FreeIPA - Identity Management - Revision history

Admin at 19:25, 25 October 2025

2025-10-25T19:25:49Z

← Older revision		Revision as of 19:25, 25 October 2025
Line 133:		Line 133:

	Then just run <code>sudo ipactl restart</code> to restart the FreeIPA services.		Then just run <code>sudo ipactl restart</code> to restart the FreeIPA services.


			== Additional ==

			Check currently installed certs on Fedora with:

			trust list --filter=ca-anchors

			See only Let's Encrypt and ISGR certs:

			trust list --filter=ca-anchors \| grep -E 'Let.s Encrypt\|Internet Security Research' -i -A 2 -B 3

Admin at 19:19, 25 October 2025

2025-10-25T19:19:21Z

← Older revision		Revision as of 19:19, 25 October 2025
Line 100:		Line 100:
	wget -O /etc/pki/ca-trust/source/anchors/r13.crt https://letsencrypt.org/certs/2024/r13.pem		wget -O /etc/pki/ca-trust/source/anchors/r13.crt https://letsencrypt.org/certs/2024/r13.pem

	# Update as os level		# Update at os level
	update-ca-trust		update-ca-trust

Admin at 19:17, 25 October 2025

2025-10-25T19:17:21Z

← Older revision		Revision as of 19:17, 25 October 2025
Line 81:		Line 81:

	set -x		set -x
	if ! [[ -d /~~usr~~/~~local/share~~/ca-~~certificates~~/~~extra~~ ]]; then		if ! [[ -d /etc/pki/ca-trust/source/anchors ]]; then
	mkdir -p /~~usr/local~~/~~share~~/ca-~~certificates~~/~~extra~~		mkdir -p /etc/pki/ca-trust/source/anchors
	fi		fi

Admin at 19:16, 25 October 2025

2025-10-25T19:16:24Z

← Older revision		Revision as of 19:16, 25 October 2025
Line 85:		Line 85:
	fi		fi

	wget -O /~~usr~~/~~local/share~~/ca-~~certificates~~/~~extra~~/isrgrootx1.crt https://letsencrypt.org/certs/isrgrootx1.pem		wget -O /etc/pki/ca-trust/source/anchors/isrgrootx1.crt https://letsencrypt.org/certs/isrgrootx1.pem
	wget -O /~~usr~~/~~local/share~~/ca-~~certificates~~/~~extra~~/isrg-root-x2.crt https://letsencrypt.org/certs/isrg-root-x2.pem		wget -O /etc/pki/ca-trust/source/anchors/isrg-root-x2.crt https://letsencrypt.org/certs/isrg-root-x2.pem
	wget -O /~~usr/local~~/~~share~~/ca-~~certificates~~/~~extra~~/lets-encrypt-r3.crt https://letsencrypt.org/certs/lets-encrypt-r3.pem		wget -O /etc/pki/ca-trust/source/anchors/lets-encrypt-r3.crt https://letsencrypt.org/certs/lets-encrypt-r3.pem
	wget -O /~~usr~~/~~local/share~~/ca-~~certificates~~/~~extra~~/lets-encrypt-e1.crt https://letsencrypt.org/certs/lets-encrypt-e1.pem		wget -O /etc/pki/ca-trust/source/anchors/lets-encrypt-e1.crt https://letsencrypt.org/certs/lets-encrypt-e1.pem
	wget -O /~~usr~~/~~local/share~~/ca-~~certificates~~/~~extra~~/lets-encrypt-r4.crt https://letsencrypt.org/certs/lets-encrypt-r4.pem		wget -O /etc/pki/ca-trust/source/anchors/lets-encrypt-r4.crt https://letsencrypt.org/certs/lets-encrypt-r4.pem
	wget -O /~~usr~~/~~local/share~~/ca-~~certificates~~/~~extra~~/lets-encrypt-e2.crt https://letsencrypt.org/certs/lets-encrypt-e2.pem		wget -O /etc/pki/ca-trust/source/anchors/lets-encrypt-e2.crt https://letsencrypt.org/certs/lets-encrypt-e2.pem
	wget -O /~~usr~~/~~local/share~~/ca-~~certificates~~/~~extra~~/e5.crt https://letsencrypt.org/certs/2024/e5.pem		wget -O /etc/pki/ca-trust/source/anchors/e5.crt https://letsencrypt.org/certs/2024/e5.pem
	wget -O /~~usr~~/~~local/share~~/ca-~~certificates~~/~~extra~~/e6.crt https://letsencrypt.org/certs/2024/e6.pem		wget -O /etc/pki/ca-trust/source/anchors/e6.crt https://letsencrypt.org/certs/2024/e6.pem
	wget -O /~~usr~~/~~local~~/~~share~~/ca-~~certificates~~/~~extra~~/r10.crt https://letsencrypt.org/certs/2024/r10.pem		wget -O /etc/pki/ca-trust/source/anchors/e7.crt https://letsencrypt.org/certs/2024/e7.pem
	wget -O /~~usr/local~~/~~share~~/ca-~~certificates~~/~~extra~~/r11.crt https://letsencrypt.org/certs/2024/r11.pem		wget -O /etc/pki/ca-trust/source/anchors/e8.crt https://letsencrypt.org/certs/2024/e8.pem
			wget -O /etc/pki/ca-trust/source/anchors/r10.crt https://letsencrypt.org/certs/2024/r10.pem
			wget -O /etc/pki/ca-trust/source/anchors/r11.crt https://letsencrypt.org/certs/2024/r11.pem
			wget -O /etc/pki/ca-trust/source/anchors/r12.crt https://letsencrypt.org/certs/2024/r12.pem
			wget -O /etc/pki/ca-trust/source/anchors/r13.crt https://letsencrypt.org/certs/2024/r13.pem

			# Update as os level
			update-ca-trust

			# Update certs for ipa
			ipa-certupdate

			# List em cause why not
			ipa-cacert-manage list

	~~update-ca-certificates~~
	</syntaxhighlight>		</syntaxhighlight>

Admin at 22:09, 28 November 2024

2024-11-28T22:09:36Z

← Older revision		Revision as of 22:09, 28 November 2024
Line 105:		Line 105:
	=== Renewing an expired cert ===		=== Renewing an expired cert ===

	If the cert for the FreeIPA server expires you can still use the <code>ipa-server-certinstall</code> tool to renew it, like you normally would. However, there's a catch. You have prepend your command with the <code>faketime</code> util and set the date to a time before when the current certificate expired.		If the cert for the FreeIPA server expires you can still use the <code>ipa-server-certinstall</code> tool to renew it, like you normally would. However, there's a catch. You have to prepend your command with the <code>faketime</code> util and set the date to a time before when the current certificate expired.

	EXPIRED!		EXPIRED!

Admin at 21:38, 28 November 2024

2024-11-28T21:38:28Z

← Older revision		Revision as of 21:38, 28 November 2024
Line 73:		Line 73:
	Made / borrowed this script do get them all.		Made / borrowed this script do get them all.

	<~~pre~~>		<syntaxhighlight lang="bash" line>
	#!/bin/bash		#!/bin/bash
	# Fetches LE CA certs for FreeIPA & runs update-ca-certificates.		# Fetches LE CA certs for FreeIPA & runs update-ca-certificates.
Line 97:		Line 97:

	update-ca-certificates		update-ca-certificates
	</~~pre~~>		</syntaxhighlight>

	[https://github.com/freeipa/freeipa-letsencrypt/issues/25 Original Source]		[https://github.com/freeipa/freeipa-letsencrypt/issues/25 Original Source]

Admin: Created page with "== Overview == https://raw.githubusercontent.com/freeipa/freeipa.github.io/main/src/_static/freeipa-logo-small.png FreeIPA is an identity management & single sign on solution for Linux / Unix Networks. Its somewhat comparable to active directory in the Windows world. == How it Works == Under the hood FreeIPA is really just wraps up a Kerberos KDC/KTG Server with an LDAP backend and a nice pretty web interface. Access to hosts on the network are controlled via Host B..."

2024-11-28T20:59:38Z

Created page with "== Overview == https://raw.githubusercontent.com/freeipa/freeipa.github.io/main/src/_static/freeipa-logo-small.png FreeIPA is an identity management & single sign on solution for Linux / Unix Networks. Its somewhat comparable to active directory in the Windows world. == How it Works == Under the hood FreeIPA is really just wraps up a Kerberos KDC/KTG Server with an LDAP backend and a nice pretty web interface. Access to hosts on the network are controlled via Host B..."

New page

== Overview ==

https://raw.githubusercontent.com/freeipa/freeipa.github.io/main/src/_static/freeipa-logo-small.png

FreeIPA is an identity management & single sign on solution for Linux / Unix Networks. Its somewhat comparable to active directory in the Windows world.

== How it Works ==

Under the hood FreeIPA is really just wraps up a Kerberos KDC/KTG Server with an LDAP backend and a nice pretty web interface.

Access to hosts on the network are controlled via Host Based Access (HBA) Control Rules, which say what users are allowed access (via ssh) to what hosts.

== Restarting All IPA Services ==

You can use the command below to restart all FreeIPA services.

sudo ipactl restart

There's also a systemd daemon for the main ipa service.

sudo systemctl restart ipa

== Resetting The Admin Password ==

I've had to do this once when restoring from a backup after changing the admin pass and loosing the old one. So I might have to do it again some day.

<pre>
root@freeipa:~# export LDAPTLS_CACERT=/etc/ipa/ca.crt
root@freeipa:~# ldappasswd -ZZ -D 'cn=directory manager' -W -S uid=admin,cn=users,cn=accounts,dc=yourdomain,dc=net -H ldap://freeipa.yourdomain.net
New password:
Re-enter new password:
Enter LDAP Password:
</pre>

For <code>Enter LDAP Password:</code> use the Directory Manager password there (aka ldap admin).

[https://serverfault.com/questions/731024/freeipa-admin-password-reset Source]

== Let's Encrypt SSL Configuration ==

=== Basic Overview ===

My FreeIPA server uses Let's Encrypt certificates.

Here are the instructions for setting up a 3rd party cert for the ldap server & https web interface.

https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP

To get the CA certs loaded for LE see the section below.

=== Adding Let's Encrypt CA Authorities ===

I'm using let's encrypt for the certs for the FreeIPA server. Because of how SSL works, FreeIPA will not accept the LE certs unless it has the CA certs too. This is how you can add a CA cert for LE in Fedora/FreeIPA.

Where it started: I found the basic commands on [https://gist.github.com/lijikun/8b2b3350bce9aed7df3009e76541929c this github writeup link] and modified them.

My Commands to add the R3 CA Authority.

<pre>
wget https://letsencrypt.org/certs/lets-encrypt-r3.pem
ipa-cacert-manage install lets-encrypt-r3.pem -n R3 -t C,,
ipa-certupdate
</pre>

Found the latest ca cert file here: https://letsencrypt.org/certificates/

Then I was able to use the <code>ipa-server-certinstall</code> to install the cert.

ipa-server-certinstall -w -d "/etc/letsencrypt/live/freeipa.yourdomain.net/fullchain.pem" "/etc/letsencrypt/live/freeipa.yourdomain.net/privkey.pem"

<span style="color:orange"><b>Update</b></span>: Needs even more cert authorities.

Made / borrowed this script do get them all.

<pre>
#!/bin/bash
# Fetches LE CA certs for FreeIPA & runs update-ca-certificates.
# John R., Oct. 2024.

[[ $EUID -ne 0 ]] && echo "Run as root!" && exit 23

set -x
if ! [[ -d /usr/local/share/ca-certificates/extra ]]; then
mkdir -p /usr/local/share/ca-certificates/extra
fi

wget -O /usr/local/share/ca-certificates/extra/isrgrootx1.crt https://letsencrypt.org/certs/isrgrootx1.pem
wget -O /usr/local/share/ca-certificates/extra/isrg-root-x2.crt https://letsencrypt.org/certs/isrg-root-x2.pem
wget -O /usr/local/share/ca-certificates/extra/lets-encrypt-r3.crt https://letsencrypt.org/certs/lets-encrypt-r3.pem
wget -O /usr/local/share/ca-certificates/extra/lets-encrypt-e1.crt https://letsencrypt.org/certs/lets-encrypt-e1.pem
wget -O /usr/local/share/ca-certificates/extra/lets-encrypt-r4.crt https://letsencrypt.org/certs/lets-encrypt-r4.pem
wget -O /usr/local/share/ca-certificates/extra/lets-encrypt-e2.crt https://letsencrypt.org/certs/lets-encrypt-e2.pem
wget -O /usr/local/share/ca-certificates/extra/e5.crt https://letsencrypt.org/certs/2024/e5.pem
wget -O /usr/local/share/ca-certificates/extra/e6.crt https://letsencrypt.org/certs/2024/e6.pem
wget -O /usr/local/share/ca-certificates/extra/r10.crt https://letsencrypt.org/certs/2024/r10.pem
wget -O /usr/local/share/ca-certificates/extra/r11.crt https://letsencrypt.org/certs/2024/r11.pem

update-ca-certificates
</pre>

[https://github.com/freeipa/freeipa-letsencrypt/issues/25 Original Source]

[https://github.com/BlueSquare23/Misc_Bash_Scripts/blob/master/fetch-ca-certs.sh Modified Version on my Github]

=== Renewing an expired cert ===

If the cert for the FreeIPA server expires you can still use the <code>ipa-server-certinstall</code> tool to renew it, like you normally would. However, there's a catch. You have prepend your command with the <code>faketime</code> util and set the date to a time before when the current certificate expired.

EXPIRED!
Not After: Mon, 25 Nov 2024 02:26:25 GMT

<pre>
sudo faketime '2024-11-24 08:15:42' ipa-server-certinstall -w -d "/etc/letsencrypt/live/freeipa.yourdomain.net/fullchain.pem" "/etc/letsencrypt/live/freeipa.yourdomain.net/privkey.pem"
Directory Manager password:

Enter private key unlock password:

Please restart ipa services after installing certificate (ipactl restart)
The ipa-server-certinstall command was successful
</pre>

Then just run <code>sudo ipactl restart</code> to restart the FreeIPA services.