

updated README - added clarification on password migration being limited adding first version of freeipa-letsencrypt.sh (fixes #1)
2018-09-30 00:43:02 +02:00
parent 5df784602e
commit 02d0b22561
3 changed files with 189 additions and 2 deletions
--- a/README.md
+++ b/README.md
@@ -24,6 +24,9 @@ This repository contains the following scripts:
  * [freeipa-dns.py](#freeipadns)
    is a script providing functionality not available in FreeIPA itself to
    migrate/synchronize and maintain DNS zones in FreeIPA
+  * [freeipa-letsencrypt.sh](#freeipaletsencrypt)
+    is a script to setup and configure Certbot and FreeIPA to request and renew
+    use publicly verifiable Let's Encrypt certificate(s)


 <a name=users2freeipa>users2freeipa.py</a>
@@ -60,6 +63,14 @@ This will also install the OpenDirectory-specific schema customization, create
 groups and copy group memberships, copy usuable passwords and ensure that all
 users have a password (storing generated passwords to ```passwords.txt```)

+Please note that migrating existing passwords from LDAP has limitations, see
+[this](https://www.freeipa.org/page/NIS_accounts_migration_preserving_Passwords)
+page on migrating NIS passwords and [this](https://pagure.io/freeipa/issue/4732)
+issue reported with it. Bottom line is that (at this moment) password migration
+is flawed and always will require manual action from the user. For this reason
+the better alternative to set a random password and ask the user to reset the
+password using the FreeIPA portal makes more sense.
+
 Before running a production user migration, it is important to have FreeIPA
 setup and configured correctly so that the right defaults are used for new
 users. Best is to start with a single user and add that as a stage user (please
@@ -160,6 +171,54 @@ for available commands run ```freeipa-dns.py -h``` and to get an overview of
 the available options for each commmand run ```freeipa-dns.py <command> -h```


+<a name=freeipaletsencrypt>freeipa-letsencrypt.sh</a>
+----------------------------------------------------------------
+This script will ensure the necessary setup is in place so that Certbot (EFF's
+certificate request script for Let's Encrypt) will work with FreeIPA for DNS
+challenges and and instructs it to deploy new certificates for FreeIPA's web
+interface. Before writing this script I looked at available options, especially
+[freeipa-letsencrypt](https://github.com/freeipa/freeipa-letsencrypt) and [antevens'](https://github.com/antevens/letsencrypt-freeipa) implementation but
+decided to take a slightly different approach where Certbot does all the work
+and the setup script will only ensure that the environment is prepared and that
+Certbot is initially instructed correctly. This allows to fully tie-in with how
+Certbot handles renews and use the Certbot package's provided method to schedule
+these.
+
+The following changes will be made for this:
+  1. Add Let's Encrypt Root and Intermediate CAs as trusted CAs
+  2. Create DNS Administrator role in FreeIPA that can edit any DNS Record
+  3. Create host service: ${SERVICE}
+  4. Allow letsencrypt host service to manage DNS entries
+  5. Register with Let's encrypt as: ${EMAIL}
+  6. Request a Let's Encrypt SSL certificate for: ${CERTNAME}
+     with DNS Alternative names: ${DNSALTNAMES}
+  7. install the Let's Encrypt certificate in apache as host SSL certificate,
+     storing renewal config in: /etc/letsencrypt/renewal/$HOSTNAME.conf
+  8. configure the Fedora Certbot renew timer so that certbot is run daily to
+     renew the certificate when needed.
+
+The script is built to auto-configure but many of the defaults can be overridden
+by setting one of the following environment variables:
+
+| Variable    | Description                        | Default value             |
+|-------------|------------------------------------|---------------------------|
+| CERTNAME    | certificate hostname,              | host's canonicalname  (*) |
+| DNSALTNAMES | certificate DNS names              | host's principalnames (*) |
+| DOMAIN      | Let's Encrypt challenge DNS zone   | {DNS name's domain}  (**) |
+| EMAIL       | administrator's e-mail address     | hostmaster@{domain}       |
+| HOSTNAME    | FreeIPA server's hostname          | `hostname --fqdn`         |
+| KEYTAB      | Let'sEncrypt service's keytab file | /etc/letsencrypt/keytab   |
+| KRB5CCNAME  | Kerberos5 cache to use for tickets | automatically determined  |
+| REPLY       | when 'y' skip user confirmation    | ""                        |
+| SERVICE     | FreeIPA service for Certbot to use | letsencrypt/canonicalname |
+| SUDO        | command to become root (if needed) | sudo                      |
+| TMPDIR      | Directory for temporary files      | /tmp                      |
+
+(*)  obtained from the FreeIPA server record looked up based on ${HOSTNAME}
+(**) this allows to enforce the DNS zone, e.g. host.subdomain in mydomain.tld
+
+When things change, the script can simply be run again.
+
 <a name="license">License</a>
 -----------------------------
 These scripts, documentation & configration examples are free software: you can