scripts/FreeIPA
Archived
1
0
Fork 0
Code Issues 4 Activity

fixed issue in freeipa-letsencrypt.sh with setting variable defaults

Browse Source 
added set-dns-source.sh
updated README.md accordingly
This commit is contained in:
Frederik Lindenaar
2018-10-01 17:39:42 +02:00
parent 02d0b22561
commit 63e71697e2
3 changed files with 152 additions and 68 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
freeipa-letsencrypt.sh
View File

@@ -36,7 +36,13 @@ else
fi
# Set KRB5CCNAME to ensure the current ticket cache will be used
KRB5CCNAME=${KRB5CCNAME:-$(klist -l | head -3 | tail -1 | cut -d\ -f2-)}
: ${KRB5CCNAME:=$(klist -l | head -3 | tail -1 | cut -d\ -f2-)}
# Set parameters
: ${CERTNAME:=$(ipa host-show $HOSTNAME --raw | fgrep "krbcanonicalname: host/" | cut -d/ -f2 | cut -d@ -f1)}
: ${DNSALTNAMES:=$(ipa host-show $HOSTNAME --raw | fgrep "krbprincipalname: host/" | cut -d/ -f2 | cut -d@ -f1 | paste -sd,)}
: ${EMAIL:=hostmaster@${HOSTNAME#*.}}
: ${SERVICE:=letsencrypt/$(ipa host-show $HOSTNAME --raw | fgrep "krbcanonicalname: host/" | cut -d/ -f2)}
# Ensure the user consents with changing his system.
if tty > /dev/null; then
@@ -46,12 +52,11 @@ use a Let's Encrypt certificate and will automatically renew that when needed.
The following changes will be made for this:
1. Add Let's Encrypt Root and Intermediate CAs as trusted CAs
2. Create DNS Administrator role in FreeIPA that can edit any DNS Record
3. Create host service: ${SERVICE:=letsencrypt/$(
ipa host-show $HOSTNAME --raw | fgrep "krbcanonicalname: host/" | cut -d/ -f2)}
3. Create host service: $SERVICE
4. Allow letsencrypt host service to manage DNS entries
5. Register with Let's encrypt as: ${EMAIL:=hostmaster@${HOSTNAME#*.}}
6. Request a Let's Encrypt SSL certificate for: ${CERTNAME:=$(ipa host-show $HOSTNAME --raw | fgrep "krbcanonicalname: host/" | cut -d/ -f2 | cut -d@ -f1)}
with DNS Alternative names: ${DNSALTNAMES:=$(ipa host-show $HOSTNAME --raw | fgrep "krbprincipalname: host/" | cut -d/ -f2 | cut -d@ -f1 | paste -sd,)}
5. Register with Let's encrypt as: $EMAIL
6. Request a Let's Encrypt SSL certificate for: $CERTNAME
with DNS Alternative names: $DNSALTNAMES
7. install the Let's Encrypt certificate in apache as host SSL certificate,
storing renewal config in: /etc/letsencrypt/renewal/$HOSTNAME.conf
8. configure the Fedora Certbot renew timer so that certbot is run daily to
@@ -121,7 +126,7 @@ $SUDO systemctl enable --now certbot-renew.timer
cat << EOT
FreeIPA was successfully setup to use a Let\'s Encrypt certificate for its web
FreeIPA was successfully setup to use a Let's Encrypt certificate for its web
interface. This certificate will be renewed automatically when needed.
EOT