CA Certs included are Expired #25
Comments
@afrothundaaaa can you kindly paste the updated code in here, please?
I'm curious what you did as well. What errors did you see? I'm unable to reproduce it. From what I can tell the certificates in the repo match those at letsencrypt.org. It may be related to the distro (or my system) already having the LE certificates available, I don't know.
I am on Fedora 31 (the freeipa package is broken in the latest Debian, so I could not use it). It might be the distro as you suggested. To be honest, I did not check the code, I ran it blindly. I will read through the code over the weekend and see if I have to make changes to the directory structure within the code. Also, according to https://letsencrypt.org/certificates/, they have now retired DSTRootCAX3.pem, the cross-signed root certificate. Maybe this needs to be updated? Or include a wget to download the correct certificates inside the code, for consistency? I will check and update on it.
Hello all. Sorry I wasn't getting notifications for this. @amohideen - You are correct. I did just this by downloading the certificates manually, and replacing the names in the script. I actually modified this heavily to also tie in to acme.sh project so that you can do DNS API integration. I would suggest the wget to pull the latest root certs and to not include them within the script itself if that were possible. Thanks!
Yes I ran the setup script and it worked, sort of, but then I could no longer sign in because of a cert error. wget 'https://letsencrypt.org/certs/isrgrootx1.pem' 'https://letsencrypt.org/certs/lets-encrypt-r3.pem' And things appear to be working now. Edit... I have no idea how to do formatting.
I'm not using these scripts, however, I do use LetsEncrypt with FreeIPA and noticed today when looking at monitoring that one of my IPA servers was only a few weeks away from its certificate expiring. Looking into the cause revealed that it was due to the change in intermediate certs at LE and the FreeIPA tools not handling it all too well, with the ipa-server-certinstall command getting an error: This server previously had a certificate issued by the X3 LE issuer, but, on its most recent renewal, got an R3 issued certificate. The commands from @Necronian should be enough to fix it, for now at least, but, there appear to be additional LE changes coming, so, you may want to add some of the additional certs too. As mentioned by a few people above, https://letsencrypt.org/certificates/ gives details on what issuers are currently valid and which will be coming soon; based on this I've done the following:
Where I keep my certs under /etc/ssl/ I use acme.sh (https://acme.sh) for handling the cert renewal, with a renew-hook running the following contained in /root/bin/newcert.sh:
The command to issue the cert using acme.sh being:
@dtucny - this is perfect. While your additional renewal script for acme.sh isn't what I needed, the wget script is perfect and works with the freeipa-letsencrypt script. I have made changes, including a QOL update to automatically replace the ipa-httpd.conf file with the FQDN of the server, and submitted a pull request. Thanks everyone!
I seem to have a further problem as even after replacing the certs with "ipa-cacert-manage install"
Might you have an idea what's going wrong?
Same problem as @jsievertde - correct cert but login via web UI response is:
Detect wget or curl availability and retrieve the set of current certs from LE directly and import them into IPA. Use the current hostname to configure the CSR for the LE certificate request. Fixes: freeipa#25 Signed-off-by: Mr. Snrub <[email protected]>
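As an added example of the procedure @dtucny describes above (fetch the current LE root and intermediate, install them with ipa-cacert-manage, then update and restart) combined with the wget/curl detection the referenced PR describes, here is a script written for this page; it is not the freeipa-letsencrypt script or the PR's code. The certificate file names and URLs are those quoted in the thread; WORKDIR, the LE_IPA_RUN gate and the one-day expiry margin are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or the freeipa-letsencrypt project.
set -eu
LE_BASE="https://letsencrypt.org/certs"                       # URL used in the thread
LE_CERTS="${LE_CERTS:-isrgrootx1.pem lets-encrypt-r3.pem}"    # file names from the thread
WORKDIR="${WORKDIR:-/tmp/le-certs}"                           # assumed scratch directory

# Pick a downloader: the PR referenced above detects wget or curl availability.
pick_fetcher() {
    if command -v curl >/dev/null 2>&1; then echo curl
    elif command -v wget >/dev/null 2>&1; then echo wget
    else echo "neither curl nor wget found" >&2; return 1; fi
}

# Build (but do not run) the download command line for the chosen tool.
fetch_cmd() {
    case "$1" in
        curl) printf 'curl -fsSL -o %s %s\n' "$3" "$2" ;;
        wget) printf 'wget -q -O %s %s\n' "$3" "$2" ;;
        *) return 1 ;;
    esac
}

# NSS nickname for ipa-cacert-manage -n, derived from the file name as the thread does.
nickname_for() {
    basename "$1" .pem
}

# Refuse a file that is not PEM or expires within a day (assumed margin); an expired root is what broke the setups here.
pem_usable() {
    grep -q 'BEGIN CERTIFICATE' "$1" || return 1
    openssl x509 -in "$1" -noout -checkend 86400 >/dev/null 2>&1
}

main() {
    tool=$(pick_fetcher)
    mkdir -p "$WORKDIR"
    for name in $LE_CERTS; do
        out="$WORKDIR/$name"
        eval "$(fetch_cmd "$tool" "$LE_BASE/$name" "$out")"
        pem_usable "$out" || { echo "$name is not a usable CA cert, aborting" >&2; exit 1; }
        ipa-cacert-manage install "$out" -n "$(nickname_for "$name")"
    done
    ipa-certupdate     # distribute the new CA set to the local trust stores
    ipactl restart     # services only pick up the new chain after a restart
}

# Only import when explicitly requested (assumed gate), so sourcing has no side effects.
if [ "${LE_IPA_RUN:-0}" = 1 ]; then main; fi
```

Run it as root on the IPA server with `LE_IPA_RUN=1`; ipa-cacert-manage will prompt for the Directory Manager password as it does in the thread.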
@jsievertde Have you restarted the server? I'm unable to reproduce this on CentOS 8.
@dtucny Maybe something with the python3.6 version the IPA-Server is using in the background. Thanks for your time.
The solution (worked for me) was (on Fedora 31): I manually installed the certificates. 1: ipa-cacert-manage install "$WORKDIR/ca/DSTRootCAX3.pem" -n DSTRootCAX3. After this stage I ran /renew-le.sh (this will ask for the passphrase). In a different terminal/tab, cd into /var/lib/ipa/passwds/. Everything went smoothly. (This worked for me.)
Okay my problem seems to be this:
For me it seems like my freeipa-server didn't properly activate the Let's Encrypt CA certs.
@jsievertde it's unclear what problem you're having as you mention local and non-local and it isn't clear which is working, or what sequence of commands you've run.
Okay I'm sorry.
We looked into the underlying issue and it looked like we were missing the new CA certs from Let's Encrypt. Contacting the web server from a second system works as expected and the certificate is valid, so for me it seems that IPA itself is unable to pick up the changes. I'm sorry if my writing wasn't as informative as I intended it to be.
Thank you @dtucny! I have been looking around the internet for an example of someone using Acme.sh and trying to scrap together bits and pieces of what I found until I reached your example here! I tweaked it a little to pull in the original httpd password like in renew-le.sh just because, but you got me up and running!
@jsievertde and @laurenegerton I was having the same issue and solved it by temporarily disabling SSL checks. Please note that I have no idea if this will break something or even work for you. Only tested on CentOS 8, so very likely different paths on other systems. Use at own risk :) In
Add after the lines above:
Run:
Revert changes above and run
@olemathias Thanks - that fix worked for us.
I have a cert-expired problem with ipa-server-4.9.6-10. I modified /usr/lib/python3.6/site-packages/ipalib/util.py:
@pubyun Hello, did you find a solution for your error, because now I have encountered this and do not know how to fix it.
Thanks for the script. Was helpful. I was trying to run and getting errors during import of the CA Certs.
I was able to resolve by directly visiting LetsEncrypt and downloading an updated Root Certificate and Intermediate certificate.
https://letsencrypt.org/certificates/
I replaced the existing files with the new cert and the import was successful.