Hello!
I'm setting up a RabbitMQ server on our internal network, and I thought now would be a good time to figure out how to use FreeIPA to issue certs for services to enable TLS. (Only internal systems with the IPA cert will access the system.) However, I'm running into a couple of problems.
I'm following the FreeIPA PKI Docs [1] on how to set up an automated cert request with Certmonger which will put cert renewal on autopilot, hopefully, and I'm getting stuck on step #6 of the instructions where I'm supposed to import the IPA `ca.crt` into the nssdb which was created for RabbitMQ.
Command and results of step #6:

```
[me@rabbitserver.sub.domain.tld]# certutil -A -d /etc/rabbitmq/nssdb -n 'SUB.DOMAIN.TLD IPA CA' -t CT,, -a < /etc/ipa/ca.crt
Enter Password or Pin for "NSS Certificate DB":
```
I don't know what password or pin it would like.
I read something which suggested `/etc/dirsrv/slapd-DOMAIN-TLD/pin.txt` on the IPA server contained the magic words which would unlock the database, so I copied the token which is not what certutil wants to unlock `/etc/ipa/nssdb`.
Example contents of `/etc/ipa/nssdb/pin.txt` on IPA server:

```
Internal (Software) Token:<thispartiswhaticopied>
```
Here are the problems:
1. I don't know the PIN or password for `/etc/ipa/nssdb`.
2. Would like the cert to be auto managed.
3. FreeIPA docs and RHEL docs disagree. [2][3]
IPA Server:
* CentOS 7
* ipa-server: 4.6.8-5.el7.centos
Rabbit Server:
* CentOS Stream 8
* ipa-client: 4.9.0-1.module_el8.4.0+635+535c2b80
Ryan
1: https://www.freeipa.org/page/PKI#Automated_certificate_requests_with_Certmon...
2: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/htm...
3: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/htm...
Techmail via FreeIPA-users wrote:
Hello!
I'm setting up a RabbitMQ server on our internal network, and I thought now would be a good time to figure out how to use FreeIPA to issue certs for services to enable TLS. (Only internal systems with the IPA cert will access the system.) However, I'm running into a couple of problems.
I'm following the FreeIPA PKI Docs [1] on how to set up an automated cert request with Certmonger which will put cert renewal on autopilot, hopefully, and I'm getting stuck on step #6 of the instructions where I'm supposed to import the IPA `ca.crt` into the nssdb which was created for RabbitMQ.
Command and results of step #6:
```
[me@rabbitserver.sub.domain.tld]# certutil -A -d /etc/rabbitmq/nssdb -n 'SUB.DOMAIN.TLD IPA CA' -t CT,, -a < /etc/ipa/ca.crt
Enter Password or Pin for "NSS Certificate DB":
```
I don't know what password or pin it would like.
The password is whatever you set when you created /etc/rabbitmq/nssdb.
I don't remember RabbitMQ using NSS. Doesn't it need separate PEM files for the cert and key?
I read something which suggested `/etc/dirsrv/slapd-DOMAIN-TLD/pin.txt` on the IPA server contained the magic words which would unlock the database, so I copied the token which is not what certutil wants to unlock `/etc/ipa/nssdb`.
Each NSS database typically has its own password.
Example contents of `/etc/ipa/nssdb/pin.txt` on IPA server:
```
Internal (Software) Token:<thispartiswhaticopied>
```
Here are the problems:
- I don't know the PIN or password for `/etc/ipa/nssdb`.
/etc/ipa/nssdb/pwdfile.txt
But you aren't using /etc/ipa/nssdb. It's apples and oranges.
- Would like the cert to be auto managed.
certmonger does that.
- FreeIPA docs and RHEL docs disagree. [2][3]
They do not. You are comparing a very specific use-case, requesting a web server cert for use with mod_nss which uses NSS, vs more generic cases of requesting a cert for a service.
IPA Server:
- CentOS 7
- ipa-server: 4.6.8-5.el7.centos
Rabbit Server:
- CentOS Stream 8
- ipa-client: 4.9.0-1.module_el8.4.0+635+535c2b80
You probably want something like this, which will generate PEM files, which IIRC is what RabbitMQ needs.
Create a rabbitmq service for the rabbit server in IPA. You can name it whatever you want but naming it similar to the service is helpful. Every cert needs to be stored in a bucket.
```
# kinit admin
# ipa service-add rabbitmq/mq.example.test
```
Request a cert for mq.example.test *on* mq.example.test (you need no special IPA credentials for this. The host handles the request):
```
# ipa-getcert request -f /etc/pki/tls/certs/rabbitmq.pem -k /etc/pki/tls/private/rabbitmq.key -K rabbitmq/mq.example.test -D mq.example.test
```
I think that should do it. You can extend the request with anything special you need, like a post-install command to restart the service for you.
You can put the cert and key some place else if you want but be aware of SELinux policy.
rob
1: https://www.freeipa.org/page/PKI#Automated_certificate_requests_with_Certmon...
2: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/htm...
3: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/htm...
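The two steps from the reply, wrapped into one script with the post-save restart hook Rob mentions and the checks a practitioner would run once the cert is on disk. This is an added example, not code from the thread or from FreeIPA; it assumes the hostname mq.example.test from the reply, a `rabbitmq-server` systemd unit, and the file paths below.

```shell
#!/bin/sh
# Added example, not code from the thread or the FreeIPA project: Rob's two
# steps wrapped in a script, with the post-save restart hook he mentions and
# the checks worth running once the cert lands. Assumed: the hostname
# mq.example.test from the reply, a rabbitmq-server unit, and the paths below.
set -eu

HOST="${RABBIT_HOST:-mq.example.test}"
CERT=/etc/pki/tls/certs/rabbitmq.pem
KEY=/etc/pki/tls/private/rabbitmq.key
CA=/etc/ipa/ca.crt

# Kerberos principal for the IPA service entry (service/fqdn).
principal() { printf 'rabbitmq/%s\n' "$1"; }

# Refuse a private key that group or others can read: only modes ending
# in 00 (0600, 0400) pass. Uses GNU stat.
key_perms_ok() {
  mode=$(stat -c '%a' "$1") || return 1
  case "$mode" in *00) return 0 ;; *) return 1 ;; esac
}

# Create the service entry (needs admin), then request and track the cert
# on the broker host using its own host credentials. -C runs after every
# (re)issuance, so renewals are picked up by RabbitMQ instead of sitting
# unused on disk.
issue_rabbitmq_cert() {
  kinit admin
  ipa service-add "$(principal "$HOST")"
  kdestroy
  ipa-getcert request -f "$CERT" -k "$KEY" \
    -K "$(principal "$HOST")" -D "$HOST" \
    -C "systemctl restart rabbitmq-server"
}

# Post-issuance checks: certmonger is tracking, the cert chains to the IPA
# CA, the DNS SAN matches the host, and the key is not world-readable.
verify_rabbitmq_cert() {
  ipa-getcert list -f "$CERT" | grep -q 'status: MONITORING'
  openssl verify -CAfile "$CA" "$CERT" >/dev/null
  openssl x509 -in "$CERT" -noout -text | grep -q "DNS:$HOST"
  key_perms_ok "$KEY"
}

case "${1:-}" in
  --issue)  issue_rabbitmq_cert ;;
  --verify) verify_rabbitmq_cert ;;
esac
```

Run it with `--issue` once on the broker host, then `--verify` after certmonger reports the cert issued; the verify step is also worth re-running after the first automatic renewal.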
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org