ACME Responder - dogtagpki/freeipa GitHub Wiki

Installation

To install IPA, refer to the official IPA documentation.

Add the following rules to /etc/httpd/conf.d/ipa-pki-proxy.conf:

<LocationMatch "^/acme">
    SSLOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
    SSLVerifyClient optional
    ProxyPassMatch ajp://localhost:8009
    ProxyPassReverse ajp://localhost:8009
</LocationMatch>

<LocationMatch "^/openssl">
    SSLOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
    SSLVerifyClient optional
    ProxyPassMatch ajp://localhost:8009
    ProxyPassReverse ajp://localhost:8009
</LocationMatch>

Then restart the HTTP server:

$ systemctl restart httpd

Installing ACME Responder

To install the ACME responder in IPA:

$ pki-server acme-create
$ pki-server acme-deploy

Requesting a Certificate

To request a certificate from the ACME responder:

$ certbot certonly --manual \
    -d server.example.com \
    --server http://$HOSTNAME/acme/directory \
    --register-unsafely-without-email

The certificate will be stored at /etc/letsencrypt/live/server.example.com/cert.pem.

To inspect the certificate:

$ openssl x509 -text -noout -in /etc/letsencrypt/live/server.example.com/cert.pem
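The following script is an added example, not part of this wiki page or of the Dogtag/FreeIPA code. It covers two checks a practitioner usually wants after the steps above: that the deployed ACME responder actually publishes the directory endpoints certbot needs (newNonce, newAccount, newOrder) and that, behind the TLS-terminating Apache proxy configured above, those URLs are https; and that the certificate certbot stored carries the requested name as an exact DNS subjectAltName rather than a look-alike. The check functions take text so they can be exercised offline on constructed sample input; the *_live helpers feed them real curl and openssl output. ACME_HOST and the --demo flag are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the dogtagpki/freeipa wiki): post-deployment and
# post-issuance sanity checks for an ACME responder behind the IPA Apache proxy.
# ACME_HOST is an assumed variable naming the IPA server.

# Keys every ACME directory object must carry (RFC 8555, section 7.1.1).
ACME_REQUIRED_ENDPOINTS="newNonce newAccount newOrder"

# Return 0 if the directory JSON names every required endpoint, 1 otherwise.
# Only string keys are looked for, so no JSON parser is needed.
directory_has_endpoints() {
    json=$1
    for key in $ACME_REQUIRED_ENDPOINTS; do
        printf '%s' "$json" | grep -q "\"$key\"[[:space:]]*:" || return 1
    done
    return 0
}

# Return 0 if no URL in the directory JSON uses plain http, 1 otherwise.
# Account keys and challenge responses travel over these URLs, so they
# should all be https when the responder sits behind the TLS proxy.
directory_urls_are_https() {
    ! printf '%s' "$1" | grep -q '"http://'
}

# Return 0 if the text printed by
#   openssl x509 -noout -ext subjectAltName -in cert.pem
# lists DOMAIN as an exact DNS entry. Each comma-separated entry is trimmed
# and compared whole, so "notserver.example.com" does not match "server.example.com".
san_has_dns() {
    san_text=$1
    domain=$2
    printf '%s\n' "$san_text" | tr ',' '\n' \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
        | grep -qxF "DNS:$domain"
}

# Live variants for use on the IPA server (need network access and openssl).
directory_check_live() {
    json=$(curl -fsS "https://$ACME_HOST/acme/directory") || return 1
    directory_has_endpoints "$json" && directory_urls_are_https "$json"
}

san_check_live() {
    san=$(openssl x509 -noout -ext subjectAltName -in "$1") || return 1
    san_has_dns "$san" "$2"
}

# Constructed sample inputs (not captured from a real responder).
SAMPLE_DIRECTORY='{"newNonce":"https://ipa.example.com/acme/new-nonce","newAccount":"https://ipa.example.com/acme/new-account","newOrder":"https://ipa.example.com/acme/new-order"}'
SAMPLE_SAN='X509v3 Subject Alternative Name: 
    DNS:server.example.com, DNS:www.example.com'

# Run the offline checks against the constructed samples: ./acme-checks.sh --demo
if [ "${1:-}" = "--demo" ]; then
    directory_has_endpoints "$SAMPLE_DIRECTORY" && echo "directory: required endpoints present"
    directory_urls_are_https "$SAMPLE_DIRECTORY" && echo "directory: all URLs use https"
    san_has_dns "$SAMPLE_SAN" server.example.com && echo "SAN: server.example.com present"
fi
```

On a real deployment, `ACME_HOST=ipa.example.com directory_check_live` exercises the Apache proxy rules and the deployed responder together, and `san_check_live /etc/letsencrypt/live/server.example.com/cert.pem server.example.com` confirms the stored certificate is for the name that was requested.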

See Also
