Using ipa-server-certinstall, including automatic backup mechanism and removing local cert store

README.md

@@ -3,15 +3,15 @@ to FreeIPA web interface.
 
 To use it, do this:
 * BACKUP /var/lib/ipa/certs/ and /var/lib/ipa/private/ to some safe place (it contains private keys!)
-* clone/unpack all scripts including "ca" subdirectory somewhere
-* set EMAIL variable in renew-le.sh
+* clone/unpack all scripts somewhere (e.g. /opt/) where they are going to run and create directories and files
+* set DIRPASSWD and EMAIL variable in renew-le.sh
 * set FQDN in ipa-httpd.cnf
+* retrieve current ticket for admin (kinit admin)
 * run setup-le.sh script once to prepare the machine. The script will:
   * install Let's Encrypt client package
   * install Let's Encrypt CA certificates into FreeIPA certificate store
   * requests new certificate for FreeIPA web interface
-* run renew-le.sh script once a day: it will renew the cert as necessary
-
+* run renew-le.sh script as needed (e.g. daily, weekly)
 
 If you have any problem, feel free to contact FreeIPA team:
-http://www.freeipa.org/page/Contribute#Communication
+http://www.freeipa.org/page/Contribute#Communication

renew-le.sh

@@ -4,40 +4,67 @@ set -o nounset -o errexit
 WORKDIR=$(dirname "$(realpath $0)")
 EMAIL=""
 
+# This is needed for enabling the certificates
+# TODO : Store safely
+DIRPASSWD=""
+
 ### cron
 # check that the cert will last at least 2 days from now to prevent too frequent renewal
 # comment out this line for the first run
 if [ "${1:-renew}" != "--first-time" ]
 then
-	start_timestamp=`date +%s --date="$(openssl x509 -startdate -noout -in /var/lib/ipa/certs/httpd.crt | cut -d= -f2)"`
-	now_timestamp=`date +%s`
-	let diff=($now_timestamp-$start_timestamp)/86400
-	if [ "$diff" -lt "2" ]; then
-		exit 0
-	fi
+        echo "Checking when certificate was renewed"
+        start_timestamp=`date +%s --date="$(openssl x509 -startdate -noout -in /var/lib/ipa/certs/httpd.crt | cut -d= -f2)"`
+        now_timestamp=`date +%s`
+        diff=$(((now_timestamp-start_timestamp) / 86400))
+        if [ "$diff" -lt "2" ]; then
+                echo "No renewal needed"
+                exit 0
+        fi
 fi
+
 cd "$WORKDIR"
 # cert renewal is needed if we reached this line
+echo "Renewal needed"
 
 # cleanup
-rm -f "$WORKDIR"/*.pem
-rm -f "$WORKDIR"/httpd-csr.*
+needs_cleanup=false
+for f in "$WORKDIR/*.key"; do
+	echo $f
+    ## Check if the glob gets expanded to existing files.
+    ## If not, f here will be exactly the pattern above
+    ## and the exists test will evaluate to false.
+	if [ -e $f ]; then
+		needs_cleanup=true
+	fi
+
+    ## This is all we needed to know, so we can break after the first iteration
+    break
+done
+
+if [ "$needs_cleanup" = true ]; then
+	#backup
+	echo "BACKUP"
+	mkdir -p "$WORKDIR"/backup
+	rm -f "$WORKDIR"/backup/*
+	mv "$WORKDIR"/*.key "$WORKDIR"/backup/
+	mv "$WORKDIR"/*.pem "$WORKDIR"/backup/
+
+	#cleanup
+	rm -f "$WORKDIR"/*.csr
+	rm -f "$WORKDIR"/*.key
+	rm -f "$WORKDIR"/*.pem
+fi
 
 # generate CSR
-OPENSSL_PASSWD_FILE="/var/lib/ipa/passwds/$HOSTNAME-443-RSA"
-[ -f "$OPENSSL_PASSWD_FILE" ] && OPENSSL_EXTRA_ARGS="-passout file:$OPENSSL_PASSWD_FILE" || OPENSSL_EXTRA_ARGS=""
-openssl req -new -sha256 -config "$WORKDIR/ipa-httpd.cnf"  -key /var/lib/ipa/private/httpd.key -out "$WORKDIR/httpd-csr.der" $OPENSSL_EXTRA_ARGS
+openssl req -new -config "$WORKDIR/ipa-httpd.cnf" -keyout "$WORKDIR/req.key" -out "$WORKDIR/req.csr"
 
 # httpd process prevents letsencrypt from working, stop it
 service httpd stop
 
 # get a new cert
-letsencrypt certonly --standalone --csr "$WORKDIR/httpd-csr.der" --email "$EMAIL" --agree-tos
+letsencrypt certonly --standalone --csr "$WORKDIR/req.csr" --email "$EMAIL" --agree-tos --cert-path "$WORKDIR/cert.pem" --chain-path "$WORKDIR/chain.pem" --fullchain-path "$WORKDIR/fullchain.pem"
 
 # replace the cert
-cp /var/lib/ipa/certs/httpd.crt /var/lib/ipa/certs/httpd.crt.bkp
-mv -f "$WORKDIR/0000_cert.pem" /var/lib/ipa/certs/httpd.crt
-restorecon -v /var/lib/ipa/certs/httpd.crt
-
-# start httpd with the new cert
-service httpd start
+yes $DIRPASSWD "" | ipa-server-certinstall -w -d "$WORKDIR/req.key" "$WORKDIR/cert.pem"
+ipactl restart

setup-le.sh

@@ -28,4 +28,4 @@ done
 
 ipa-certupdate
 
-"$WORKDIR/renew-le.sh" --first-time
+"$WORKDIR/renew-le.sh" --first-time