Secure FreeIPA Server With Let’s Encrypt SSL Certificate

FreeIPA is a powerful open source solution created to provide a centralized way of managing authentication, identity stores, policies, and authorization policies in a Linux-based domain. We have a number of articles discussing the installation of FreeIPA Server on various Linux distributions. In this guide we will discuss how you can secure the web interface of a FreeIPA server using free Let’s Encrypt SSL certificates.
As a prerequisite you’ll need a working installation of FreeIPA Server on your system. You can refer to our guides in the links below:
- Install FreeIPA Server on Rocky Linux 8 / CentOS 8
- Install FreeIPA Server on CentOS 7
- Install and Configure FreeIPA Server on Rocky Linux 8
Once FreeIPA Server is installed, confirm it is working by obtaining a Kerberos ticket as the admin user:
$ sudo kinit admin
Password for admin@COMPUTINGFORGEEKS.COM:
$ sudo klist
Ticket cache: KCM:0
Default principal: admin@COMPUTINGFORGEEKS.COM
Valid starting       Expires              Service principal
08/02/2021 17:42:38  08/03/2021 17:42:31  krbtgt/COMPUTINGFORGEEKS.COM@COMPUTINGFORGEEKS.COM
Install EPEL repository and Certbot
On RHEL-based systems the Certbot packages are available in the EPEL repository. Certbot is used to obtain Let’s Encrypt certificates and, afterwards, to keep renewing the site’s HTTPS certificates.
Install epel-release using the following command:
$ sudo yum install epel-release
Dependencies resolved.
======================================================================================================================================================================================================
 Package                                            Architecture                                 Version                                           Repository                                    Size
======================================================================================================================================================================================================
Installing:
 epel-release                                       noarch                                       8-13.el8                                          extras                                        23 k
Transaction Summary
======================================================================================================================================================================================================
Install  1 Package
Total download size: 23 k
Installed size: 35 k
Is this ok [y/N]: y
Install certbot thereafter with the next command:
$ sudo yum install certbot python3-certbot-apache
....
Transaction Summary
======================================================================================================================================================================================================
Install  36 Packages
Total download size: 5.7 M
Installed size: 20 M
Is this ok [y/N]: y
Confirm that the certbot installation was successful:
$ certbot --version
certbot x.y.z
Secure FreeIPA Server With Let’s Encrypt SSL Certificate
We will request Let’s Encrypt SSL certificates rather than using the server’s self-signed certificates.
Backup current FreeIPA server private keys and certificates before you proceed:
sudo cp -r /var/lib/ipa/certs{,.bak}
sudo cp -r /var/lib/ipa/private{,.bak}
Install git, vim or nano file editor
sudo yum -y install git vim nano
Method 1: Secure FreeIPA Server With Let’s Encrypt using Manual method
Follow the steps below.
Download and install Let’s Encrypt CA certificates
Create certs directory:
sudo su -
mkdir freeipa-certs
cd freeipa-certs
Download Let’s Encrypt CA certificates:
CERTS=("isrgrootx1.pem" "isrg-root-x2.pem" "lets-encrypt-r3.pem" "lets-encrypt-e1.pem" "lets-encrypt-r4.pem" "lets-encrypt-e2.pem")
for CERT in "${CERTS[@]}"
do
  curl -o $CERT "https://letsencrypt.org/certs/$CERT"
done
Install Let’s Encrypt CA certificates into FreeIPA certificate store:
CERTS=("isrgrootx1.pem" "isrg-root-x2.pem" "lets-encrypt-r3.pem" "lets-encrypt-e1.pem" "lets-encrypt-r4.pem" "lets-encrypt-e2.pem")
for CERT in "${CERTS[@]}"
do
  ipa-cacert-manage install $CERT
done
Expected command output:
Installing CA certificate, please wait
Verified CN=ISRG Root X1,O=Internet Security Research Group,C=US
CA certificate successfully installed
The ipa-cacert-manage command was successful
Installing CA certificate, please wait
Verified CN=ISRG Root X2,O=Internet Security Research Group,C=US
CA certificate successfully installed
The ipa-cacert-manage command was successful
Installing CA certificate, please wait
Verified CN=R3,O=Let's Encrypt,C=US
CA certificate successfully installed
The ipa-cacert-manage command was successful
Installing CA certificate, please wait
Verified CN=E1,O=Let's Encrypt,C=US
CA certificate successfully installed
The ipa-cacert-manage command was successful
Installing CA certificate, please wait
Verified CN=R4,O=Let's Encrypt,C=US
CA certificate successfully installed
The ipa-cacert-manage command was successful
Installing CA certificate, please wait
Verified CN=E2,O=Let's Encrypt,C=US
CA certificate successfully installed
The ipa-cacert-manage command was successful
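The two loops above (download, then import) combined into one script that refuses to hand anything to ipa-cacert-manage unless it actually is a PEM certificate, so a failed download or an HTML error page can never end up in the FreeIPA trust store. This is an added example, not code from the article; the staging directory /root/freeipa-certs and the script name import-le-ca.sh are assumptions. The certificate list is the article's own, and because Let’s Encrypt rotates its intermediates over time, check https://letsencrypt.org/certificates/ for the currently active set before running it.

```sh
#!/bin/sh
# Added example (not from the article): download the Let's Encrypt CA
# certificates, sanity-check each file, then import it into the FreeIPA
# trust store with ipa-cacert-manage, aborting on the first failure.
# The file list is the one the article uses; check
# https://letsencrypt.org/certificates/ for the currently active set.
set -eu

CERTS="isrgrootx1.pem isrg-root-x2.pem lets-encrypt-r3.pem lets-encrypt-e1.pem lets-encrypt-r4.pem lets-encrypt-e2.pem"
WORKDIR="${WORKDIR:-/root/freeipa-certs}"   # assumed staging directory

# Return 0 only if the file is non-empty and starts with a PEM certificate
# header. A download that saved an HTML error page, or an empty file, fails
# this check and must not be imported as a trusted CA.
looks_like_pem_cert() {
    [ -s "$1" ] || return 1
    head -n 1 "$1" | grep -q '^-----BEGIN CERTIFICATE-----$'
}

# Download one CA file; -f makes curl fail on HTTP errors instead of saving
# the error body, so a 404 never produces a bogus .pem.
fetch_ca() {
    name="$1"
    curl -fsSL -o "$WORKDIR/$name" "https://letsencrypt.org/certs/$name"
    looks_like_pem_cert "$WORKDIR/$name"
}

# Show exactly which subject is about to be trusted, then import it.
install_ca() {
    file="$1"
    echo "Importing: $(openssl x509 -in "$file" -noout -subject)"
    ipa-cacert-manage install "$file"
}

main() {
    mkdir -p "$WORKDIR"
    for name in $CERTS; do
        fetch_ca "$name" || {
            echo "refusing to import $name: download failed or file is not a PEM certificate" >&2
            exit 1
        }
        install_ca "$WORKDIR/$name"
    done
    # Push the updated CA set into the local certificate databases, as the article does next.
    ipa-certupdate
}

# Usage: sudo sh import-le-ca.sh install
case "${1:-}" in
    install) main ;;
esac
```

Run it as root with the single argument `install`; without an argument it only defines the functions, which keeps an accidental invocation from touching the trust store.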
Update local IPA certificate databases with certificates from the server:
$ sudo ipa-certupdate
Systemwide CA database updated.
Systemwide CA database updated.
The ipa-certupdate command was successful
Obtain Let’s Encrypt Certificates
Stop the httpd service to free port 80, which certbot’s standalone HTTP-01 challenge listens on.
sudo systemctl stop httpd
Then run Certbot to obtain Let’s Encrypt certificates:
EMAIL="your-email-address"
DOMAIN="idm.example.com"
sudo certbot certonly --standalone --preferred-challenges http --agree-tos -n -d $DOMAIN -m $EMAIL
Ensure the certificate request completed successfully:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Requesting a certificate for idm.example.com
Performing the following challenges:
http-01 challenge for idm.example.com
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/idm.example.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/idm.example.com/privkey.pem
   Your certificate will expire on 2021-10-27. To obtain a new or
   tweaked version of this certificate in the future, simply run
   certbot again. To non-interactively renew *all* of your
   certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:
   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
Your certs should be stored in the /etc/letsencrypt/live/idm.example.com directory:
$ ls /etc/letsencrypt/live/idm.example.com
cert.pem  chain.pem  fullchain.pem  privkey.pem  README
Start the httpd server after confirming the required certs were generated:
sudo systemctl restart httpd
Add the Let’s Encrypt SSL certificates for use in the FreeIPA Web UI:
DOMAIN="idm.example.com" # Set correct IdM hostname
sudo ipa-server-certinstall -w -d /etc/letsencrypt/live/$DOMAIN/privkey.pem /etc/letsencrypt/live/$DOMAIN/cert.pem --pin=''
Command execution output:
Directory Manager password:
Please restart ipa services after installing certificate (ipactl restart)
The ipa-server-certinstall command was successful
Restart FreeIPA services
$ sudo ipactl restart
Restarting Directory Service
Restarting krb5kdc Service
Restarting kadmin Service
Restarting httpd Service
Restarting ipa-custodia Service
Restarting pki-tomcatd Service
Restarting ipa-otpd Service
ipa: INFO: The ipactl command was successful
You can confirm which SSL certificate is currently in use from the terminal or from a web browser.
Using OpenSSL:
$ openssl s_client -showcerts -verify 5 -connect $(hostname -f):443
verify depth is 5
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = idm.example.com
verify return:1
---
Certificate chain
 0 s:CN = idm.example.com
   i:C = US, O = Let's Encrypt, CN = R3
-----BEGIN CERTIFICATE-----
From Web console:

Method 2: Secure FreeIPA Server With Let’s Encrypt using bash script
If you prefer an automated installation of Let’s Encrypt certificates, clone the official freeipa-letsencrypt management script repository from GitHub:
$ git clone https://github.com/freeipa/freeipa-letsencrypt.git
Cloning into 'freeipa-letsencrypt'...
remote: Enumerating objects: 71, done.
remote: Counting objects: 100% (23/23), done.
remote: Compressing objects: 100% (19/19), done.
remote: Total 71 (delta 6), reused 13 (delta 4), pack-reused 48
Unpacking objects: 100% (71/71), 18.71 KiB | 299.00 KiB/s, done.
Switch to the directory created:
cd freeipa-letsencrypt
Edit the renew-le.sh script and set the EMAIL variable:
$ vim renew-le.sh
EMAIL="input-your-email-address"
Inside the setup-le.sh script the FreeIPA server FQDN is set to the server’s hostname:
FQDN=$(hostname -f)
Ensure the command below returns the hostname as an FQDN:
$ hostname -f
idm.example.com
Run the setup-le.sh script to prepare the machine:
sudo bash setup-le.sh
The script will perform the actions below:
- Install Let’s Encrypt CA certificates into FreeIPA certificate store
- Request new certificate for FreeIPA web interface
Example of command execution output:
...
Installing CA certificate, please wait
Verified CN=R4,O=Let's Encrypt,C=US
CA certificate successfully installed
The ipa-cacert-manage command was successful
--2021-07-29 14:46:06--  https://letsencrypt.org/certs/lets-encrypt-e2.pem
Resolving letsencrypt.org (letsencrypt.org)... 34.194.149.67, 68.183.23.220, 2a05:d014:275:cb01:8909:43f0:2069:7b77, ...
Connecting to letsencrypt.org (letsencrypt.org)|34.194.149.67|:443... connected.
GnuTLS: Resource temporarily unavailable, try again.
GnuTLS: Resource temporarily unavailable, try again.
GnuTLS: Resource temporarily unavailable, try again.
HTTP request sent, awaiting response... 200 OK
Length: 1021 [application/x-pem-file]
Saving to: ‘/etc/ssl/idm.example.com/lets-encrypt-e2.pem’
/etc/ssl/idm.example.com/lets- 100%[================================================================================>]    1021  --.-KB/s    in 0s
2021-07-29 14:46:06 (13.3 MB/s) - ‘/etc/ssl/idm.example.com/lets-encrypt-e2.pem’ saved [1021/1021]
Installing CA certificate, please wait
Verified CN=E2,O=Let's Encrypt,C=US
CA certificate successfully installed
The ipa-cacert-manage command was successful
Restart httpd service:
sudo systemctl restart httpd
Confirm that the ipa-certupdate command runs successfully:
$ sudo ipa-certupdate
Systemwide CA database updated.
Systemwide CA database updated.
The ipa-certupdate command was successful
Modifying Apache web server configuration file to set SSL Cert and Key (Not recommended)
If you are only interested in using the Let’s Encrypt SSL certificate for the browser pages, you can manually modify the ssl.conf file and set the following directives:
$ sudo vim /etc/httpd/conf.d/ssl.conf
SSLCertificateFile /etc/letsencrypt/live/idm.example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/idm.example.com/privkey.pem
Restart httpd service:
sudo systemctl restart httpd
Check that the status is running:
$ systemctl status httpd
● httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled)
  Drop-In: /etc/systemd/system/httpd.service.d
           └─ipa.conf
   Active: active (running) since Thu 2021-07-29 23:00:51 EAT; 17s ago
     Docs: man:httpd.service(8)
  Process: 39925 ExecStartPre=/usr/libexec/ipa/ipa-httpd-kdcproxy (code=exited, status=0/SUCCESS)
 Main PID: 39928 (httpd)
   Status: "Running, listening on: port 443, port 80"
    Tasks: 265 (limit: 101105)
   Memory: 332.4M
   CGroup: /system.slice/httpd.service
           ├─39928 /usr/sbin/httpd -DFOREGROUND
           ├─39929 /usr/sbin/httpd -DFOREGROUND
           ├─39930 (wsgi:kdcproxy) -DFOREGROUND
           ├─39931 (wsgi:kdcproxy) -DFOREGROUND
           ├─39932 (wsgi:ipa)      -DFOREGROUND
           ├─39933 (wsgi:ipa)      -DFOREGROUND
           ├─39934 (wsgi:ipa)      -DFOREGROUND
           ├─39935 (wsgi:ipa)      -DFOREGROUND
           ├─39936 /usr/sbin/httpd -DFOREGROUND
           ├─39937 /usr/sbin/httpd -DFOREGROUND
           └─39938 /usr/sbin/httpd -DFOREGROUND
Jul 29 23:00:51 idm.example.com systemd[1]: Starting The Apache HTTP Server...
Jul 29 23:00:51 idm.example.com ipa-httpd-kdcproxy[39925]: ipa: INFO: KDC proxy enabled
Jul 29 23:00:51 idm.example.com ipa-httpd-kdcproxy[39925]: ipa-httpd-kdcproxy: INFO     KDC proxy enabled
Jul 29 23:00:51 idm.example.com systemd[1]: Started The Apache HTTP Server.
Jul 29 23:00:52 idm.example.com httpd[39928]: Server configured, listening on: port 443, port 80
Renewal of FreeIPA Let’s Encrypt Certificate
Whenever the SSL certificates are renewed, run the commands below to update them on the FreeIPA side:
DOMAIN="idm.example.com" # Set correct IdM hostname
sudo ipa-server-certinstall -w -d /etc/letsencrypt/live/$DOMAIN/privkey.pem /etc/letsencrypt/live/$DOMAIN/cert.pem --pin=''
Enter the Directory Manager password when prompted:
Directory Manager password:
The ipa-server-certinstall command was successful
Then restart the FreeIPA services after installing the certificate:
sudo ipactl restart
You should then have a working Let’s Encrypt SSL setup on your FreeIPA Server. The SSL warnings in your browser when accessing the FreeIPA web dashboard should vanish. We would love to do more content on FreeIPA Server administration and integration with third party services. Stay connected for updates!
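The renewal steps above, written as a certbot deploy hook so that they run automatically after every successful renewal instead of being typed in by hand. This is an added example, not code from the article or from the freeipa-letsencrypt project. It assumes the hook is saved as /etc/letsencrypt/renewal-hooks/deploy/freeipa.sh, that the Directory Manager password is kept in a root-only file (/root/.dm_password, an assumed path) and passed through ipa-server-certinstall's --dirman-password option so the command does not prompt, and that openssl is available to confirm afterwards that httpd really serves the renewed certificate.

```sh
#!/bin/sh
# Added example (not from the article or the freeipa-letsencrypt project):
# a certbot deploy hook that repeats the article's renewal steps automatically.
# Assumed install path: /etc/letsencrypt/renewal-hooks/deploy/freeipa.sh (mode 0700).
# Certbot runs deploy hooks after each successful issuance/renewal and exports
# RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/idm.example.com) and RENEWED_DOMAINS.
# For the article's --standalone setup, register httpd stop/start as well, e.g.:
#   certbot certonly --standalone -d idm.example.com \
#       --pre-hook 'systemctl stop httpd' --post-hook 'systemctl start httpd' \
#       --deploy-hook /etc/letsencrypt/renewal-hooks/deploy/freeipa.sh
set -eu

# Directory Manager password kept in a root-only file (assumed path, mode 0600)
# so that it never appears on a command line or in certbot's logs.
DM_PASS_FILE="${DM_PASS_FILE:-/root/.dm_password}"

# Return 0 when the lineage directory holds the key and certificate that
# ipa-server-certinstall needs and the certificate file really is PEM.
lineage_ready() {
    dir="$1"
    [ -f "$dir/privkey.pem" ] || return 1
    [ -s "$dir/cert.pem" ] || return 1
    head -n 1 "$dir/cert.pem" | grep -q '^-----BEGIN CERTIFICATE-----$'
}

# The article's ipa-server-certinstall call (-w HTTP, -d Directory Server,
# empty pin because the certbot key is unencrypted), made non-interactive
# with --dirman-password, followed by the ipactl restart the tool asks for.
install_into_freeipa() {
    dir="$1"
    ipa-server-certinstall -w -d "$dir/privkey.pem" "$dir/cert.pem" \
        --pin='' --dirman-password "$(cat "$DM_PASS_FILE")"
    ipactl restart
}

# Return 0 when the certificate now served on port 443 has the same SHA-256
# fingerprint as the file certbot wrote; otherwise httpd still has the old one.
served_matches_file() {
    host="$1"; certfile="$2"
    expected=$(openssl x509 -in "$certfile" -noout -fingerprint -sha256)
    served=$(openssl s_client -connect "$host:443" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256)
    [ "$expected" = "$served" ]
}

main() {
    lineage="$RENEWED_LINEAGE"
    host=$(basename "$lineage")
    lineage_ready "$lineage" || { echo "$lineage is missing privkey.pem/cert.pem" >&2; exit 1; }
    install_into_freeipa "$lineage"
    if served_matches_file "$host" "$lineage/cert.pem"; then
        echo "FreeIPA at $host now serves the renewed certificate"
    else
        echo "WARNING: $host still serves a different certificate" >&2
        exit 1
    fi
}

# Only act when certbot invoked us; loading the file elsewhere just defines the functions.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    main
fi
```

Because the article obtains the certificate in --standalone mode, the pre-hook and post-hook in the header comment stop and start httpd around the ACME exchange; the deploy hook then runs with the new lineage in place, and the ipactl restart inside it brings httpd back up before the fingerprint comparison connects to port 443. A non-zero exit from the hook shows up in certbot's renewal log, which is the place to watch if FreeIPA keeps serving an expired certificate.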
More guides on FreeIPA:
- Change FreeIPA user maximum password expiry lifetime > 90 days
- Run FreeIPA Server in Docker / Podman Containers
- Manage Users and Groups in FreeIPA using CLI
- How To Configure Jenkins FreeIPA LDAP Authentication
- Configure GitLab FreeIPA LDAP Authentication