FreeIPA is a powerful open source solution that provides centralized management of authentication, identity stores, and authorization policies in a Linux-based domain. We have a number of articles discussing the installation of FreeIPA Server on various Linux distributions. In this guide we discuss how to secure the web interface of a FreeIPA server (and, because the same certificate is installed into the directory server, its LDAPS endpoint) using free Let’s Encrypt SSL certificates.
As a prerequisite you’ll need a working installation of FreeIPA Server. You can refer to our guides in the links below:
- Install FreeIPA Server on Rocky Linux 8 / CentOS 8
- Install FreeIPA Server on CentOS 7
- Install and Configure FreeIPA Server on Rocky Linux 8
Once FreeIPA Server is installed confirm it is working by obtaining Kerberos ticket as admin user:
$ sudo kinit admin
Password for admin@COMPUTINGFORGEEKS.COM:
$ sudo klist
Ticket cache: KCM:0
Default principal: admin@COMPUTINGFORGEEKS.COM
Valid starting       Expires              Service principal
08/02/2023 17:42:38  08/03/2021 17:42:31  krbtgt/COMPUTINGFORGEEKS.COM@COMPUTINGFORGEEKS.COM
Install EPEL repository and Certbot
On RHEL based systems the Certbot packages are available in EPEL repository. Certbot is meant to be used to obtain Let’s Encrypt certificates and, afterward, to continue renewing the site’s HTTPS certificates.
Install epel-release using the following command:
$ sudo yum install epel-release
Dependencies resolved.
======================================================================================================================================================================================================
Package Architecture Version Repository Size
======================================================================================================================================================================================================
Installing:
epel-release noarch 8-13.el8 extras 23 k
Transaction Summary
======================================================================================================================================================================================================
Install 1 Package
Total download size: 23 k
Installed size: 35 k
Is this ok [y/N]: y
Install certbot thereafter with the next command. The Apache plugin is pulled in here but is not used below: certificates are obtained in standalone mode, and the Apache installer plugin should never be pointed at FreeIPA’s managed httpd configuration, since it rewrites ssl.conf.
$ sudo yum install certbot python3-certbot-apache
....
Transaction Summary
======================================================================================================================================================================================================
Install 36 Packages
Total download size: 5.7 M
Installed size: 20 M
Is this ok [y/N]: y
Confirm installation of certbot tool was successful:
$ certbot --version
certbot x.y.z
Secure FreeIPA Server With Let’s Encrypt SSL Certificate
We will request Let’s Encrypt SSL certificates rather than keep using the certificate issued by the server’s internal IPA CA, which browsers outside the domain do not trust.
Backup current FreeIPA server private keys and certificates before you proceed:
sudo cp -r /var/lib/ipa/certs{,.bak}
sudo cp -r /var/lib/ipa/private{,.bak}
Install git (needed for Method 2) and the vim or nano file editor:
sudo yum -y install git vim nano
Method 1: Secure FreeIPA Server With Let’s Encrypt using Manual method
Follow the steps below.
Download and install Let’s Encrypt CA certificates
Create certs directory:
sudo su -
mkdir freeipa-certs
cd freeipa-certs
Download Let’s Encrypt CA certificates:
# Roots and intermediates published by Let's Encrypt when this guide was written.
# Let's Encrypt rotates intermediates; check https://letsencrypt.org/certificates/ for the current set.
CERTS=("isrgrootx1.pem" "isrg-root-x2.pem" "lets-encrypt-r3.pem" "lets-encrypt-e1.pem" "lets-encrypt-r4.pem" "lets-encrypt-e2.pem")
for CERT in "${CERTS[@]}"
do
  # -f makes curl fail on an HTTP error instead of saving an error page as a .pem file
  curl -fsSL -o "$CERT" "https://letsencrypt.org/certs/$CERT" || echo "download of $CERT failed" >&2
done
Install the Let’s Encrypt CA certificates into the FreeIPA certificate store. This step is required because ipa-server-certinstall only accepts a certificate that chains to a CA already present in the IPA store. Be aware that the store is distributed to every enrolled host by ipa-certupdate, so this is a domain-wide trust decision; the -t option of ipa-cacert-manage install lets you restrict the trust flags if you do not want the default. The command prompts for the Directory Manager password.
CERTS=("isrgrootx1.pem" "isrg-root-x2.pem" "lets-encrypt-r3.pem" "lets-encrypt-e1.pem" "lets-encrypt-r4.pem" "lets-encrypt-e2.pem")
for CERT in "${CERTS[@]}"
do
  ipa-cacert-manage install "$CERT"
done
Expected command output:
Installing CA certificate, please wait
Verified CN=ISRG Root X1,O=Internet Security Research Group,C=US
CA certificate successfully installed
The ipa-cacert-manage command was successful
Installing CA certificate, please wait
Verified CN=ISRG Root X2,O=Internet Security Research Group,C=US
CA certificate successfully installed
The ipa-cacert-manage command was successful
Installing CA certificate, please wait
Verified CN=R3,O=Let's Encrypt,C=US
CA certificate successfully installed
The ipa-cacert-manage command was successful
Installing CA certificate, please wait
Verified CN=E1,O=Let's Encrypt,C=US
CA certificate successfully installed
The ipa-cacert-manage command was successful
Installing CA certificate, please wait
Verified CN=R4,O=Let's Encrypt,C=US
CA certificate successfully installed
The ipa-cacert-manage command was successful
Installing CA certificate, please wait
Verified CN=E2,O=Let's Encrypt,C=US
CA certificate successfully installed
The ipa-cacert-manage command was successful
Update local IPA certificate databases with certificates from the server:
$ sudo ipa-certupdate
Systemwide CA database updated.
Systemwide CA database updated.
The ipa-certupdate command was successful
Obtain Let’s Encrypt Certificates
Stop httpd service to release port 80 required to get certs.
sudo systemctl stop httpd
Then run Certbot to obtain Let’s Encrypt certificates. The http-01 challenge requires that the IdM hostname resolves in public DNS and that Let’s Encrypt can reach port 80 on this host from the internet:
EMAIL="your-email-address"
DOMAIN="idm.example.com"
sudo certbot certonly --standalone --preferred-challenges http --agree-tos -n -d "$DOMAIN" -m "$EMAIL"
Ensure the command for cert generation is successful:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Requesting a certificate for idm.example.com
Performing the following challenges:
http-01 challenge for idm.example.com
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/idm.example.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/idm.example.com/privkey.pem
Your certificate will expire on 2021-10-27. To obtain a new or
tweaked version of this certificate in the future, simply run
certbot again. To non-interactively renew *all* of your
certificates, run "certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
Your certs should be stored in /etc/letsencrypt/live/idm.example.com directory:
$ ls /etc/letsencrypt/live/idm.example.com
cert.pem chain.pem fullchain.pem privkey.pem README
Start the httpd server again after confirming the required certs were generated:
sudo systemctl start httpd
Install the Let’s Encrypt certificate and key for use by the FreeIPA Web UI (-w, httpd) and the directory server (-d, 389-ds, so LDAPS on port 636 serves the same certificate). --pin='' is passed because the Let’s Encrypt private key has no passphrase:
DOMAIN="idm.example.com" # Set correct IdM hostname
sudo ipa-server-certinstall -w -d "/etc/letsencrypt/live/$DOMAIN/privkey.pem" "/etc/letsencrypt/live/$DOMAIN/cert.pem" --pin=''
Command execution output:
Directory Manager password:
Please restart ipa services after installing certificate (ipactl restart)
The ipa-server-certinstall command was successful
Restart FreeIPA services
$ sudo ipactl restart
Restarting Directory Service
Restarting krb5kdc Service
Restarting kadmin Service
Restarting httpd Service
Restarting ipa-custodia Service
Restarting pki-tomcatd Service
Restarting ipa-otpd Service
ipa: INFO: The ipactl command was successful
Confirm which certificate is now served from the terminal or from a web browser.
Using OpenSSL (-servername sends SNI; stdin is closed so s_client exits after printing):
$ openssl s_client -showcerts -verify 5 -connect "$(hostname -f):443" -servername "$(hostname -f)" </dev/null
verify depth is 5
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = idm.example.com
verify return:1
---
Certificate chain
0 s:CN = idm.example.com
i:C = US, O = Let's Encrypt, CN = R3
-----BEGIN CERTIFICATE-----
From the web console: open https://idm.example.com/ipa/ui in a browser and inspect the certificate behind the padlock icon; the issuer should be Let’s Encrypt and the browser should show no certificate warning.
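Because ipa-server-certinstall was run with both -w and -d, the Let’s Encrypt certificate should now be served on the web UI (443) and on LDAPS (636). The script below is an added example, not part of the original guide or of FreeIPA, that checks both ports. It assumes the system CA bundle trusts ISRG Root X1 (it does on RHEL-family systems with ca-certificates installed) and that the hostname you pass resolves to this server; the is_letsencrypt_issuer check accepts both the older "O = Let's Encrypt" and the newer "O=Let's Encrypt" print styles of openssl.

```shell
#!/bin/bash
# Added example: verify that FreeIPA serves a Let's Encrypt certificate on
# both HTTPS (443) and LDAPS (636). Usage: ./check-ipa-cert.sh idm.example.com
set -eu

# Returns 0 when an "issuer=" line printed by `openssl x509 -issuer` names
# Let's Encrypt as the organisation, 1 otherwise.
is_letsencrypt_issuer() {
    case "$1" in
        *"O = Let's Encrypt"*|*"O=Let's Encrypt"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Fetch the leaf certificate served on host:port and print its subject,
# issuer and expiry. -verify_return_error makes the handshake fail when the
# chain does not verify against the system trust store, so a half-installed
# chain shows up as a failure rather than as a successful fetch.
fetch_cert_info() {
    openssl s_client -connect "$1:$2" -servername "$1" -verify_return_error \
        </dev/null 2>/dev/null | openssl x509 -noout -subject -issuer -enddate
}

# Report whether host:port serves a verifiable Let's Encrypt certificate.
check_endpoint() {
    host="$1"; port="$2"
    if ! info=$(fetch_cert_info "$host" "$port"); then
        echo "FAIL $host:$port: TLS handshake or chain verification failed" >&2
        return 1
    fi
    issuer=$(printf '%s\n' "$info" | grep '^issuer=')
    if is_letsencrypt_issuer "$issuer"; then
        echo "OK   $host:$port serves a Let's Encrypt certificate ($issuer)"
    else
        echo "FAIL $host:$port still serves a certificate from: $issuer" >&2
        return 1
    fi
}

# Run the checks only when a hostname is given; without arguments the file
# just defines the functions above.
if [ "$#" -ge 1 ]; then
    status=0
    for port in 443 636; do
        check_endpoint "$1" "$port" || status=1
    done
    exit "$status"
fi
```

If port 636 reports the old IPA CA issuer while 443 reports Let’s Encrypt, the -d option was omitted from ipa-server-certinstall or the directory service was not restarted; rerun the install step and ipactl restart.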
Method 2: Secure FreeIPA Server With Let’s Encrypt using bash script
If you prefer an automated installation of Let’s Encrypt certificates, clone the freeipa-letsencrypt management script from the FreeIPA GitHub organization (a community-maintained helper script, not part of the FreeIPA server packages). Review the script before running it as root:
$ git clone https://github.com/freeipa/freeipa-letsencrypt.git
Cloning into 'freeipa-letsencrypt'...
remote: Enumerating objects: 71, done.
remote: Counting objects: 100% (23/23), done.
remote: Compressing objects: 100% (19/19), done.
remote: Total 71 (delta 6), reused 13 (delta 4), pack-reused 48
Unpacking objects: 100% (71/71), 18.71 KiB | 299.00 KiB/s, done.
Switch to the directory created:
cd freeipa-letsencrypt
Edit renew-le.sh script and set EMAIL variable:
$ vim renew-le.sh
EMAIL="input-your-email-address"
Inside the setup-le.sh script the FreeIPA server FQDN is set to server’s hostname:
FQDN=$(hostname -f)
Ensure the command below returns the hostname as FQDN:
$ hostname -f
idm.example.com
Run setup-le.sh script to prepare the machine:
sudo bash setup-le.sh
The script will perform below actions:
- Install Let’s Encrypt CA certificates into FreeIPA certificate store
- Request new certificate for FreeIPA web interface
Example of command execution output:
...
Installing CA certificate, please wait
Verified CN=R4,O=Let's Encrypt,C=US
CA certificate successfully installed
The ipa-cacert-manage command was successful
--2021-07-29 14:46:06-- https://letsencrypt.org/certs/lets-encrypt-e2.pem
Resolving letsencrypt.org (letsencrypt.org)... 34.194.149.67, 68.183.23.220, 2a05:d014:275:cb01:8909:43f0:2069:7b77, ...
Connecting to letsencrypt.org (letsencrypt.org)|34.194.149.67|:443... connected.
GnuTLS: Resource temporarily unavailable, try again.
GnuTLS: Resource temporarily unavailable, try again.
GnuTLS: Resource temporarily unavailable, try again.
HTTP request sent, awaiting response... 200 OK
Length: 1021 [application/x-pem-file]
Saving to: ‘/etc/ssl/idm.example.com/lets-encrypt-e2.pem’
/etc/ssl/idm.example.com/lets- 100%[================================================================================>] 1021 --.-KB/s in 0s
2021-07-29 14:46:06 (13.3 MB/s) - ‘/etc/ssl/idm.example.com/lets-encrypt-e2.pem’ saved [1021/1021]
Installing CA certificate, please wait
Verified CN=E2,O=Let's Encrypt,C=US
CA certificate successfully installed
The ipa-cacert-manage command was successful
Restart httpd service:
sudo systemctl restart httpd
Confirm ipa-certupdate command execution is successful:
$ sudo ipa-certupdate
Systemwide CA database updated.
Systemwide CA database updated.
The ipa-certupdate command was successful
Modifying Apache web server configuration file to set SSL Cert and Key (Not recommended)
If you are only interested in using the Let’s Encrypt SSL certificate on the browser pages, you can manually modify the ssl.conf file and set the following directives. This is not recommended because FreeIPA treats this file as its own and may rewrite it during upgrades, and because the directory server (LDAPS) keeps serving the old certificate; prefer ipa-server-certinstall as shown above.
$ sudo vim /etc/httpd/conf.d/ssl.conf
SSLCertificateFile /etc/letsencrypt/live/idm.example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/idm.example.com/privkey.pem
Restart httpd service:
sudo systemctl restart httpd
Check that the status is running:
$ systemctl status httpd
● httpd.service - The Apache HTTP Server
Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled)
Drop-In: /etc/systemd/system/httpd.service.d
└─ipa.conf
Active: active (running) since Thu 2021-07-29 23:00:51 EAT; 17s ago
Docs: man:httpd.service(8)
Process: 39925 ExecStartPre=/usr/libexec/ipa/ipa-httpd-kdcproxy (code=exited, status=0/SUCCESS)
Main PID: 39928 (httpd)
Status: "Running, listening on: port 443, port 80"
Tasks: 265 (limit: 101105)
Memory: 332.4M
CGroup: /system.slice/httpd.service
├─39928 /usr/sbin/httpd -DFOREGROUND
├─39929 /usr/sbin/httpd -DFOREGROUND
├─39930 (wsgi:kdcproxy) -DFOREGROUND
├─39931 (wsgi:kdcproxy) -DFOREGROUND
├─39932 (wsgi:ipa) -DFOREGROUND
├─39933 (wsgi:ipa) -DFOREGROUND
├─39934 (wsgi:ipa) -DFOREGROUND
├─39935 (wsgi:ipa) -DFOREGROUND
├─39936 /usr/sbin/httpd -DFOREGROUND
├─39937 /usr/sbin/httpd -DFOREGROUND
└─39938 /usr/sbin/httpd -DFOREGROUND
Jul 29 23:00:51 idm.example.com systemd[1]: Starting The Apache HTTP Server...
Jul 29 23:00:51 idm.example.com ipa-httpd-kdcproxy[39925]: ipa: INFO: KDC proxy enabled
Jul 29 23:00:51 idm.example.com ipa-httpd-kdcproxy[39925]: ipa-httpd-kdcproxy: INFO KDC proxy enabled
Jul 29 23:00:51 idm.example.com systemd[1]: Started The Apache HTTP Server.
Jul 29 23:00:52 idm.example.com httpd[39928]: Server configured, listening on: port 443, port 80
Renewal of FreeIPA Let’s Encrypt Certificate
Let’s Encrypt certificates are valid for 90 days. Certbot’s renewal timer (certbot-renew.timer on EPEL) renews the files under /etc/letsencrypt/live, but it does not install them into FreeIPA, so whenever the certificate is renewed run the commands below on the FreeIPA side. Note also that the standalone authenticator needs port 80, which httpd holds; add pre_hook = systemctl stop httpd and post_hook = systemctl start httpd to the [renewalparams] section of /etc/letsencrypt/renewal/idm.example.com.conf (or pass --pre-hook/--post-hook when obtaining the certificate) so that unattended renewals succeed.
DOMAIN="idm.example.com" # Set correct IdM hostname
sudo ipa-server-certinstall -w -d /etc/letsencrypt/live/$DOMAIN/privkey.pem /etc/letsencrypt/live/$DOMAIN/cert.pem --pin=''
Enter Directory Manager password as required:
Directory Manager password:
The ipa-server-certinstall command was successful
Then proceed to restart FreeIPA services after installing certificate:
sudo ipactl restart
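To avoid running the two commands by hand after every renewal, certbot can run a deploy hook after each successful renewal. The script below is an added example, not from the original guide or from the freeipa-letsencrypt project. It assumes it is installed as /etc/letsencrypt/renewal-hooks/deploy/freeipa.sh (root-owned, mode 0700), that hostname -f returns the IdM FQDN, and that the Directory Manager password is stored in a hypothetical root-only file /etc/ipa/.dmpass (mode 0600); certbot sets RENEWED_LINEAGE to the lineage directory, e.g. /etc/letsencrypt/live/idm.example.com, when it runs the hook.

```shell
#!/bin/bash
# Added example: certbot deploy hook that re-installs a renewed Let's Encrypt
# certificate into FreeIPA (httpd and 389-ds) and restarts the IPA services.
set -eu

# Hypothetical location of the Directory Manager password, readable by root only.
DM_PASS_FILE="${DM_PASS_FILE:-/etc/ipa/.dmpass}"

# Certificate name of a lineage directory (a trailing slash is tolerated).
lineage_name() {
    basename "$1"
}

# Returns 0 when the renewed lineage is the one for this IdM server's FQDN,
# so a hook shared with other certificates on the host never pushes the
# wrong certificate into FreeIPA.
lineage_matches_host() {
    [ "$(lineage_name "$1")" = "$2" ]
}

# Install the renewed key and certificate into httpd (-w) and 389-ds (-d),
# exactly as the manual procedure does, then restart the IPA services.
deploy() {
    lineage="$1"
    fqdn=$(hostname -f)
    if ! lineage_matches_host "$lineage" "$fqdn"; then
        echo "freeipa deploy hook: $lineage is not for $fqdn, nothing to do" >&2
        return 0
    fi
    if [ ! -r "$DM_PASS_FILE" ]; then
        echo "freeipa deploy hook: cannot read $DM_PASS_FILE" >&2
        return 1
    fi
    # -p supplies the Directory Manager password non-interactively (it is visible
    # in the process list while the command runs); --pin='' because the
    # Let's Encrypt private key has no passphrase.
    ipa-server-certinstall -w -d "$lineage/privkey.pem" "$lineage/cert.pem" \
        --pin='' -p "$(cat "$DM_PASS_FILE")"
    ipactl restart
}

# Only act when certbot invoked us; loading the file without RENEWED_LINEAGE
# set just defines the functions above.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy "$RENEWED_LINEAGE"
fi
```

Test the hook without waiting 60 days with sudo certbot renew --force-renewal, then run the openssl check from the verification step to confirm that both 443 and 636 present the new expiry date. ipactl restart briefly interrupts Kerberos and LDAP for the whole domain, so schedule the renewal timer for a quiet period.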
You should now have a working Let’s Encrypt SSL setup on your FreeIPA Server, and the certificate warnings in your browser when accessing the FreeIPA web dashboard should be gone. We would love to do more content on FreeIPA Server administration and integration with third party services. Stay connected for updates!
More guides on FreeIPA:
- Change FreeIPA user maximum password expiry lifetime > 90 days
- Run FreeIPA Server in Docker / Podman Containers
- Manage Users and Groups in FreeIPA using CLI
- How To Configure Jenkins FreeIPA LDAP Authentication
- Configure GitLab FreeIPA LDAP Authentication