Skip to content
Open
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
9 changes: 7 additions & 2 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -3,13 +3,18 @@ to FreeIPA web interface.

To use it, do this:
* BACKUP /etc/httpd/alias to some safe place (it contains private keys!)
* clone/unpack all scripts including "ca" subdirectory somewhere
* set WORKDIR and EMAIL variables in scripts setup-le.sh and renew-le.sh
* clone/unpack all scripts including "ca" subdirectory somewhere (/root/ipa-le is the default)
* set WORKDIR variable to the directory you cloned the repository to in scripts setup-le.sh and renew-le.sh
* set EMAIL variable in script renew-le.sh
* run "yum install dnf" (a stock FreeIPA machine doesn't have dnf installed)

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fedora has dnf by default. Perhaps this could be changed to "make sure you have dnf installed"?

* run "kinit your-admin-username" to get a Kerberos ticket (necessary to install the new certificates)
* run setup-le.sh script once to prepare the machine. The script will:
* install Let's Encrypt client package
* install Let's Encrypt CA certificates into FreeIPA certificate store
* requests new certificate for FreeIPA web interface
* run renew-le.sh script once a day: it will renew the cert as necessary
* run "crontab -e" as root
* add the line "* * * * * /root/ipa-le/renew-le.sh"

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This runs the script every minute, which is probably overkill and isn't in line with "run it once a day" mentioned previously.



If you have any problem, feel free to contact FreeIPA team:
Expand Down