Friday, April 7, 2023

[389-users] Re: ACME certificate and NSS databases

Yep. That was the question. I've been hacking on dehydrated hook-scripts, and am pretty close to where I want to be.

I'm using DNS-01 challenge (so needed to write the handlers for that)

I find NSS databases to be a PITA, so in the deploy_cert handler, I'm

+ building a new NSS
+ importing the Let's Encrypt intermediates
+ importing the new cert and key under the expected name

Then I'll just replace the old NSS with the new

--  Do things because you should, not just because you can.     John Thurston    907-465-8591  Department of Administration  State of Alaska
On 4/5/2023 10:32 AM, Rob Crittenden wrote:
I think he was asking if a script exists that will work with ACME and  NSS databases. It is quite a broad question because it does depend on  the client used.    I think I would use certbot and leave the private key and certificates  in the flat filesystem and use a post-hook to stop 389, load the updated  cert using certutil, restart 389.    I'm lazy so after the first request I'd manually create a PKCS#12 out of  it and load that into the 389 NSS db. All subsequent calls with the  post-hook should work fine as long as the private key is retained.    But I haven't tried it.

No comments:

Post a Comment