Monday, April 10, 2023

[389-users] Re: ACME certificate and NSS databases

John Thurston wrote:
> Yep. That was the question. I've been hacking on /dehydrated/hook-scripts,
> and am pretty close to where I want to be.
>
> I'm using DNS-01 challenge (so needed to write the handlers for that)
>
> I find NSS databases to be a PITA, so in the deploy_cert handler, I'm
>
> + building a new NSS
> + importing the Let's Encrypt intermediates
> + importing the new cert and key under the expected name
>
> Then I'll just replace the old NSS with the new

That can work, just be aware that if you want to use the database for
anything else (e.g. replication client certificates) you could break
your install.

rob
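As an added example (not code from either poster), here is a dehydrated deploy_cert hook along the lines John describes, with Rob's warning about other certificates in the database (e.g. replication client certs) turned into a pre-flight check; the instance directory, the nickname 389 expects and the NSS password file are assumptions:

```shell
#!/bin/sh
# Added example, not code from the thread. A dehydrated deploy_cert hook that
# rebuilds an NSS database the way John describes, with Rob's caveat turned
# into a pre-flight check. Paths, nickname and password file are assumptions.
set -eu
NSS_DIR="${NSS_DIR:-/etc/dirsrv/slapd-example}"  # assumed 389 instance dir
NICK="${NICK:-Server-Cert}"                        # assumed nickname 389 expects
PWFILE="${PWFILE:-$NSS_DIR/pwdfile.txt}"           # assumed NSS password file
# Print every nickname in a `certutil -L` listing that carries a private key
# (lowercase 'u' trust flag) other than $2. Anything printed here, e.g. a
# replication client cert, would vanish if a fresh database replaced this one.
other_key_nicknames() {
  listing="$1"; keep="$2"
  printf '%s\n' "$listing" | awk -v keep="$keep" '
    NR <= 2 || NF < 2 { next }                       # header and blank lines
    { flags = $NF; sub(/[ \t]+[^ \t]+$/, "", $0); nick = $0 }
    flags ~ /u/ && nick != keep { print nick }'
}
# dehydrated calls: deploy_cert DOMAIN KEYFILE CERTFILE FULLCHAINFILE CHAINFILE TIMESTAMP
deploy_cert() {
  keyfile="$2"; certfile="$3"; chainfile="$5"
  old="$(certutil -L -d "sql:$NSS_DIR" 2>/dev/null || true)"
  extra="$(other_key_nicknames "$old" "$NICK")"
  if [ -n "$extra" ]; then
    printf 'refusing to replace %s, other key-bearing certs: %s\n' "$NSS_DIR" "$extra" >&2
    return 1
  fi
  new="$(mktemp -d)"
  certutil -N -d "sql:$new" -f "$PWFILE"
  # CHAINFILE holds only the intermediates; import each one with no trust flags
  awk -v d="$new" '/BEGIN CERT/ { n++ } { print > (d "/chain-" n ".pem") }' "$chainfile"
  for c in "$new"/chain-*.pem; do
    certutil -A -d "sql:$new" -n "LE-$(basename "$c" .pem)" -t ",," -i "$c"
  done
  # cert + key go in under the expected nickname via a throwaway PKCS#12
  openssl pkcs12 -export -in "$certfile" -inkey "$keyfile" -name "$NICK" \
    -passout "file:$PWFILE" -out "$new/server.p12"
  pk12util -i "$new/server.p12" -d "sql:$new" -k "$PWFILE" -w "$PWFILE"
  rm -f "$new"/chain-*.pem "$new/server.p12"
  # swap only the NSS files, keeping a backup; restart 389 afterwards
  for f in cert9.db key4.db pkcs11.txt; do
    [ -e "$NSS_DIR/$f" ] && cp -p "$NSS_DIR/$f" "$NSS_DIR/$f.bak"
    install -o dirsrv -g dirsrv -m 0600 "$new/$f" "$NSS_DIR/$f"
  done
  rm -rf "$new"
}
case "${1:-}" in
  deploy_cert) shift; deploy_cert "$@" ;;
esac
```

The check refuses to proceed when the old database holds a second key-bearing entry, which is exactly the case where a wholesale replacement would break replication.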

> --
> Do things because you should, not just because you can.
>
> John Thurston 907-465-8591
> John.Thurston@alaska.gov
> Department of Administration
> State of Alaska
>
> On 4/5/2023 10:32 AM, Rob Crittenden wrote:
>> I think he was asking if a script exists that will work with ACME and
>> NSS databases. It is quite a broad question because it does depend on
>> the client used.
>>
>> I think I would use certbot and leave the private key and certificates
>> in the flat filesystem and use a post-hook to stop 389, load the updated
>> cert using certutil, restart 389.
>>
>> I'm lazy so after the first request I'd manually create a PKCS#12 out of
>> it and load that into the 389 NSS db. All subsequent calls with the
>> post-hook should work fine as long as the private key is retained.
>>
>> But I haven't tried it.
>
> _______________________________________________
> 389-users mailing list -- 389-users@lists.fedoraproject.org
> To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
> Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue