IPA ACME Responder

From Dogtag

Current Issues

Installing IPA

To install IPA, refer to the official IPA documentation.

Add the following rules to /etc/httpd/conf.d/ipa-pki-proxy.conf so that httpd forwards ACME requests to the PKI server over AJP:

<LocationMatch "^/acme">
    SSLOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
    SSLVerifyClient optional
    ProxyPassMatch ajp://localhost:8009
    ProxyPassReverse ajp://localhost:8009
</LocationMatch>

<LocationMatch "^/openssl">
    SSLOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
    SSLVerifyClient optional
    ProxyPassMatch ajp://localhost:8009
    ProxyPassReverse ajp://localhost:8009
</LocationMatch>

Then restart the HTTP server:

$ systemctl restart httpd

Installing ACME Responder

To install the ACME responder in IPA:

$ pki-server acme-create
$ pki-server acme-deploy

Requesting a Certificate

To request a certificate from the ACME responder:

$ certbot certonly --manual \
    -d server.example.com \
    --server http://$HOSTNAME/acme/directory \
    --register-unsafely-without-email

The certificate will be stored at /etc/letsencrypt/live/server.example.com/cert.pem.

To inspect the certificate:

$ openssl x509 -text -noout -in /etc/letsencrypt/live/server.example.com/cert.pem
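Before pointing certbot's --server option at a responder, it is worth checking what the directory URL actually serves. The following is an added example (not part of this page or of the Dogtag project) that validates an ACME directory response: the scheme of the URL, the resources RFC 8555 requires, and that every advertised endpoint stays on the host that was contacted. The hostname ipa.example.com and the directory contents are constructed for the example.

```python
import json
from urllib.parse import urlparse

# Resources every ACME directory must advertise (RFC 8555, section 7.1.1).
REQUIRED_RESOURCES = ("newNonce", "newAccount", "newOrder", "revokeCert", "keyChange")

def check_acme_directory(directory_url, body):
    """Return problems found in a directory response; directory_url is certbot's --server value, body the JSON text."""
    problems = []
    origin = urlparse(directory_url)
    # ACME is specified over HTTPS (RFC 8555, section 6.1). A plain-http directory
    # lets anyone on the network path rewrite the endpoints the client will trust.
    if origin.scheme != "https":
        problems.append(f"directory URL scheme is {origin.scheme!r}, expected 'https'")
    try:
        directory = json.loads(body)
    except json.JSONDecodeError as exc:
        return problems + [f"directory body is not valid JSON: {exc}"]
    if not isinstance(directory, dict):
        return problems + ["directory body is not a JSON object"]
    for name in REQUIRED_RESOURCES:
        if name not in directory:
            problems.append(f"missing required resource {name!r}")
    # Strict policy for a single-host responder like the one installed above:
    # every endpoint must be https and on the host we contacted.
    for name, value in directory.items():
        if name == "meta":  # meta carries termsOfService etc., not an endpoint
            continue
        endpoint = urlparse(str(value))
        if endpoint.scheme != "https":
            problems.append(f"{name} endpoint {value!r} is not https")
        if endpoint.hostname != origin.hostname:
            problems.append(f"{name} endpoint {value!r} is on a different host")
    return problems

# Constructed sample response (not captured from a real server).
SAMPLE_DIRECTORY = json.dumps({
    "newNonce": "https://ipa.example.com/acme/new-nonce",
    "newAccount": "https://ipa.example.com/acme/new-account",
    "newOrder": "https://ipa.example.com/acme/new-order",
    "revokeCert": "https://ipa.example.com/acme/revoke-cert",
    "keyChange": "https://ipa.example.com/acme/key-change",
    "meta": {"termsOfService": "https://ipa.example.com/acme/tos"},
})

if __name__ == "__main__":
    for url in ("https://ipa.example.com/acme/directory", "http://ipa.example.com/acme/directory"):
        print(url, "->", check_acme_directory(url, SAMPLE_DIRECTORY) or "OK")
```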

See Also