FreeIPA Server
Securing a FreeIPA Server with Let's Encrypt SSL Certificates
Basic setup
After installing the FreeIPA server, confirm that it is working by obtaining a Kerberos ticket as the admin user:
$ sudo kinit admin
Password for admin@COMPUTINGFORGEEKS.COM:
$ sudo klist
Ticket cache: KCM:0
Default principal: admin@COMPUTINGFORGEEKS.COM
Valid starting Expires Service principal
08/02/2021 17:42:38 08/03/2021 17:42:31 krbtgt/COMPUTINGFORGEEKS.COM@COMPUTINGFORGEEKS.COM
Installing the EPEL repository and Certbot
On RHEL-based systems the Certbot package is available from the EPEL repository. Certbot is the client used to obtain Let's Encrypt certificates and then keep a site's HTTPS certificate renewed.
Install epel-release with the following command:
$ sudo yum install epel-release
Last metadata expiration check: 1 day, 15:05:30 ago on Tue 27 Jul 2021 10:11:28 PM EAT.
Dependencies resolved.
==================================================================================================================================================================
Package Architecture Version Repository Size
==================================================================================================================================================================
Installing:
epel-release noarch 8-10.el8 extras 22 k
Transaction Summary
==================================================================================================================================================================
Install 1 Package
Total download size: 22 k
Installed size: 32 k
Is this ok [y/N]: y
Downloading Packages:
epel-release-8-10.el8.noarch.rpm 182 kB/s | 22 kB 00:00
------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total 67 kB/s | 22 kB 00:00
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
Preparing : 1/1
Installing : epel-release-8-10.el8.noarch 1/1
Running scriptlet: epel-release-8-10.el8.noarch 1/1
Verifying : epel-release-8-10.el8.noarch 1/1
Installed:
epel-release-8-10.el8.noarch
Complete!
Then install certbot. The python3-certbot-apache plugin is pulled in here but is not used below: the steps use certbot's standalone authenticator, because letting certbot's apache installer rewrite the httpd configuration that FreeIPA manages is not what we want.
sudo yum install certbot python3-certbot-apache
Last metadata expiration check: 0:10:00 ago on Thu 29 Jul 2021 01:17:18 PM EAT.
Dependencies resolved.
==================================================================================================================================================================
Package Architecture Version Repository Size
==================================================================================================================================================================
Installing:
certbot noarch 1.14.0-1.el8 epel 51 k
python3-certbot-apache noarch 1.14.0-1.el8 epel 143 k
Installing dependencies:
python3-acme noarch 1.14.0-1.el8 epel 88 k
python3-certbot noarch 1.14.0-1.el8 epel 391 k
python3-configargparse noarch 0.14.0-6.el8 epel 36 k
python3-josepy noarch 1.8.0-1.el8 epel 102 k
python3-parsedatetime noarch 2.5-1.el8 epel 79 k
python3-pyOpenSSL noarch 19.0.0-1.el8 appstream 102 k
python3-pyrfc3339 noarch 1.1-1.el8 epel 19 k
python3-requests-toolbelt noarch 0.9.1-4.el8 epel 91 k
python3-zope-component noarch 4.3.0-8.el8 epel 313 k
python3-zope-event noarch 4.2.0-12.el8 epel 210 k
python3-zope-interface x86_64 4.6.0-1.el8 epel 158 k
Installing weak dependencies:
python-josepy-doc noarch 1.8.0-1.el8 epel 22 k
Transaction Summary
==================================================================================================================================================================
Install 14 Packages
Total download size: 1.8 M
Installed size: 6.9 M
Is this ok [y/N]: y
Confirm that the certbot tool installed successfully:
$ certbot --version
certbot 1.14.0
Requesting a Let's Encrypt certificate
We will request a Let's Encrypt certificate instead of keeping the certificate FreeIPA issued from its own CA, which browsers do not trust unless the IPA CA certificate has been imported into them.
Back up the current FreeIPA server private keys and certificates before continuing:
sudo cp -r /var/lib/ipa/certs{,.bak}
sudo cp -r /var/lib/ipa/private{,.bak}
Install git (needed for Method 2) and a text editor (vim or nano):
sudo yum -y install git vim nano
Method 1: Securing the FreeIPA server with Let's Encrypt manually
Follow the steps below.
Download and install the Let's Encrypt CA certificates
Create a working directory for the certificates:
sudo su -
mkdir freeipa-certs
cd freeipa-certs
Download the Let's Encrypt CA certificates. The list below is the root and intermediate set that was current when this was written; Let's Encrypt rotates its intermediates (R3, R4, E1 and E2 have since been replaced by R10, R11, E5 and E6), so check https://letsencrypt.org/certificates/ and adjust the list to the chain your certificate is actually issued from. The roots are listed before the intermediates that chain to them:
CERTS=("isrgrootx1.pem" "isrg-root-x2.pem" "lets-encrypt-r3.pem" "lets-encrypt-e1.pem" "lets-encrypt-r4.pem" "lets-encrypt-e2.pem")
for CERT in "${CERTS[@]}"
do
  # -f makes curl fail on an HTTP error instead of saving an HTML error page as a .pem file
  curl -fsSL -o "$CERT" "https://letsencrypt.org/certs/$CERT"
done
Install the Let's Encrypt CA certificates into the FreeIPA certificate store:
CERTS=("isrgrootx1.pem" "isrg-root-x2.pem" "lets-encrypt-r3.pem" "lets-encrypt-e1.pem" "lets-encrypt-r4.pem" "lets-encrypt-e2.pem")
for CERT in "${CERTS[@]}"
do
ipa-cacert-manage install $CERT
done
Expected command output:
Installing CA certificate, please wait
Verified CN=ISRG Root X1,O=Internet Security Research Group,C=US
CA certificate successfully installed
The ipa-cacert-manage command was successful
Installing CA certificate, please wait
Verified CN=ISRG Root X2,O=Internet Security Research Group,C=US
CA certificate successfully installed
The ipa-cacert-manage command was successful
Installing CA certificate, please wait
Verified CN=R3,O=Let's Encrypt,C=US
CA certificate successfully installed
The ipa-cacert-manage command was successful
Installing CA certificate, please wait
Verified CN=E1,O=Let's Encrypt,C=US
CA certificate successfully installed
The ipa-cacert-manage command was successful
Installing CA certificate, please wait
Verified CN=R4,O=Let's Encrypt,C=US
CA certificate successfully installed
The ipa-cacert-manage command was successful
Installing CA certificate, please wait
Verified CN=E2,O=Let's Encrypt,C=US
CA certificate successfully installed
The ipa-cacert-manage command was successful
Update the local IPA certificate databases with the certificates from the server:
$ sudo ipa-certupdate
Systemwide CA database updated.
Systemwide CA database updated.
The ipa-certupdate command was successful
Obtaining the Let's Encrypt certificate
Stop the httpd service to free port 80, which certbot's standalone authenticator binds to for the HTTP-01 challenge. For the challenge to succeed, the FreeIPA server's FQDN must resolve publicly and port 80 must be reachable from the internet; the web UI is unavailable until httpd is started again.
sudo systemctl stop httpd
Then run Certbot to obtain the Let's Encrypt certificate:
EMAIL="your-email-address"
DOMAIN="idm.example.com"
sudo certbot certonly --standalone --preferred-challenges http --agree-tos -n -d $DOMAIN -m $EMAIL
Make sure the certificate request succeeded:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Requesting a certificate for idm.example.com
Performing the following challenges:
http-01 challenge for idm.example.com
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/idm.example.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/idm.example.com/privkey.pem
Your certificate will expire on 2021-10-27. To obtain a new or
tweaked version of this certificate in the future, simply run
certbot again. To non-interactively renew *all* of your
certificates, run "certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
Your certificate should be stored in the /etc/letsencrypt/live/idm.example.com directory:
$ ls /etc/letsencrypt/live/idm.example.com
cert.pem chain.pem fullchain.pem privkey.pem README
After confirming that the required certificate files exist, start the httpd server again:
sudo systemctl restart httpd
Install the Let's Encrypt certificate for use by the FreeIPA web UI (-w) and the Directory Server (-d). --pin='' is passed because the private key generated by certbot is not encrypted:
DOMAIN="idm.example.com" # Set correct IdM hostname
sudo ipa-server-certinstall -w -d /etc/letsencrypt/live/$DOMAIN/privkey.pem /etc/letsencrypt/live/$DOMAIN/cert.pem --pin=''
Command output:
Directory Manager password:
Please restart ipa services after installing certificate (ipactl restart)
The ipa-server-certinstall command was successful
Restart the FreeIPA services:
$ sudo ipactl restart
Restarting Directory Service
Restarting krb5kdc Service
Restarting kadmin Service
Restarting httpd Service
Restarting ipa-custodia Service
Restarting pki-tomcatd Service
Restarting ipa-otpd Service
ipa: INFO: The ipactl command was successful
The certificate currently in use can be confirmed from the terminal or from a web browser.
Using OpenSSL (what you want to see is verify return:1 at every depth, with the depth 0 certificate issued by Let's Encrypt):
$ openssl s_client -showcerts -verify 5 -connect $(hostname -f):443
verify depth is 5
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = idm.example.com
verify return:1
---
Certificate chain
0 s:CN = idm.example.com
i:C = US, O = Let's Encrypt, CN = R3
-----BEGIN CERTIFICATE-----
From the web console: open the FreeIPA web UI in a browser and inspect the site certificate; it should now be issued by Let's Encrypt.
Method 2: Securing the FreeIPA server with Let's Encrypt using the bash script
If you prefer an automated installation of the Let's Encrypt certificate, clone the FreeIPA project's Let's Encrypt management scripts from GitHub:
$ git clone https://github.com/freeipa/freeipa-letsencrypt.git
Cloning into 'freeipa-letsencrypt'...
remote: Enumerating objects: 71, done.
remote: Counting objects: 100% (23/23), done.
remote: Compressing objects: 100% (19/19), done.
remote: Total 71 (delta 6), reused 13 (delta 4), pack-reused 48
Unpacking objects: 100% (71/71), 18.71 KiB | 299.00 KiB/s, done.
Change into the created directory:
cd freeipa-letsencrypt
Edit the renew-le.sh script and set the EMAIL variable:
$ vim renew-le.sh
EMAIL="input-your-email-address"
In the setup-le.sh script the FreeIPA server FQDN is taken from the server's hostname:
FQDN=$(hostname -f)
Make sure the following command returns the hostname as an FQDN:
$ hostname -f
idm.example.com
Run the setup-le.sh script to prepare the machine:
sudo bash setup-le.sh
The script does the following:
- installs the Let's Encrypt CA certificates into the FreeIPA certificate store
- requests a new certificate for the FreeIPA web interface
Example command output:
...
Installing CA certificate, please wait
Verified CN=R4,O=Let's Encrypt,C=US
CA certificate successfully installed
The ipa-cacert-manage command was successful
--2021-07-29 14:46:06-- https://letsencrypt.org/certs/lets-encrypt-e2.pem
Resolving letsencrypt.org (letsencrypt.org)... 34.194.149.67, 68.183.23.220, 2a05:d014:275:cb01:8909:43f0:2069:7b77, ...
Connecting to letsencrypt.org (letsencrypt.org)|34.194.149.67|:443... connected.
GnuTLS: Resource temporarily unavailable, try again.
GnuTLS: Resource temporarily unavailable, try again.
GnuTLS: Resource temporarily unavailable, try again.
HTTP request sent, awaiting response... 200 OK
Length: 1021 [application/x-pem-file]
Saving to: ‘/etc/ssl/idm.example.com/lets-encrypt-e2.pem’
/etc/ssl/idm.example.com/lets- 100%[================================================================================>] 1021 --.-KB/s in 0s
2021-07-29 14:46:06 (13.3 MB/s) - ‘/etc/ssl/idm.example.com/lets-encrypt-e2.pem’ saved [1021/1021]
Installing CA certificate, please wait
Verified CN=E2,O=Let's Encrypt,C=US
CA certificate successfully installed
The ipa-cacert-manage command was successful
Restart the httpd service:
sudo systemctl restart httpd
Confirm that the ipa-certupdate command runs successfully:
$ sudo ipa-certupdate
Systemwide CA database updated.
Systemwide CA database updated.
The ipa-certupdate command was successful
Renewing the FreeIPA Let's Encrypt certificate
Whenever the SSL certificate is renewed, run the following commands to install the renewed certificate on the FreeIPA side. Note that with Method 1, certbot renew uses the standalone authenticator and therefore needs port 80 free, so httpd has to be stopped for the renewal (certbot's --pre-hook and --post-hook options can do this) before the commands below are run:
DOMAIN="idm.example.com" # Set correct IdM hostname
sudo ipa-server-certinstall -w -d /etc/letsencrypt/live/$DOMAIN/privkey.pem /etc/letsencrypt/live/$DOMAIN/cert.pem --pin=''
Enter the Directory Manager password when prompted:
Directory Manager password:
The ipa-server-certinstall command was successful
Then restart the FreeIPA services after installing the certificate:
sudo ipactl restart
You should now be using a Let's Encrypt SSL certificate on your FreeIPA server, and the browser's certificate warning when visiting the FreeIPA web dashboard should be gone.
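The renewal steps above are manual. The following script, added here as an example and not part of this page or of the freeipa-letsencrypt project, automates them as a certbot deploy hook: certbot runs every executable in /etc/letsencrypt/renewal-hooks/deploy/ after a successful renewal and exports RENEWED_LINEAGE, the /etc/letsencrypt/live/<domain> directory holding the new key and certificate. The Directory Manager password is read from a root-only file whose path, /etc/ipa/.dm_password, is an assumption of this example, and is handed to ipa-server-certinstall through its -p option. The DM_PASS_FILE, CERTINSTALL and IPACTL variables exist only so the script can be dry-run or tested with stand-in commands.

```shell
#!/bin/sh
# Added example: certbot deploy hook that installs a renewed Let's Encrypt
# certificate into FreeIPA. Not part of the page or of freeipa-letsencrypt.
# certbot runs deploy hooks only after a successful renewal and exports
# RENEWED_LINEAGE, e.g. /etc/letsencrypt/live/idm.example.com.
set -eu

# Assumed location of the Directory Manager password: a root-owned 0600 file.
DM_PASS_FILE="${DM_PASS_FILE:-/etc/ipa/.dm_password}"
# Commands are variables only so they can be replaced by stubs for a dry run.
CERTINSTALL="${CERTINSTALL:-ipa-server-certinstall}"
IPACTL="${IPACTL:-ipactl}"

# Refuse to run if the password file is missing or readable by anyone other
# than its owner, so a renewal cannot be turned into a DM password leak.
check_pass_file() {
    f="$1"
    [ -f "$f" ] || { echo "missing DM password file: $f" >&2; return 1; }
    mode=$(stat -c '%a' "$f")            # GNU stat (Linux)
    case "$mode" in
        400|600) return 0 ;;
        *) echo "refusing: $f has mode $mode, expected 400 or 600" >&2; return 1 ;;
    esac
}

# Install the key and certificate from a certbot lineage directory for the
# web UI (-w) and the Directory Server (-d), then restart the IPA services.
install_renewed_cert() {
    lineage="$1"
    check_pass_file "$DM_PASS_FILE"
    [ -r "$lineage/privkey.pem" ] && [ -r "$lineage/cert.pem" ] || {
        echo "no privkey.pem/cert.pem under $lineage" >&2; return 1; }
    # --pin='' because certbot's private key is unencrypted; -p supplies the
    # DM password non-interactively (it is visible in ps while the command runs).
    "$CERTINSTALL" -w -d "$lineage/privkey.pem" "$lineage/cert.pem" \
        --pin='' -p "$(cat "$DM_PASS_FILE")"
    "$IPACTL" restart
}

# Only act when invoked by certbot as a deploy hook.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    install_renewed_cert "$RENEWED_LINEAGE"
fi
```

Save it as /etc/letsencrypt/renewal-hooks/deploy/freeipa.sh and make it executable by root only (chmod 700). For the standalone authenticator used in Method 1, also add scripts under /etc/letsencrypt/renewal-hooks/pre/ and /etc/letsencrypt/renewal-hooks/post/ that run systemctl stop httpd and systemctl start httpd, so port 80 is free while certbot renew runs. Because ipa-server-certinstall takes the password as a command-line argument, it is briefly visible in the process list; keeping it in a 0600 root-owned file at least keeps it out of the script, the shell history and the certbot renewal configuration.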