
Comments (20)

HeneryH avatar HeneryH commented on June 27, 2024 5

Solved but took some research...

Found a way for FreeIPA to print out the key passphrase that it generated when installing. Not sure how safe this is :) but the following command printed out the passphrase for the httpd key:

bash -x /usr/libexec/ipa/ipa-httpd-pwdreader $HOSTNAME:443 RSA

+ USAGE='./ipa-pwdreader host:port RSA|DSA|ECC|number'
+ '[' 2 -ne 2 ']'
+ fname=ipa1.lab..org-443-RSA
+ pwdpath=/var/lib/ipa/passwds/ipa1.lab..org-443-RSA
++ /usr/bin/realpath -e /var/lib/ipa/passwds/ipa1.lab..org-443-RSA
+ checkpath=/var/lib/ipa/passwds/ipa1.lab..org-443-RSA
+ '[' /var/lib/ipa/passwds/ipa1.lab..org-443-RSA == /var/lib/ipa/passwds/ipa1.lab..org-443-RSA ']'
+ cat /var/lib/ipa/passwds/ipa1.lab..org-443-RSA
xxxxxxxxxx <-- my passphrase --> xxxxxxxxxxxx

from freeipa-letsencrypt.

thinkmassive avatar thinkmassive commented on June 27, 2024 2

I solved this by adding -passin file:$OPENSSL_PASSWD_FILE to the openssl command when that file (/var/lib/ipa/passwds/$HOSTNAME-443-RSA) is present. See the commit in my fork: thinkmassive@b682c6e

from freeipa-letsencrypt.
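Added example (shell; not code from freeipa-letsencrypt, FreeIPA, or any commenter) that reproduces the two defensive steps visible in this thread: the canonical-path check that the ipa-httpd-pwdreader trace above performs before reading a file under /var/lib/ipa/passwds, and the conditional -passin file: argument from thinkmassive's fix. PASSWD_DIR, the function names and the host ipa1.example.test are assumptions.

```shell
#!/bin/sh
# Added example, not FreeIPA's own pwdreader. PASSWD_DIR is overridable so the
# functions can be exercised against a constructed directory.
PASSWD_DIR="${PASSWD_DIR:-/var/lib/ipa/passwds}"

# Map "host:port" and a key type to the passphrase file name, e.g.
# ipa1.example.test:443 RSA -> ipa1.example.test-443-RSA
pwd_file_name() {
    hostport="$1"
    keytype="$2"
    printf '%s-%s-%s\n' "${hostport%%:*}" "${hostport##*:}" "$keytype"
}

# Resolve the passphrase file and refuse anything whose canonical path is not
# the expected path inside PASSWD_DIR. This is the realpath -e plus string
# compare visible in the bash -x trace: a symlink or a "../" component in the
# host argument resolves elsewhere and is rejected instead of being read.
pwd_file_path() {
    want="$PASSWD_DIR/$(pwd_file_name "$1" "$2")"
    real=$(realpath -e "$want" 2>/dev/null) || return 1   # missing file
    [ "$real" = "$want" ] || return 2                     # escaped the dir
    printf '%s\n' "$real"
}

# Emit the openssl -passin argument only when the FreeIPA passphrase file
# exists, so a deployment with an unencrypted httpd key keeps working.
openssl_passin_args() {
    if f=$(pwd_file_path "$1" "$2"); then
        printf -- '-passin file:%s\n' "$f"
    fi
}
```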

HeneryH avatar HeneryH commented on June 27, 2024

So sorry, can't seem to get the output to wrap the newlines.

This is the error line by itself

Enter pass phrase for /var/lib/ipa/private/httpd.key:

unable to load Private Key

from freeipa-letsencrypt.

HeneryH avatar HeneryH commented on June 27, 2024

Doing some investigation out loud here...

So maybe there already is a key for the httpd service and it is trying to read that key in.

When I look in the web UI, I see a service for HTTP/[email protected] but how could that impact me using the LetsEncrypt scripts?? Hmmmm.

from freeipa-letsencrypt.

rcritten avatar rcritten commented on June 27, 2024

You need to apply the changes in this PR #16

from freeipa-letsencrypt.

HeneryH avatar HeneryH commented on June 27, 2024

@mkosek @rcritten Hi Martin and Rob. Thanks for the help to the noob. I went and cloned Martin's repo and ran that. It made more progress but then I hit this error...

ipaplatform.redhat.tasks: INFO: Systemwide CA database updated.
ipalib.backend: DEBUG: Destroyed connection context.rpcclient_140147645009152
ipapython.admintool: INFO: The ipa-certupdate command was successful
certutil: could not authenticate to token NSS Certificate DB.: SEC_ERROR_IO: An I/O error occurred during security authorization.
certutil: Server-Cert is neither a key-type nor a nickname nor a key-id: SEC_ERROR_IO: An I/O error occurred during security authorization.

Do you think this might be user error? I did: sudo su; kinit admin; ./setup.sh

from freeipa-letsencrypt.

HeneryH avatar HeneryH commented on June 27, 2024

Here is my full log of output
https://github.com/HeneryH/dropbox/blob/master/full_log

from freeipa-letsencrypt.

rcritten avatar rcritten commented on June 27, 2024

It's not clear where that error is coming from. Given the setup seems to have worked I'd try running this directly for more output:

bash -x ./renew-le.sh" "--first-time"

from freeipa-letsencrypt.

HeneryH avatar HeneryH commented on June 27, 2024

@rcritten your copy/paste has some weird stuff with quotes but if I am to assume you mean

bash -x ./renew-le.sh --first-time

+ set -o nounset -o errexit
+ WORKDIR=/root/ipa-le
+ EMAIL=
+ '[' --first-time '!=' --first-time ']'
+ rm -f '/root/ipa-le/*.pem'
+ rm -f /root/ipa-le/httpd-csr.der
++ hostname -f
++ hostname -f
+ certutil -R -d /etc/httpd/alias/ -k Server-Cert -f /etc/httpd/alias/pwdfile.txt -s CN=ipa1.lab.<mydomain>.org --extSAN dns:ipa1.lab.<mydomain>.org -o /root/ipa-le/httpd-csr.der
certutil: could not authenticate to token NSS Certificate DB.: SEC_ERROR_IO: An I/O error occurred during security authorization.
certutil: Server-Cert is neither a key-type nor a nickname nor a key-id: SEC_ERROR_IO: An I/O error occurred during security authorization.

from freeipa-letsencrypt.

rcritten avatar rcritten commented on June 27, 2024

Perhaps refresh from current master. The code you have is no longer upstream. renew-le.sh doesn't call certutil at all in HEAD.

from freeipa-letsencrypt.

HeneryH avatar HeneryH commented on June 27, 2024

I couldn't figure out how to get mkosek's PR into my file system due to my lack of skill with git :) so I just cloned his whole forked repo.

I'll try again later. Thanks Rob!

from freeipa-letsencrypt.

rcritten avatar rcritten commented on June 27, 2024

This will do it:

git clone https://github.com/mkosek/freeipa-letsencrypt
cd freeipa-letsencrypt/
git checkout fix-workdir

from freeipa-letsencrypt.

HeneryH avatar HeneryH commented on June 27, 2024

I may have been on the wrong path here...

There is a key in /var/lib/ipa/private/httpd.key that has a time stamp of when I installed the system and FreeIPA. When I test the passphrase it is telling me that the passphrase I entered is incorrect. I only ever use one or two go-to passphrases for this sort of testing so I can't imagine I used a different one. I have to go back to the installation and try to figure out what that passphrase might have been.

from freeipa-letsencrypt.

mkosek avatar mkosek commented on June 27, 2024

@rcritten , since I did not see objections, I merged the respective PR to this repo, so that it is not that complicated.

from freeipa-letsencrypt.

917huB avatar 917huB commented on June 27, 2024

@HeneryH thank you, this solved my issue as well.
Should this password be auto-entered in the generation script, and if not, will this issue affect renewals of the lets automate cert in 90 days?

from freeipa-letsencrypt.

senare avatar senare commented on June 27, 2024

Hi, this seems to do the trick at least for me! So I would like to see that change merged?

I am not sure how to go about that but it seems I can create a PR? Hope that's fine with @thinkmassive?

(Centos8 btw ..)

from freeipa-letsencrypt.

arifulislamat avatar arifulislamat commented on June 27, 2024

bash -x /usr/libexec/ipa/ipa-httpd-pwdreader $HOSTNAME:443 RSA

I have tried to run this bash command but get the following errors.
I am on fedora 33.

+ 'mod_ssl password reader
This program is a handler written for Apache mod_ssl'\''s SSLPassPhraseDialog.

If you'\''d like to write your custom binary providing passwords to mod_ssl,
see the documentation of the aforementioned directive of the mod_ssl module.
'
/usr/libexec/ipa/ipa-httpd-pwdreader: line 7: $'mod_ssl password reader\nThis program is a handler written for Apache mod_ssl\'s SSLPassPhraseDialog.\n\nIf you\'d like to write your custom binary providing passwords to mod_ssl,\nsee the documentation of the aforementioned directive of the mod_ssl module.\n': command not found
+ import argparse
/usr/libexec/ipa/ipa-httpd-pwdreader: line 8: import: command not found
+ import os
/usr/libexec/ipa/ipa-httpd-pwdreader: line 9: import: command not found
+ from ipaplatform.paths import paths
/usr/libexec/ipa/ipa-httpd-pwdreader: line 11: from: command not found
/usr/libexec/ipa/ipa-httpd-pwdreader: line 13: syntax error near unexpected token `('
/usr/libexec/ipa/ipa-httpd-pwdreader: line 13: `HTTPD_PASSWD_DIR = os.path.realpath('
[root@ipa ~]# cat /var/lib/ipa/passwds/ipa1.lab..org-443-RSA
cat: /var/lib/ipa/passwds/ipa1.lab..org-443-RSA: No such file or directory

from freeipa-letsencrypt.

abbra avatar abbra commented on June 27, 2024

The script ipa-httpd-pwdreader is written in python, so you don't need to use bash -x to run it.

from freeipa-letsencrypt.

arifulislamat avatar arifulislamat commented on June 27, 2024

The script ipa-httpd-pwdreader is written in python, so you don't need to use bash -x to run it.

Thanks for your quick response. I was trying to get the key passphrase, like @HeneryH was showing as a solution.

from freeipa-letsencrypt.

rcritten avatar rcritten commented on June 27, 2024

So execute python /usr/libexec/ipa/ipa-httpd-pwdreader instead (or python3 or whatever your distro uses).

Or look directly in /var/lib/ipa/passwds/

from freeipa-letsencrypt.
