
Secure FreeIPA Server With Let's Encrypt SSL Certificate | ComputingForGeeks

source link: https://computingforgeeks.com/secure-freeipa-server-with-lets-encrypt-ssl-certificate/
Secure FreeIPA Server With Let's Encrypt SSL Certificate

FreeIPA is a powerful open source solution created to provide a centralized way of managing authentication, identity stores, and authorization policies in a Linux-based domain. We have a number of articles discussing the installation of FreeIPA Server on various Linux distributions. In this guide we discuss how you can secure the web interface of the FreeIPA server using free Let’s Encrypt SSL certificates.

As a prerequisite you’ll need a working installation of FreeIPA Server on your system. You can refer to our guides in the links below:

Once FreeIPA Server is installed, confirm it is working by obtaining a Kerberos ticket as the admin user:

# kinit admin
Password for [email protected]:

# klist
Ticket cache: KCM:0
Default principal: [email protected]

Valid starting       Expires              Service principal
08/02/2021 17:42:38  08/03/2021 17:42:31  krbtgt/[email protected]

Install EPEL repository and Certbot

On RHEL-based systems the Certbot packages are available in the EPEL repository. Certbot is used to obtain Let’s Encrypt certificates and, afterward, to keep renewing the site’s HTTPS certificates.

Install epel-release using the following command:

$ sudo yum install epel-release
Last metadata expiration check: 1 day, 15:05:30 ago on Tue 27 Jul 2021 10:11:28 PM EAT.
Dependencies resolved.
==================================================================================================================================================================
 Package                                   Architecture                        Version                                  Repository                           Size
==================================================================================================================================================================
Installing:
 epel-release                              noarch                              8-10.el8                                 extras                               22 k

Transaction Summary
==================================================================================================================================================================
Install  1 Package

Total download size: 22 k
Installed size: 32 k
Is this ok [y/N]: y
Downloading Packages:
epel-release-8-10.el8.noarch.rpm                                                                                                  182 kB/s |  22 kB     00:00
------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total                                                                                                                              67 kB/s |  22 kB     00:00
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                                                                                                          1/1
  Installing       : epel-release-8-10.el8.noarch                                                                                                             1/1
  Running scriptlet: epel-release-8-10.el8.noarch                                                                                                             1/1
  Verifying        : epel-release-8-10.el8.noarch                                                                                                             1/1

Installed:
  epel-release-8-10.el8.noarch

Complete!

Then install certbot with the next command:

$ sudo yum install certbot python3-certbot-apache
Last metadata expiration check: 0:10:00 ago on Thu 29 Jul 2021 01:17:18 PM EAT.
Dependencies resolved.
==================================================================================================================================================================
 Package                                           Architecture                   Version                                 Repository                         Size
==================================================================================================================================================================
Installing:
 certbot                                           noarch                         1.14.0-1.el8                            epel                               51 k
 python3-certbot-apache                            noarch                         1.14.0-1.el8                            epel                              143 k
Installing dependencies:
 python3-acme                                      noarch                         1.14.0-1.el8                            epel                               88 k
 python3-certbot                                   noarch                         1.14.0-1.el8                            epel                              391 k
 python3-configargparse                            noarch                         0.14.0-6.el8                            epel                               36 k
 python3-josepy                                    noarch                         1.8.0-1.el8                             epel                              102 k
 python3-parsedatetime                             noarch                         2.5-1.el8                               epel                               79 k
 python3-pyOpenSSL                                 noarch                         19.0.0-1.el8                            appstream                         102 k
 python3-pyrfc3339                                 noarch                         1.1-1.el8                               epel                               19 k
 python3-requests-toolbelt                         noarch                         0.9.1-4.el8                             epel                               91 k
 python3-zope-component                            noarch                         4.3.0-8.el8                             epel                              313 k
 python3-zope-event                                noarch                         4.2.0-12.el8                            epel                              210 k
 python3-zope-interface                            x86_64                         4.6.0-1.el8                             epel                              158 k
Installing weak dependencies:
 python-josepy-doc                                 noarch                         1.8.0-1.el8                             epel                               22 k

Transaction Summary
==================================================================================================================================================================
Install  14 Packages

Total download size: 1.8 M
Installed size: 6.9 M
Is this ok [y/N]: y

Confirm that the certbot tool was installed successfully:

$ certbot --version
certbot 1.14.0

Secure FreeIPA Server With Let’s Encrypt SSL Certificate

We will request Let’s Encrypt SSL certificates rather than using the server’s self-signed certs.

Backup current FreeIPA server private keys and certificates before you proceed:

sudo cp -r /var/lib/ipa/certs{,.bak}
sudo cp -r /var/lib/ipa/private{,.bak}

Install git (needed for Method 2) and a file editor, vim or nano:

sudo yum -y install git vim nano

Method 1: Secure FreeIPA Server With Let’s Encrypt using the manual method

Follow the steps below.

Download and install Let’s Encrypt CA certificates

Create certs directory:

sudo su -
mkdir freeipa-certs
cd freeipa-certs

Download the Let’s Encrypt CA certificates (root and intermediate):

# Root (ISRG Root X1, ISRG Root X2) and intermediate (R3, E1, R4, E2) CA certificates
CERTS=("isrgrootx1.pem" "isrg-root-x2.pem" "lets-encrypt-r3.pem" "lets-encrypt-e1.pem" "lets-encrypt-r4.pem" "lets-encrypt-e2.pem")
for CERT in "${CERTS[@]}"
do
  curl -o "$CERT" "https://letsencrypt.org/certs/$CERT"
done

Install the Let’s Encrypt CA certificates into the FreeIPA certificate store:

CERTS=("isrgrootx1.pem" "isrg-root-x2.pem" "lets-encrypt-r3.pem" "lets-encrypt-e1.pem" "lets-encrypt-r4.pem" "lets-encrypt-e2.pem")
for CERT in "${CERTS[@]}"
do
  # Adds the CA to the IPA trust store so IPA clients and services trust the chain
  ipa-cacert-manage install "$CERT"
done

Expected command output:

Installing CA certificate, please wait
Verified CN=ISRG Root X1,O=Internet Security Research Group,C=US
CA certificate successfully installed
The ipa-cacert-manage command was successful
Installing CA certificate, please wait
Verified CN=ISRG Root X2,O=Internet Security Research Group,C=US
CA certificate successfully installed
The ipa-cacert-manage command was successful
Installing CA certificate, please wait
Verified CN=R3,O=Let's Encrypt,C=US
CA certificate successfully installed
The ipa-cacert-manage command was successful
Installing CA certificate, please wait
Verified CN=E1,O=Let's Encrypt,C=US
CA certificate successfully installed
The ipa-cacert-manage command was successful
Installing CA certificate, please wait
Verified CN=R4,O=Let's Encrypt,C=US
CA certificate successfully installed
The ipa-cacert-manage command was successful
Installing CA certificate, please wait
Verified CN=E2,O=Let's Encrypt,C=US
CA certificate successfully installed
The ipa-cacert-manage command was successful

Update the local IPA certificate databases with the certificates from the server:

$ sudo ipa-certupdate
Systemwide CA database updated.
Systemwide CA database updated.
The ipa-certupdate command was successful
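The download-and-install loop above trusts whatever the HTTP fetch returns: without curl’s -f option a 404 error page would be saved as a .pem file and handed straight to ipa-cacert-manage. The following is an added example, not code from the original article, that fetches the same six files, refuses anything that is not exactly one PEM certificate block, and only then installs them and runs ipa-certupdate. It assumes bash, curl and GNU coreutils (mktemp); the file names and URL are the ones used above.

```shell
#!/usr/bin/env bash
# Download the Let's Encrypt CA certificates, sanity-check each file, and only
# then hand it to ipa-cacert-manage. Added example; not code from the article.
set -euo pipefail

CERTS=("isrgrootx1.pem" "isrg-root-x2.pem" "lets-encrypt-r3.pem" "lets-encrypt-e1.pem" "lets-encrypt-r4.pem" "lets-encrypt-e2.pem")
BASE_URL="https://letsencrypt.org/certs"

# Count the PEM certificate blocks in a file. Prints 0 for an empty file, an
# HTML error page, or a truncated download whose BEGIN/END markers are unbalanced.
pem_cert_count() {
  local f="$1" begins ends
  begins=$(grep -c -- '^-----BEGIN CERTIFICATE-----$' "$f" || true)
  ends=$(grep -c -- '^-----END CERTIFICATE-----$' "$f" || true)
  if [ "$begins" -ne "$ends" ]; then
    echo 0
  else
    echo "$begins"
  fi
}

# A CA file is acceptable only if it holds exactly one certificate block.
is_single_cert() {
  [ "$(pem_cert_count "$1")" -eq 1 ]
}

# -f makes curl fail on HTTP errors instead of saving the error page as a .pem;
# -S still prints the error. Each download goes to a temp file first, so a failed
# or rejected fetch never leaves a half-written .pem behind.
fetch_ca_certs() {
  local cert tmp
  for cert in "${CERTS[@]}"; do
    tmp=$(mktemp)
    curl -fsSL -o "$tmp" "$BASE_URL/$cert"
    if ! is_single_cert "$tmp"; then
      rm -f "$tmp"
      echo "refusing $cert: not a single PEM certificate" >&2
      return 1
    fi
    mv "$tmp" "$cert"
  done
}

# Re-check every file immediately before touching the IPA trust store, then push
# the new CA chain to the local NSS and system databases as the article does.
install_ca_certs() {
  local cert
  for cert in "${CERTS[@]}"; do
    is_single_cert "$cert"
    ipa-cacert-manage install "$cert"
  done
  ipa-certupdate
}

# Run the full procedure only when invoked as "script.sh run"; sourcing the
# file merely defines the functions.
if [ "${1:-}" = "run" ]; then
  fetch_ca_certs
  install_ca_certs
fi
```

Run it as root from the freeipa-certs directory with `bash fetch-le-ca.sh run` (the file name is a suggestion). The check is deliberately structural rather than cryptographic: it catches the common failure modes (error pages, truncated or concatenated files) but does not pin the certificates themselves, so the TLS connection to letsencrypt.org remains the trust anchor for the download.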

Obtain Let’s Encrypt Certificates

Stop the httpd service to release port 80, which the standalone HTTP-01 challenge needs:

sudo systemctl stop httpd

Then run Certbot to obtain the Let’s Encrypt certificate:

EMAIL="your-email-address"       # Contact address for expiry notices
DOMAIN="idm.example.com"         # Set correct IdM hostname (FQDN)
sudo certbot certonly --standalone --preferred-challenges http --agree-tos -n -d "$DOMAIN" -m "$EMAIL"

Ensure the certificate request succeeds:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Requesting a certificate for idm.example.com
Performing the following challenges:
http-01 challenge for idm.example.com
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/idm.example.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/idm.example.com/privkey.pem
   Your certificate will expire on 2021-10-27. To obtain a new or
   tweaked version of this certificate in the future, simply run
   certbot again. To non-interactively renew *all* of your
   certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Your certs should be stored in the /etc/letsencrypt/live/idm.example.com directory:

$ ls /etc/letsencrypt/live/idm.example.com
cert.pem  chain.pem  fullchain.pem  privkey.pem  README

Start the httpd server again after confirming the required certs were generated:

sudo systemctl restart httpd

Install the Let’s Encrypt certificate and key for use in the FreeIPA Web UI (-w installs into httpd, -d into the directory server; the PIN is empty because certbot keys are not encrypted):

DOMAIN="idm.example.com" # Set correct IdM hostname
sudo ipa-server-certinstall -w -d /etc/letsencrypt/live/$DOMAIN/privkey.pem /etc/letsencrypt/live/$DOMAIN/cert.pem --pin=''

Command execution output:

Directory Manager password:

Please restart ipa services after installing certificate (ipactl restart)
The ipa-server-certinstall command was successful

Restart FreeIPA services

$ sudo ipactl restart
Restarting Directory Service
Restarting krb5kdc Service
Restarting kadmin Service
Restarting httpd Service
Restarting ipa-custodia Service
Restarting pki-tomcatd Service
Restarting ipa-otpd Service
ipa: INFO: The ipactl command was successful

You can confirm which SSL certificate is now being served from the terminal or from a web browser.

Using OpenSSL:

$ openssl s_client -showcerts -verify 5 -connect $(hostname -f):443
verify depth is 5
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = idm.example.com
verify return:1
---
Certificate chain
 0 s:CN = idm.example.com
   i:C = US, O = Let's Encrypt, CN = R3
-----BEGIN CERTIFICATE-----

From the web console:

Method 2: Secure FreeIPA Server With Let’s Encrypt using a bash script

If you prefer an automated installation of Let’s Encrypt certificates, clone the official FreeIPA Let’s Encrypt management scripts from GitHub:

$ git clone https://github.com/freeipa/freeipa-letsencrypt.git
Cloning into 'freeipa-letsencrypt'...
remote: Enumerating objects: 71, done.
remote: Counting objects: 100% (23/23), done.
remote: Compressing objects: 100% (19/19), done.
remote: Total 71 (delta 6), reused 13 (delta 4), pack-reused 48
Unpacking objects: 100% (71/71), 18.71 KiB | 299.00 KiB/s, done.

Switch to the directory created:

cd freeipa-letsencrypt

Edit the renew-le.sh script and set the EMAIL variable:

$ vim renew-le.sh
EMAIL="input-your-email-address"

Inside the setup-le.sh script the FreeIPA server FQDN is taken from the server’s hostname:

FQDN=$(hostname -f)

Ensure the command below returns the hostname as FQDN:

$ hostname -f
idm.example.com

Run the setup-le.sh script to prepare the machine:

sudo bash setup-le.sh

The script performs the following actions:

  • Install Let’s Encrypt CA certificates into FreeIPA certificate store
  • Request new certificate for FreeIPA web interface

Example of command execution output:

...
Installing CA certificate, please wait
Verified CN=R4,O=Let's Encrypt,C=US
CA certificate successfully installed
The ipa-cacert-manage command was successful
--2021-07-29 14:46:06--  https://letsencrypt.org/certs/lets-encrypt-e2.pem
Resolving letsencrypt.org (letsencrypt.org)... 34.194.149.67, 68.183.23.220, 2a05:d014:275:cb01:8909:43f0:2069:7b77, ...
Connecting to letsencrypt.org (letsencrypt.org)|34.194.149.67|:443... connected.
GnuTLS: Resource temporarily unavailable, try again.
GnuTLS: Resource temporarily unavailable, try again.
GnuTLS: Resource temporarily unavailable, try again.
HTTP request sent, awaiting response... 200 OK
Length: 1021 [application/x-pem-file]
Saving to: ‘/etc/ssl/idm.example.com/lets-encrypt-e2.pem’

/etc/ssl/idm.example.com/lets- 100%[================================================================================>]    1021  --.-KB/s    in 0s

2021-07-29 14:46:06 (13.3 MB/s) - ‘/etc/ssl/idm.example.com/lets-encrypt-e2.pem’ saved [1021/1021]

Installing CA certificate, please wait
Verified CN=E2,O=Let's Encrypt,C=US
CA certificate successfully installed
The ipa-cacert-manage command was successful

Restart httpd service:

sudo systemctl restart httpd

Confirm that the ipa-certupdate command runs successfully:

$ sudo ipa-certupdate
Systemwide CA database updated.
Systemwide CA database updated.
The ipa-certupdate command was successful

Modifying Apache web server configuration file to set SSL Cert and Key (Not recommended)

If you are only interested in using the Let’s Encrypt certificate for the browser pages, you can manually edit the ssl.conf file and set the following directives. Note that this bypasses FreeIPA’s own certificate management (ipa-server-certinstall): only httpd picks up the new certificate, the directory server keeps serving its original one, and the FreeIPA tooling is unaware of the change.

$ sudo vim /etc/httpd/conf.d/ssl.conf
SSLCertificateFile /etc/letsencrypt/live/idm.example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/idm.example.com/privkey.pem

Restart httpd service:

sudo systemctl restart httpd

Check that the status is running:

$ systemctl status httpd
● httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled)
  Drop-In: /etc/systemd/system/httpd.service.d
           └─ipa.conf
   Active: active (running) since Thu 2021-07-29 23:00:51 EAT; 17s ago
     Docs: man:httpd.service(8)
  Process: 39925 ExecStartPre=/usr/libexec/ipa/ipa-httpd-kdcproxy (code=exited, status=0/SUCCESS)
 Main PID: 39928 (httpd)
   Status: "Running, listening on: port 443, port 80"
    Tasks: 265 (limit: 101105)
   Memory: 332.4M
   CGroup: /system.slice/httpd.service
           ├─39928 /usr/sbin/httpd -DFOREGROUND
           ├─39929 /usr/sbin/httpd -DFOREGROUND
           ├─39930 (wsgi:kdcproxy) -DFOREGROUND
           ├─39931 (wsgi:kdcproxy) -DFOREGROUND
           ├─39932 (wsgi:ipa)      -DFOREGROUND
           ├─39933 (wsgi:ipa)      -DFOREGROUND
           ├─39934 (wsgi:ipa)      -DFOREGROUND
           ├─39935 (wsgi:ipa)      -DFOREGROUND
           ├─39936 /usr/sbin/httpd -DFOREGROUND
           ├─39937 /usr/sbin/httpd -DFOREGROUND
           └─39938 /usr/sbin/httpd -DFOREGROUND

Jul 29 23:00:51 idm.example.com systemd[1]: Starting The Apache HTTP Server...
Jul 29 23:00:51 idm.example.com ipa-httpd-kdcproxy[39925]: ipa: INFO: KDC proxy enabled
Jul 29 23:00:51 idm.example.com ipa-httpd-kdcproxy[39925]: ipa-httpd-kdcproxy: INFO     KDC proxy enabled
Jul 29 23:00:51 idm.example.com systemd[1]: Started The Apache HTTP Server.
Jul 29 23:00:52 idm.example.com httpd[39928]: Server configured, listening on: port 443, port 80

Renewal of FreeIPA Let’s Encrypt Certificate

Whenever the SSL certificate is renewed, run the commands below to update it on the FreeIPA side:

DOMAIN="idm.example.com" # Set correct IdM hostname
sudo ipa-server-certinstall -w -d /etc/letsencrypt/live/$DOMAIN/privkey.pem /etc/letsencrypt/live/$DOMAIN/cert.pem --pin=''

Enter the Directory Manager password when prompted:

Directory Manager password:
The ipa-server-certinstall command was successful

Then restart the FreeIPA services after installing the certificate:

sudo ipactl restart
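The two renewal steps above have to be repeated every time certbot renews the certificate, which it does unattended, so a renewal that nobody follows up on leaves FreeIPA serving an expired certificate. The following is an added example, not code from the original article or from the freeipa-letsencrypt project: a certbot deploy hook that performs those steps automatically. It assumes the RENEWED_LINEAGE environment variable that certbot exports to deploy hooks, the --dirman-password option of ipa-server-certinstall, and a hypothetical root-only file /etc/ipa/dm_password holding the Directory Manager password.

```shell
#!/usr/bin/env bash
# certbot deploy hook: push a renewed Let's Encrypt certificate into FreeIPA.
# Added example; not code from the article or the freeipa-letsencrypt project.
# Assumptions: certbot sets RENEWED_LINEAGE for deploy hooks; the Directory
# Manager password lives in a root-only file (hypothetical path below).
set -euo pipefail

DM_PASS_FILE="${DM_PASS_FILE:-/etc/ipa/dm_password}"   # hypothetical location
LOG_TAG="ipa-le-deploy"

# Refuse a password file that is not owned by the invoking user (root under
# certbot) or that is readable by anyone else. Uses GNU stat (Linux).
check_secret_perms() {
  local f="$1" mode owner
  [ -f "$f" ] || return 1
  mode=$(stat -c '%a' "$f")
  owner=$(stat -c '%U' "$f")
  [ "$owner" = "$(id -un)" ] || return 1
  case "$mode" in
    400|600) return 0 ;;
    *)       return 1 ;;
  esac
}

# Verify the renewed lineage directory holds the two files ipa-server-certinstall
# needs and that both look like PEM (an empty or HTML file is rejected).
lineage_ok() {
  local dir="$1" f
  for f in privkey.pem cert.pem; do
    [ -s "$dir/$f" ] || return 1
  done
  grep -q -- '-----BEGIN CERTIFICATE-----' "$dir/cert.pem" || return 1
  grep -Eq -- '-----BEGIN (RSA |EC )?PRIVATE KEY-----' "$dir/privkey.pem" || return 1
}

# Same command as the manual renewal step, made non-interactive. -w: httpd,
# -d: directory server; --pin='' because certbot's private keys are unencrypted.
install_into_ipa() {
  local dir="$1"
  ipa-server-certinstall -w -d "$dir/privkey.pem" "$dir/cert.pem" \
      --pin='' --dirman-password="$(cat "$DM_PASS_FILE")"
  ipactl restart
}

main() {
  local dir="${RENEWED_LINEAGE:?RENEWED_LINEAGE not set; run from certbot --deploy-hook}"
  if ! check_secret_perms "$DM_PASS_FILE"; then
    logger -t "$LOG_TAG" "refusing: $DM_PASS_FILE must be mode 0400/0600 and owned by $(id -un)"
    exit 1
  fi
  if ! lineage_ok "$dir"; then
    logger -t "$LOG_TAG" "refusing: $dir lacks a usable cert.pem/privkey.pem"
    exit 1
  fi
  install_into_ipa "$dir"
  logger -t "$LOG_TAG" "installed renewed certificate from $dir into FreeIPA"
}

# Act only when certbot invokes us; sourcing the file just defines the functions.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
  main
fi
```

Install the script as, for example, /usr/local/sbin/ipa-le-deploy.sh (mode 0700) and reference it from the renewal: `certbot renew --pre-hook "systemctl stop httpd" --post-hook "systemctl start httpd" --deploy-hook /usr/local/sbin/ipa-le-deploy.sh`. The pre- and post-hooks free port 80 for the standalone challenge exactly as the manual method did; the deploy hook runs between them, so the httpd restart performed by ipactl happens before the post-hook. Passing the password on the command line exposes it briefly in the process list of the server itself, which is why the hook refuses to run unless the password file is restricted to its owner.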

You should now have Let’s Encrypt SSL working on your FreeIPA Server setup. The SSL warnings in your browser when accessing the FreeIPA web dashboard should vanish. We would love to do more content on FreeIPA Server administration and integration with third-party services. Stay connected for updates!

