Hello Guys, I'm would like to use custom ssl certificates for http and ldap, I saw the following: https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP But I wonder how would this be done when using freeipa in a docker/podman container. I mean the container is started with "--read-only" flag. So it's not clear to me what the correct approach here would be. I hope it's not that you have to re-build an own image with the ssl certificates every time? Background Info: I'm using acme.sh in a VM, which creates my wildcard letsencrypt certificates and puts them on an nfs share. Freeipa should simply use that certificates for http and ldap and that's it. No renewing as this is done by the acme.sh VM itself.

I'm a bit confused by the time stamps of the messages, is @Jan's approach working, was the "it isn't that simple..." for me only? As for now If @Jan is right, I would copy the certificates into the container via "/tmp" or "/data" and then go into the container and execute only "ipa-server-certinstall -w -d mysite.key mysite.crt" and restart the container. That's should be all right, I don't need the other commands?

I thought I had it running correctly, at the beginning it was working, but unfortunately the certificates were not updated/replaced. So I got the expired certificate warning when trying to access the freeipa UI. I’m running on docker based freeipa-server:rocky-9-4.10.0 and tried the following setup/files. 1-get-ca-certs.sh file: #!/bin/bash mkdir -p /srv/freeipa/ssl/{live,ca} CERTS=("isrgrootx1.pem" "isrg-root-x2.pem" "lets-encrypt-r3.pem" "lets-encrypt-e1.pem" "lets-encrypt-r4.pem" "lets-encrypt-e2.pem") for CERT in "${CERTS[@]}" do curl -o /srv/freeipa/ssl/ca/$CERT "https://letsencrypt.org/certs/$CERT" done Then executed: . /1-get-ca-certs.sh podman cp /srv/freeipa/ssl/ freeipa-server:/tmp/ 2-install-ca-certs.sh file: CERTS=("isrgrootx1.pem" "isrg-root-x2.pem" "lets-encrypt-r3.pem" "lets-encrypt-e1.pem" "lets-encrypt-r4.pem" "lets-encrypt-e2.pem") for CERT in "${CERTS[@]}" do podman exec freeipa-server ipa-cacert-manage install /tmp/ssl/ca/$CERT done Then executed: ./2-install-ca-certs.sh: podman exec freeipa-server ipa-certupdate ipa-server-certinstall.sh file: #!/bin/bash runuser -l MYUSER -c 'podman exec -i freeipa-server ipa-server-certinstall -w -d /tmp/ssl/live/my-domain.com.key /tmp/ssl/live/my-domain.com.cer' And an auto expect script, which was used in a cron job to utilise ipa-server-certinstall.sh. But obviously “podman cp /srv/freeipa/ssl/ freeipa-server:/tmp/“ (copy over ssl files into the container) and ”/usr/bin/expect /root/ipa-server-certinstall.exp” (execute ipa-server-certinstall.sh) wasn’t enough otherwise the cert wouldn’t expire. When I execute it manually I get: “cannot connect to 'https://freeipa1.my-domain.com:443/acme/directory': [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: certificate has expired (_ssl.c:1129) The ipa-server-certinstall command failed.” How can I renew the expired certificate?

I was googling too, but couldn't really find anything helpful. To me, it looks like a big pain in the ass, this custom certificate handling in freeipa, especially when using freeipa inside docker. I haven't even updated it in a while, who knows what other issues I will face when trying that.

Do you know, how (if even possible) to revert all that ssl cert stuff back to the default behaviour, I think it was with freeipa self signed certificates?