The web UI on the FreeIPA server comes with a self-signed certificate, which means that your web browser will complain about an invalid certificate when first connecting. This is undesirable for a security product.
Today Let's Encrypt provides signed X.509 certificates for free, which makes it a very attractive solution to this problem.
To implement this we can distinguish 3 fundamental steps:
Obtaining Let's Encrypt certificates is widely documented on the web; this procedure should work with certificates obtained by following any of those generic guides.
Download the DST Root CA X3 certificate and paste it into a file (here DTSRootCAX3.pem); make sure the file begins and ends, respectively, with the lines:
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
Then import the certificates into the FreeIPA server, as explained below.
The commands that follow will prompt you for the Directory Manager password if needed; the various ipa commands also support a -p password option to provide the password on the command line. (Personally, I prefer not to have the Directory Manager password in my command history.)
Change to the directory where the Let's Encrypt certificates are stored.
[root@ipa ~]# cd /root/ipa.soholab.org
Import the two CA certificates with ipa-cacert-manage, then run ipa-certupdate so that all IPA services pick up the new CA certificates:
[root@ipa ipa.soholab.org]# ipa-cacert-manage -n DSTRootCAX3 -t C,, install DTSRootCAX3.pem
Installing CA certificate, please wait
CA certificate successfully installed
The ipa-cacert-manage command was successful
[root@ipa ipa.soholab.org]# ipa-cacert-manage -n LetsEncryptX3 -t C,, install ca.cer
Installing CA certificate, please wait
CA certificate successfully installed
The ipa-cacert-manage command was successful
[root@lxipa ~]# ipa-certupdate -v
Use openssl to convert the Let's Encrypt certificate into PKCS#12 (p12) format, which bundles the certificate and its private key in one file (the -certfile option adds the CA chain as well):
[root@ipa ipa.soholab.org]# openssl pkcs12 -export -in ipa.soholab.org.cer -inkey ipa.soholab.org.key -out ipa.soholab.org.p12 -certfile fullchain.cer
Enter Export Password:
Verifying - Enter Export Password:
Finally, install the resulting p12 file in the IPA server; here -w selects the web server (httpd), which serves the web UI:
[root@ipa ipa.soholab.org]# ipa-server-certinstall -w ipa.soholab.org.p12
Directory Manager password:
Enter private key unlock password:
The ipa-server-certinstall command was successful
[root@ipa ipa.soholab.org]#
The following services have to be restarted to take our changes into account:
[root@ipa ipa.soholab.org]# systemctl restart httpd.service
[root@ipa ipa.soholab.org]# systemctl restart dirsrv@SOHOLABS-ORG.service
Alternatively, you can restart all IPA-related services with ipactl:
[root@lxipa ipa.soholab.org]# ipactl stop
Stopping ipa-otpd Service
Stopping pki-tomcatd Service
Stopping ipa-custodia Service
Stopping httpd Service
Stopping ipa_memcached Service
Stopping kadmin Service
Stopping krb5kdc Service
Stopping Directory Service
ipa: INFO: The ipactl command was successful
[root@lxipa ~]# ipactl start
Starting Directory Service
Starting krb5kdc Service
Starting kadmin Service
Starting ipa_memcached Service
Starting httpd Service
Starting ipa-custodia Service
Starting pki-tomcatd Service
Starting ipa-otpd Service
ipa: INFO: The ipactl command was successful
[root@lxipa ~]#
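As an added example (my own, not part of the original post), a few pre-flight checks to run on the files in /root/ipa.soholab.org before handing them to ipa-cacert-manage and ipa-server-certinstall: that a pasted CA file is exactly one PEM block, that the server certificate belongs to the private key, and that the certificate is not about to expire. It assumes openssl is installed and the file names used above; the function names and the 30-day threshold are mine.

```shell
#!/bin/sh
# Added example, not part of the original post: pre-flight checks on the
# Let's Encrypt files before running ipa-cacert-manage / ipa-server-certinstall.
# Assumes openssl is installed; function names and messages are my own.

# 0 if FILE is exactly one PEM block, i.e. starts with the BEGIN line and its
# last non-blank line is the END line (prompt text or a missing line pasted
# into DTSRootCAX3.pem is a common reason ipa-cacert-manage rejects the file).
pem_is_wellformed() {
    f="$1"
    [ -s "$f" ] || return 1
    head -n 1 "$f" | grep -qx -- '-----BEGIN CERTIFICATE-----' || return 1
    sed -e '/^[[:space:]]*$/d' "$f" | tail -n 1 | grep -qx -- '-----END CERTIFICATE-----'
}

# 0 if the public key inside CERT equals the public key derived from KEY, so the
# pkcs12 export does not silently bundle a certificate with the wrong key.
cert_matches_key() {
    c=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null) || return 1
    k=$(openssl pkey -pubout -in "$2" 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# 0 if CERT expires within DAYS days (Let's Encrypt certificates live 90 days,
# so a renewal job should re-run the whole procedure well before that);
# 1 if it is still valid after that period; 2 if the file cannot be parsed.
cert_expires_within() {
    days="$1"; cert="$2"
    openssl x509 -noout -in "$cert" >/dev/null 2>&1 || return 2
    # -checkend exits 0 when the certificate is still valid after that many seconds
    if openssl x509 -noout -checkend "$((days * 86400))" -in "$cert" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Run all checks on the files named in the post; fail on the first problem found.
preflight() {
    dir="${1:-/root/ipa.soholab.org}"
    pem_is_wellformed "$dir/DTSRootCAX3.pem" || { echo "DTSRootCAX3.pem is not a single PEM block" >&2; return 1; }
    pem_is_wellformed "$dir/ca.cer" || { echo "ca.cer is not a single PEM block" >&2; return 1; }
    cert_matches_key "$dir/ipa.soholab.org.cer" "$dir/ipa.soholab.org.key" || { echo "certificate and key do not match" >&2; return 1; }
    if cert_expires_within 30 "$dir/ipa.soholab.org.cer"; then echo "certificate expires within 30 days, renew first" >&2; return 1; fi
    echo "all checks passed for $dir"
}
```

Run `preflight` (optionally with another directory as argument) before the import; a non-zero exit tells you which file to fix.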