Re: ACME certificate and NSS databases

John Thurston wrote:
> Yep. That was the question. I've been hacking on /dehydrated
> /hook-scripts, and am pretty close to where I want to be.
> 
> I'm using DNS-01 challenge (so needed to write the handlers for that)
> 
> I find NSS databases to be a PITA, so in the deploy_cert handler, I'm
> 
> + building a new NSS
> + importing the Let's Encrypt intermediates
> + importing the new cert and key under the expected name
> 
> Then I'll just replace the old NSS with the new

That can work, just be aware that if you want to use the database for
anything else (e.g. replication client certificates) you could break
your install.

rob

> --
> Do things because you should, not just because you can. 
> 
> John Thurston    907-465-8591
> John.Thurston@xxxxxxxxxx
> Department of Administration
> State of Alaska
> 
> On 4/5/2023 10:32 AM, Rob Crittenden wrote:
>> I think he was asking if a script exists that will work with ACME and
>> NSS databases. It is quite a broad question because it does depend on
>> the client used.
>>
>> I think I would use certbot and leave the private key and certificates
>> in the flat filesystem and use a post-hook to stop 389, load the updated
>> cert using certutil, restart 389.
>>
>> I'm lazy so after the first request I'd manually create a PKCS#12 out of
>> it and load that into the 389 NSS db. All subsequent calls with the
>> post-hook should work fine as long as the private key is retained.
>>
>> But I haven't tried it.
_______________________________________________
389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
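As an added example (not code from this thread, from dehydrated or from 389-ds), a dehydrated deploy_cert hook that follows Rob's caveat: it imports the renewed key and certificate into the existing 389 NSS database instead of building a fresh one, so replication client certificates and other entries survive. The instance name, nickname "Server-Cert", the /etc/dirsrv/slapd-<instance> layout and the pin.txt PIN format are assumptions about a default 389-ds install.

```shell
#!/bin/sh
# Added example, not code from the thread. dehydrated deploy_cert hook that
# imports the renewed cert into the EXISTING 389-ds NSS database, so entries
# other than the server cert (e.g. replication client certs) are preserved.
# Assumed: 389-ds default layout under /etc/dirsrv/slapd-<instance> with the
# token PIN in pin.txt, nickname "Server-Cert"; instance name is a placeholder.
set -eu
umask 077
INSTANCE="${DS_INSTANCE:-slapd-example}"
NSSDIR="${DS_NSSDIR:-/etc/dirsrv/$INSTANCE}"
NICK="${DS_NICK:-Server-Cert}"

# certutil/pk12util -d argument: NSS sqlite layout (cert9.db) or legacy dbm.
nss_db_arg() {
  if [ -f "$1/cert9.db" ]; then echo "sql:$1"
  elif [ -f "$1/cert8.db" ]; then echo "dbm:$1"
  else return 1; fi
}

# 389-ds keeps the token PIN as "Internal (Software) Token:<pin>" in pin.txt.
nss_pin() { sed -n 's/^Internal (Software) Token://p' "$1/pin.txt"; }

# dehydrated calls: deploy_cert DOMAIN KEYFILE CERTFILE FULLCHAINFILE CHAINFILE TIMESTAMP
deploy_cert() {
  domain="$1" keyfile="$2" certfile="$3" chainfile="$5"
  db="$(nss_db_arg "$NSSDIR")"
  tmp="$(mktemp -d)"; trap 'rm -rf "$tmp"' EXIT
  nss_pin "$NSSDIR" > "$tmp/pin"           # password files keep secrets off the command line
  head -c 24 /dev/urandom | base64 > "$tmp/p12pw"
  # One PKCS#12 holding key + leaf + LE intermediates; pk12util imports the whole chain.
  openssl pkcs12 -export -name "$NICK" -inkey "$keyfile" -in "$certfile" \
    -certfile "$chainfile" -passout "file:$tmp/p12pw" -out "$tmp/cert.p12"
  bak="$NSSDIR.bak.$(date +%s)"; cp -a "$NSSDIR" "$bak"   # rollback point
  systemctl stop "dirsrv@$INSTANCE"
  # Remove only the old server cert (the key stays); everything else is untouched.
  certutil -D -d "$db" -n "$NICK" -f "$tmp/pin" || true
  if ! pk12util -i "$tmp/cert.p12" -d "$db" -k "$tmp/pin" -w "$tmp/p12pw" ||
     ! certutil -L -d "$db" -n "$NICK" >/dev/null; then
    echo "import of $NICK for $domain failed, restoring $bak" >&2
    rm -rf "$NSSDIR"; cp -a "$bak" "$NSSDIR"
  fi
  systemctl start "dirsrv@$INSTANCE"
}

case "${1:-}" in
  deploy_cert) shift; deploy_cert "$@" ;;   # DNS-01 handlers etc. are out of scope here
esac
```

Point dehydrated's HOOK setting at this script; it stays idle for every handler other than deploy_cert.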