Hi,
Thought I should introduce myself and post a link to some recent work which might be relevant for some of you.
My name is Antonia Stevens and I'm a DevOps Engineer and long-time FreeIPA user.
We recently had a need to get proper certs for IPA servers in AWS, which means they have multiple IPs/DNS Names/Principals. Since I could not find anything, I hacked together a couple of bash scripts to make it a bit easier.
https://github.com/antevens/letsencrypt-freeipa
Thanks for all the great work and depending on my schedule I might try to contribute a bit more going forward.
Antonia Stevens @antevens a@antevens.com https://github.com/antevens/
This looks very cool. I haven't executed it yet but from reading the scripts here are a few ideas/suggestions.
- it may be better to get the Kerberos realm from /etc/ipa/default.conf
- I have the feeling this requires at least IPA v4.5.0. Probably worthwhile to document which version(s) are known to work
- A cronjob wouldn't be necessary if certmonger was used to do the renewal. The script would need to be modified to work as a certmonger CA but then it could handle restarting the services, etc.
rob
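One way to implement the first two suggestions above, as an added example that is not part of the letsencrypt-freeipa scripts: read the realm from the [global] section of /etc/ipa/default.conf and gate on a documented minimum IPA version. The config path is a parameter so a constructed sample runs offline, and the `ipa --version` output format the parser expects is an assumption.

```shell
#!/bin/sh
# Added example, not part of the letsencrypt-freeipa scripts. The config path
# is a parameter so the constructed sample at the bottom runs offline; on a
# real host it would be /etc/ipa/default.conf.
set -eu

# Print the value of KEY from the [global] section of an IPA default.conf.
# Keys in any other section are ignored, so a stray "realm =" elsewhere in
# the file cannot steer the request toward the wrong realm.
ipa_conf_value() {
    conf="$1"
    key="$2"
    awk -v key="$key" '
        /^[[:space:]]*\[/ { in_global = ($0 ~ /^[[:space:]]*\[global\][[:space:]]*$/); next }
        in_global && $0 ~ ("^[[:space:]]*" key "[[:space:]]*=") {
            sub(/^[^=]*=[[:space:]]*/, "")   # drop the "key =" prefix
            sub(/[[:space:]]+$/, "")         # drop trailing whitespace
            print
            exit
        }' "$conf"
}

# Realm lookup that fails loudly: an empty realm would otherwise propagate
# into principal names and the certificate request.
ipa_realm() {
    realm="$(ipa_conf_value "$1" realm)"
    if [ -z "$realm" ]; then
        echo "error: no realm in [global] section of $1" >&2
        return 1
    fi
    printf '%s\n' "$realm"
}

# Dotted version comparison via sort -V (GNU coreutils): true if $1 >= $2.
version_ge() {
    [ "$(printf '%s\n%s\n' "$2" "$1" | sort -V | head -n 1)" = "$2" ]
}

# Pull the version out of `ipa --version` output. The format
# "VERSION: 4.6.4, API_VERSION: 2.229" is assumed here; the text is passed
# in as a string so the function is testable without an IPA client.
ipa_version_from_output() {
    printf '%s\n' "$1" | sed -n 's/^VERSION: *\([0-9.]*\).*/\1/p'
}

# Constructed sample mirroring the layout of /etc/ipa/default.conf, plus a
# decoy section to show that only [global] is consulted.
write_sample_conf() {
    cat >"$1" <<'EOF'
[global]
basedn = dc=example,dc=test
realm = EXAMPLE.TEST
domain = example.test
[decoy]
realm = WRONG.TEST
EOF
}

sample="$(mktemp)"
write_sample_conf "$sample"
ipa_realm "$sample"   # prints EXAMPLE.TEST
rm -f "$sample"
```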
Thanks for the feedback Rob,
I've updated the scripts with your suggestions except for using certmonger, which is probably more work; I've created a GitHub issue for refactoring using certmonger.
- Antonia
On Thu, Oct 12, 2017 at 3:18 AM, Rob Crittenden rcritten@redhat.com wrote:
Awesome. I wonder if we should link to this on the FreeIPA wiki. There is quite a lot of interest in LE certs, and being able to handle renewal, even if via a cronjob, makes it far easier to use.
cheers
rob
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-leave@lists.fedorahosted.org
Ultimately it would be really nice to use certmonger in such a way that any/all servers registered would be able to get a LE cert for any number of principals or possibly even using LE certs for all servers but I think that's beyond my scope right now (and should not use bash).
- Antonia
I think we could add an item "Let's Encrypt" in the "Additional Resources" section of the User Guides page [1]. Antonia, could you please add a link to your project/script there?
[1] http://www.freeipa.org/page/Documentation#User_Guides
On Fri, Oct 13, 2017 at 4:45 PM, Antonia Stevens via FreeIPA-devel <freeipa-devel@lists.fedorahosted.org> wrote:
Hi Felipe,
I believe I would need editor rights to that page to add a link; seeing as I've not contributed to the FreeIPA project before, I don't have the permissions needed.
Perhaps someone else could add the link or direct me on how to obtain the required permissions.
On Sun, Oct 15, 2017 at 6:11 AM, Felipe Barreto Volpone <fbarreto@redhat.com> wrote:
Send me privately your Fedora Account System (FAS) login and I can add you to the right groups in the wiki.
rob
Per previous suggestions I've created a proof of concept implementation using Certmonger and Certbot.
At this stage I have a working prototype that can request certificates and thought I'd solicit feedback before doing further work.
The PoC can be found on my GitHub account. I also registered a domain (cerlet.com) to go with it, which I intend to set up so that it can be used for public testing. Is there a public FreeIPA test server that could be conveniently set up as an authoritative DNS server for the domain and would allow users to sign up and authenticate using Kerberos?
https://github.com/antevens/cerlet
On Fri, Oct 13, 2017 at 8:41 AM, Rob Crittenden rcritten@redhat.com wrote:
This is great news! I'll try to take a look at it soon.
rob
I haven't forgotten about this :-)
I've started reviewing the code, but I need to understand certbot, and my knowledge of ACME has atrophied as well, so the going has been a bit slow so far.
How would you prefer feedback on the code?
rob
Hi Rob,
Bug reports in GitHub are probably easiest. The good thing about implementing it as a Certbot plugin is that hopefully their ACME implementation is correct and up to date.
On Wed, Mar 21, 2018 at 9:31 AM, Rob Crittenden rcritten@redhat.com wrote: