ACME Responder
Endi S. Dewata edited this page Jul 22, 2022 · 1 revision
To install IPA, refer to the official IPA documentation.
Add the following rules into /etc/httpd/conf.d/ipa-pki-proxy.conf:

<LocationMatch "^/acme">
    SSLOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
    SSLVerifyClient optional
    ProxyPassMatch ajp://localhost:8009
    ProxyPassReverse ajp://localhost:8009
</LocationMatch>

<LocationMatch "^/openssl">
    SSLOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
    SSLVerifyClient optional
    ProxyPassMatch ajp://localhost:8009
    ProxyPassReverse ajp://localhost:8009
</LocationMatch>
Then restart the HTTP server:
$ systemctl restart httpd
To install the ACME responder in IPA:
$ pki-server acme-create
$ pki-server acme-deploy
To request a certificate from the ACME responder:
$ certbot certonly --manual \
    -d server.example.com \
    --server http://$HOSTNAME/acme/directory \
    --register-unsafely-without-email
The certificate will be stored at /etc/letsencrypt/live/server.example.com/cert.pem.
To inspect the certificate:
$ openssl x509 -text -noout -in /etc/letsencrypt/live/server.example.com/cert.pem
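
If the ACME request fails at the proxy, the rules added to ipa-pki-proxy.conf earlier in this procedure are the first thing to check. The following is an added example, not part of the original wiki page or of the IPA/PKI code: a shell check that both LocationMatch blocks carry the client-certificate and AJP proxy directives shown above. The function name check_acme_proxy_conf and the embedded sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the wiki page): verify the /acme and /openssl proxy
# rules are complete. check_acme_proxy_conf is a hypothetical helper name.
# Usage: check_acme_proxy_conf [FILE]   (reads stdin when FILE is omitted)
# Prints one line per missing item; returns 0 only if nothing is missing.
check_acme_proxy_conf() {
    awk '
        BEGIN {
            pats[1] = "^/acme"; pats[2] = "^/openssl"
            dirs[1] = "SSLVerifyClient optional"
            dirs[2] = "ProxyPassMatch ajp://localhost:8009"
            dirs[3] = "ProxyPassReverse ajp://localhost:8009"
        }
        /^[ \t]*#/ { next }                      # ignore comment lines
        /^[ \t]*<LocationMatch[ \t]/ {           # block start: keep quoted regex
            cur = $0
            sub(/^[^"]*"/, "", cur); sub(/".*$/, "", cur)
            seen[cur] = 1
            next
        }
        /^[ \t]*<\/LocationMatch>/ { cur = ""; next }
        cur != "" {                              # directive inside a block
            line = $0
            gsub(/^[ \t]+|[ \t]+$/, "", line)    # trim
            gsub(/[ \t]+/, " ", line)            # collapse inner whitespace
            have[cur, line] = 1
        }
        END {
            bad = 0
            for (i = 1; i <= 2; i++) {
                p = pats[i]
                if (!(p in seen)) { print "missing block: " p; bad++; continue }
                for (j = 1; j <= 3; j++)
                    if (!((p, dirs[j]) in have)) { print p ": missing " dirs[j]; bad++ }
            }
            exit (bad > 0)
        }
    ' "${1:--}"
}

# Constructed sample: ^/acme lacks ProxyPassReverse and ^/openssl is absent.
check_acme_proxy_conf <<'EOF' || echo "proxy rules incomplete"
<LocationMatch "^/acme">
    SSLVerifyClient optional
    ProxyPassMatch ajp://localhost:8009
</LocationMatch>
EOF
```

On the IPA server, run it as `check_acme_proxy_conf /etc/httpd/conf.d/ipa-pki-proxy.conf` before restarting httpd.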