Secure FreeIPA Server With Let’s Encrypt SSL Certificate


FreeIPA is a powerful open source solution created to provide a centralized way of managing authentication, identity stores, policies, and authorization in a Linux-based domain. We have a number of articles covering the installation of FreeIPA Server on various Linux distributions. In this guide we discuss how you can secure the web interface of a FreeIPA server using free Let’s Encrypt SSL certificates.

As a prerequisite you’ll need a working installation of FreeIPA Server on your system. You can refer to our guides in the links below:

Once FreeIPA Server is installed, confirm it is working by obtaining a Kerberos ticket as the admin user:

$ sudo kinit admin
Password for [email protected]:

$ sudo klist
Ticket cache: KCM:0
Default principal: [email protected]

Valid starting       Expires              Service principal
08/02/2021 17:42:38  08/03/2021 17:42:31  krbtgt/[email protected]

Install EPEL repository and Certbot

On RHEL based systems the Certbot packages are available in EPEL repository. Certbot is meant to be used to obtain Let’s Encrypt certificates and, afterward, to continue renewing the site’s HTTPS certificates.

Install epel-release using the following command:

$ sudo yum install epel-release
Dependencies resolved.
======================================================================================================================================================================================================
 Package                                            Architecture                                 Version                                           Repository                                    Size
======================================================================================================================================================================================================
Installing:
 epel-release                                       noarch                                       8-13.el8                                          extras                                        23 k

Transaction Summary
======================================================================================================================================================================================================
Install  1 Package

Total download size: 23 k
Installed size: 35 k
Is this ok [y/N]: y

Install certbot thereafter with the next command:

$ sudo yum install certbot python3-certbot-apache
Dependencies resolved.
======================================================================================================================================================================================================
 Package                                             Architecture                     Version                                                               Repository                           Size
======================================================================================================================================================================================================
Installing:
 certbot                                             noarch                           1.22.0-1.el8                                                          epel                                 54 k
 python3-certbot-apache                              noarch                           1.22.0-1.el8                                                          epel                                145 k
Installing dependencies:
 apr                                                 x86_64                           1.6.3-12.el8                                                          appstream                           128 k
 apr-util                                            x86_64                           1.6.1-6.el8.1                                                         appstream                           104 k
 augeas-libs                                         x86_64                           1.12.0-7.el8                                                          baseos                              436 k
 httpd                                               x86_64                           2.4.37-47.module+el8.6.0+985+b8ff6398.2                               appstream                           1.4 M
 httpd-filesystem                                    noarch                           2.4.37-47.module+el8.6.0+985+b8ff6398.2                               appstream                            40 k
 httpd-tools                                         x86_64                           2.4.37-47.module+el8.6.0+985+b8ff6398.2                               appstream                           107 k
 mod_http2                                           x86_64                           1.15.7-5.module+el8.6.0+823+f143cee1                                  appstream                           153 k
 mod_ssl                                             x86_64                           1:2.4.37-47.module+el8.6.0+985+b8ff6398.2                             appstream                           137 k
 python3-acme                                        noarch                           1.22.0-1.el8                                                          epel                                 96 k
 python3-augeas                                      noarch                           0.5.0-12.el8                                                          appstream                            30 k
 python3-certbot                                     noarch                           1.22.0-1.el8                                                          epel                                426 k
 python3-cffi                                        x86_64                           1.11.5-5.el8                                                          baseos                              237 k
 python3-configargparse                              noarch                           0.14.0-6.el8                                                          epel                                 36 k
 python3-configobj                                   noarch                           5.0.6-11.el8                                                          baseos                               67 k
 python3-cryptography                                x86_64                           3.2.1-5.el8                                                           baseos                              558 k
 python3-distro                                      noarch                           1.4.0-2.module+el8.3.0+120+426d8baf                                   appstream                            36 k
 python3-josepy                                      noarch                           1.9.0-1.el8                                                           epel                                103 k
 python3-parsedatetime                               noarch                           2.5-1.el8                                                             epel                                 79 k
 python3-pip                                         noarch                           9.0.3-22.el8.rocky.0                                                  appstream                            19 k
 python3-pyOpenSSL                                   noarch                           19.0.0-1.el8                                                          appstream                           102 k
 python3-pycparser                                   noarch                           2.14-14.el8                                                           baseos                              108 k
 python3-pyrfc3339                                   noarch                           1.1-1.el8                                                             epel                                 19 k
 python3-pytz                                        noarch                           2017.2-9.el8                                                          appstream                            53 k
 python3-requests-toolbelt                           noarch                           0.9.1-4.el8                                                           epel                                 91 k
 python3-setuptools                                  noarch                           39.2.0-6.el8                                                          baseos                              162 k
 python3-zope-component                              noarch                           4.3.0-8.el8                                                           epel                                313 k
 python3-zope-event                                  noarch                           4.2.0-12.el8                                                          epel                                210 k
 python3-zope-interface                              x86_64                           4.6.0-1.el8                                                           epel                                158 k
 python36                                            x86_64                           3.6.8-38.module+el8.5.0+671+195e4563                                  appstream                            18 k
 rocky-logos-httpd                                   noarch                           86.2-1.el8                                                            baseos                               24 k
 sscg                                                x86_64                           2.3.3-14.el8                                                          appstream                            48 k
Installing weak dependencies:
 apr-util-bdb                                        x86_64                           1.6.1-6.el8.1                                                         appstream                            23 k
 apr-util-openssl                                    x86_64                           1.6.1-6.el8.1                                                         appstream                            26 k
 python-josepy-doc                                   noarch                           1.9.0-1.el8                                                           epel                                 23 k
Enabling module streams:
 httpd                                                                                2.4
 python36                                                                             3.6

Transaction Summary
======================================================================================================================================================================================================
Install  36 Packages

Total download size: 5.7 M
Installed size: 20 M
Is this ok [y/N]: y

Confirm that the certbot installation was successful:

$ certbot --version
certbot 1.22.0

Secure FreeIPA Server With Let’s Encrypt SSL Certificate

We will request Let’s Encrypt SSL certificates rather than keep using the server’s self-signed certs.

Back up the current FreeIPA server private keys and certificates before you proceed:

sudo cp -r /var/lib/ipa/certs{,.bak}
sudo cp -r /var/lib/ipa/private{,.bak}

Install git (needed for Method 2) and a file editor, vim or nano:

sudo yum -y install git vim nano

Method 1: Secure FreeIPA Server With Let’s Encrypt using the manual method

Follow the steps below.

Download and install Let’s Encrypt CA certificates

Create certs directory:

sudo su -
mkdir freeipa-certs
cd freeipa-certs

Download the Let’s Encrypt CA certificates:

CERTS=("isrgrootx1.pem" "isrg-root-x2.pem" "lets-encrypt-r3.pem" "lets-encrypt-e1.pem" "lets-encrypt-r4.pem" "lets-encrypt-e2.pem")
for CERT in "${CERTS[@]}"
do
  # -f makes curl fail on an HTTP error instead of saving an error page as a .pem file
  curl -fsSL -o "$CERT" "https://letsencrypt.org/certs/$CERT"
done

Install Let’s Encrypt CA certificates into FreeIPA certificate store:

CERTS=("isrgrootx1.pem" "isrg-root-x2.pem" "lets-encrypt-r3.pem" "lets-encrypt-e1.pem" "lets-encrypt-r4.pem" "lets-encrypt-e2.pem")
for CERT in "${CERTS[@]}"
do
  ipa-cacert-manage install "$CERT"
done

Expected command output:

Installing CA certificate, please wait
Verified CN=ISRG Root X1,O=Internet Security Research Group,C=US
CA certificate successfully installed
The ipa-cacert-manage command was successful
Installing CA certificate, please wait
Verified CN=ISRG Root X2,O=Internet Security Research Group,C=US
CA certificate successfully installed
The ipa-cacert-manage command was successful
Installing CA certificate, please wait
Verified CN=R3,O=Let's Encrypt,C=US
CA certificate successfully installed
The ipa-cacert-manage command was successful
Installing CA certificate, please wait
Verified CN=E1,O=Let's Encrypt,C=US
CA certificate successfully installed
The ipa-cacert-manage command was successful
Installing CA certificate, please wait
Verified CN=R4,O=Let's Encrypt,C=US
CA certificate successfully installed
The ipa-cacert-manage command was successful
Installing CA certificate, please wait
Verified CN=E2,O=Let's Encrypt,C=US
CA certificate successfully installed
The ipa-cacert-manage command was successful

Update the local IPA certificate databases with the certificates from the server:

$ sudo ipa-certupdate
Systemwide CA database updated.
Systemwide CA database updated.
The ipa-certupdate command was successful

Obtain Let’s Encrypt Certificates

Stop the httpd service to free port 80, which the standalone HTTP-01 challenge needs:

sudo systemctl stop httpd

Then run Certbot to obtain Let’s Encrypt certificates:

EMAIL="your-email-address"
DOMAIN="idm.example.com"
sudo certbot certonly --standalone --preferred-challenges http --agree-tos -n -d $DOMAIN -m $EMAIL

Ensure the certificate request succeeded:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Requesting a certificate for idm.example.com
Performing the following challenges:
http-01 challenge for idm.example.com
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/idm.example.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/idm.example.com/privkey.pem
   Your certificate will expire on 2021-10-27. To obtain a new or
   tweaked version of this certificate in the future, simply run
   certbot again. To non-interactively renew *all* of your
   certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Your certs should be stored in the /etc/letsencrypt/live/idm.example.com directory:

$ ls /etc/letsencrypt/live/idm.example.com
cert.pem  chain.pem  fullchain.pem  privkey.pem  README

Start the httpd server after confirming the required certs were generated:

sudo systemctl restart httpd

Install the Let’s Encrypt SSL certificate for use in the FreeIPA Web UI:

DOMAIN="idm.example.com" # Set correct IdM hostname
sudo ipa-server-certinstall -w -d /etc/letsencrypt/live/$DOMAIN/privkey.pem /etc/letsencrypt/live/$DOMAIN/cert.pem --pin=''

Command execution output:

Directory Manager password:

Please restart ipa services after installing certificate (ipactl restart)
The ipa-server-certinstall command was successful

Restart FreeIPA services

$ sudo ipactl restart
Restarting Directory Service
Restarting krb5kdc Service
Restarting kadmin Service
Restarting httpd Service
Restarting ipa-custodia Service
Restarting pki-tomcatd Service
Restarting ipa-otpd Service
ipa: INFO: The ipactl command was successful

You can confirm which SSL certificate is currently served from the terminal or from a web browser.

Using OpenSSL:

$ openssl s_client -showcerts -verify 5 -connect $(hostname -f):443
verify depth is 5
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = idm.example.com
verify return:1
---
Certificate chain
 0 s:CN = idm.example.com
   i:C = US, O = Let's Encrypt, CN = R3
-----BEGIN CERTIFICATE-----

From the web console: (screenshot omitted)

Method 2: Secure FreeIPA Server With Let’s Encrypt using a bash script

If you prefer an automated installation of Let’s Encrypt certificates, clone the FreeIPA Let’s Encrypt management script from GitHub:

$ git clone https://github.com/freeipa/freeipa-letsencrypt.git
Cloning into 'freeipa-letsencrypt'...
remote: Enumerating objects: 71, done.
remote: Counting objects: 100% (23/23), done.
remote: Compressing objects: 100% (19/19), done.
remote: Total 71 (delta 6), reused 13 (delta 4), pack-reused 48
Unpacking objects: 100% (71/71), 18.71 KiB | 299.00 KiB/s, done.

Switch to the directory created:

cd freeipa-letsencrypt

Edit the renew-le.sh script and set the EMAIL variable:

$ vim renew-le.sh
EMAIL="input-your-email-address"

Inside the setup-le.sh script the FreeIPA server FQDN is taken from the server’s hostname:

FQDN=$(hostname -f)

Ensure the command below returns the fully qualified hostname:

$ hostname -f
idm.example.com

Run the setup-le.sh script to prepare the machine:

sudo bash setup-le.sh

The script performs the following actions:

  • Install Let’s Encrypt CA certificates into FreeIPA certificate store
  • Request new certificate for FreeIPA web interface

Example of command execution output:

...
Installing CA certificate, please wait
Verified CN=R4,O=Let's Encrypt,C=US
CA certificate successfully installed
The ipa-cacert-manage command was successful
--2021-07-29 14:46:06--  https://letsencrypt.org/certs/lets-encrypt-e2.pem
Resolving letsencrypt.org (letsencrypt.org)... 34.194.149.67, 68.183.23.220, 2a05:d014:275:cb01:8909:43f0:2069:7b77, ...
Connecting to letsencrypt.org (letsencrypt.org)|34.194.149.67|:443... connected.
GnuTLS: Resource temporarily unavailable, try again.
GnuTLS: Resource temporarily unavailable, try again.
GnuTLS: Resource temporarily unavailable, try again.
HTTP request sent, awaiting response... 200 OK
Length: 1021 [application/x-pem-file]
Saving to: ‘/etc/ssl/idm.example.com/lets-encrypt-e2.pem’

/etc/ssl/idm.example.com/lets- 100%[================================================================================>]    1021  --.-KB/s    in 0s

2021-07-29 14:46:06 (13.3 MB/s) - ‘/etc/ssl/idm.example.com/lets-encrypt-e2.pem’ saved [1021/1021]

Installing CA certificate, please wait
Verified CN=E2,O=Let's Encrypt,C=US
CA certificate successfully installed
The ipa-cacert-manage command was successful

Restart httpd service:

sudo systemctl restart httpd

Confirm that the ipa-certupdate command runs successfully:

$ sudo ipa-certupdate
Systemwide CA database updated.
Systemwide CA database updated.
The ipa-certupdate command was successful

Modifying the Apache web server configuration file to set the SSL cert and key (not recommended)

If you are only interested in using Let’s Encrypt SSL for the browser pages, you can manually modify the ssl.conf file and set the following directives:

$ sudo vim /etc/httpd/conf.d/ssl.conf
SSLCertificateFile /etc/letsencrypt/live/idm.example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/idm.example.com/privkey.pem

Restart httpd service:

sudo systemctl restart httpd

Check that the status is running:

$ systemctl status httpd
● httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled)
  Drop-In: /etc/systemd/system/httpd.service.d
           └─ipa.conf
   Active: active (running) since Thu 2021-07-29 23:00:51 EAT; 17s ago
     Docs: man:httpd.service(8)
  Process: 39925 ExecStartPre=/usr/libexec/ipa/ipa-httpd-kdcproxy (code=exited, status=0/SUCCESS)
 Main PID: 39928 (httpd)
   Status: "Running, listening on: port 443, port 80"
    Tasks: 265 (limit: 101105)
   Memory: 332.4M
   CGroup: /system.slice/httpd.service
           ├─39928 /usr/sbin/httpd -DFOREGROUND
           ├─39929 /usr/sbin/httpd -DFOREGROUND
           ├─39930 (wsgi:kdcproxy) -DFOREGROUND
           ├─39931 (wsgi:kdcproxy) -DFOREGROUND
           ├─39932 (wsgi:ipa)      -DFOREGROUND
           ├─39933 (wsgi:ipa)      -DFOREGROUND
           ├─39934 (wsgi:ipa)      -DFOREGROUND
           ├─39935 (wsgi:ipa)      -DFOREGROUND
           ├─39936 /usr/sbin/httpd -DFOREGROUND
           ├─39937 /usr/sbin/httpd -DFOREGROUND
           └─39938 /usr/sbin/httpd -DFOREGROUND

Jul 29 23:00:51 idm.example.com systemd[1]: Starting The Apache HTTP Server...
Jul 29 23:00:51 idm.example.com ipa-httpd-kdcproxy[39925]: ipa: INFO: KDC proxy enabled
Jul 29 23:00:51 idm.example.com ipa-httpd-kdcproxy[39925]: ipa-httpd-kdcproxy: INFO     KDC proxy enabled
Jul 29 23:00:51 idm.example.com systemd[1]: Started The Apache HTTP Server.
Jul 29 23:00:52 idm.example.com httpd[39928]: Server configured, listening on: port 443, port 80

Renewal of FreeIPA Let’s Encrypt Certificate

Whenever the SSL certificates are renewed, run the commands below to update them on the FreeIPA side:

DOMAIN="idm.example.com" # Set correct IdM hostname
sudo ipa-server-certinstall -w -d /etc/letsencrypt/live/$DOMAIN/privkey.pem /etc/letsencrypt/live/$DOMAIN/cert.pem --pin=''

Enter Directory Manager password as required:

Directory Manager password:
The ipa-server-certinstall command was successful

Then proceed to restart FreeIPA services after installing certificate:

sudo ipactl restart
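The renewal steps above have to be repeated by hand after every certbot renewal. As an added example (not code from this guide or from the freeipa-letsencrypt project), the following certbot deploy hook performs the same two commands automatically, refuses to run on an incomplete lineage, and afterwards checks that httpd really serves the renewed certificate. The hook path /etc/letsencrypt/renewal-hooks/deploy/freeipa.sh, the password file /root/.ipa-dm-password and the use of ipa-server-certinstall’s -p option to pass the Directory Manager password are assumptions; the RENEWED_LINEAGE and RENEWED_DOMAINS variables are the ones certbot exports to deploy hooks.

```shell
#!/bin/sh
# Added example, not from the article or the freeipa-letsencrypt project:
# certbot deploy hook that repeats the guide's renewal steps
# (ipa-server-certinstall, then ipactl restart) without a human present.
# Assumed install path: /etc/letsencrypt/renewal-hooks/deploy/freeipa.sh
# Certbot exports RENEWED_LINEAGE and RENEWED_DOMAINS to deploy hooks.
set -eu

# Assumed: Directory Manager password kept in a root-only (mode 0600) file.
DM_PASS_FILE="${DM_PASS_FILE:-/root/.ipa-dm-password}"

# Succeed only if the file holds a PEM certificate block, so an HTML error
# page saved by a failed download is never handed to ipa-server-certinstall.
pem_is_certificate() {
  [ -s "$1" ] || return 1
  grep -q -- '-----BEGIN CERTIFICATE-----' "$1" &&
    grep -q -- '-----END CERTIFICATE-----' "$1"
}

# Succeed if the lineage directory holds a non-empty key and a PEM cert.
lineage_ready() {
  [ -s "$1/privkey.pem" ] && pem_is_certificate "$1/cert.pem"
}

# Succeed if the host FQDN ($1) is one of the space-separated names in $2.
lineage_covers_host() {
  for name in $2; do
    [ "$name" = "$1" ] && return 0
  done
  return 1
}

# Compare the SHA-256 fingerprint served on :443 with the certificate on disk.
served_matches_installed() {
  want=$(openssl x509 -in "$1/cert.pem" -noout -fingerprint -sha256)
  got=$(openssl s_client -connect "$2:443" -servername "$2" </dev/null 2>/dev/null |
    openssl x509 -noout -fingerprint -sha256)
  [ "$want" = "$got" ]
}

main() {
  fqdn=$(hostname -f)
  # Other lineages on this host are not the IdM web certificate; do nothing.
  lineage_covers_host "$fqdn" "$RENEWED_DOMAINS" || exit 0
  lineage_ready "$RENEWED_LINEAGE" || { echo "incomplete lineage" >&2; exit 1; }
  # Same command as the manual renewal step; -p (assumed) supplies the
  # Directory Manager password so the hook runs non-interactively. The
  # password is visible in the process list while the command runs.
  ipa-server-certinstall -w -d "$RENEWED_LINEAGE/privkey.pem" \
    "$RENEWED_LINEAGE/cert.pem" --pin='' -p "$(cat "$DM_PASS_FILE")"
  ipactl restart
  served_matches_installed "$RENEWED_LINEAGE" "$fqdn" ||
    { echo "httpd is not serving the renewed certificate" >&2; exit 1; }
}

# Only act when certbot invokes the hook; sourcing the file does nothing.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
  main
fi
```

Certbot runs every executable in renewal-hooks/deploy once per successfully renewed lineage, so `certbot renew` alone keeps FreeIPA in sync.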

You should then have a working Let’s Encrypt SSL setup on your FreeIPA Server. The SSL warnings in your browser when accessing the FreeIPA web dashboard should vanish. We would love to do more content on FreeIPA Server administration and integration with third party services. Stay connected for updates!

A systems engineer with excellent skills in systems administration, cloud computing, systems deployment, virtualization, containers, and a certified ethical hacker.