Centralize enable/disable of the ACME service

The initial implementation of ACME in dogtag and IPA required
that ACME be manually enabled on each CA.

dogtag added a REST API that can be accessed directly or through
the `pki acme` CLI tool to enable or disable the service.

It also abstracted the database connection and introduced the
concept of a realm which defines the DIT for ACME users and
groups, the URL and the identity. This is configured in realm.conf.

A new group was created, Enterprise ACME Administrators, that
controls the users allowed to modify ACME configuration.

The IPA RA is added to this group for the ipa-acme-manage tool
to authenticate to the API to enable/disable ACME.

Related dogtag installation documentation:
https://github.com/dogtagpki/pki/blob/master/docs/installation/acme/Configuring_ACME_Database.md
https://github.com/dogtagpki/pki/blob/master/docs/installation/acme/Configuring_ACME_Realm.md
https://github.com/dogtagpki/pki/blob/master/docs/installation/acme/Installing_PKI_ACME_Responder.md

ACME REST API:
https://github.com/dogtagpki/pki/wiki/PKI-ACME-Enable-REST-API

https://pagure.io/freeipa/issue/8524

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
This commit is contained in:
Rob Crittenden
2020-10-06 15:17:15 -04:00
parent e13d058a06
commit c0d55ce6de
11 changed files with 109 additions and 32 deletions

@@ -106,6 +106,7 @@ dist_app_DATA = \
pki-acme-database.conf.template \
pki-acme-engine.conf.template \
pki-acme-issuer.conf.template \
pki-acme-realm.conf.template \
ldbm-tuning.ldif \
$(NULL)
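Review bot: pki-acme-realm.conf.template is added to dist_app_DATA next to the other ACME templates, and since the realm template carries username=$USER and password=$PASSWORD placeholders (see the realm hunk in this commit), the rendered realm.conf should be installed with the same restrictive ownership and mode as the issuer config rather than the default for app data; worth confirming where the template is rendered.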

@@ -1,2 +1,11 @@
# Parameters read by ACMEEngineConfigFileSource, i.e. these are
# expected to be in the file pointed to by the 'filename' directive
# above.
#
# IPA only sets the values it uses.
#
# Whether to enable the ACME service:
enabled=false
wildcard=false
# Whether to accept wildcard DNS identifiers:
policy.wildcard=false
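Review bot: the header comment says these parameters live in "the file pointed to by the 'filename' directive above", but no such directive appears in this template, so the "above" reference points at a different file; name that file explicitly in the comment. Shipping enabled=false as the installed default is the right choice given the commit's goal of enabling ACME centrally via ipa-acme-manage, and replacing the bare wildcard=false with policy.wildcard=false keeps the wildcard setting under the engine's policy namespace, so both keys should be mentioned in the upgrade notes for existing installs that still carry the old key.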

@@ -1,5 +1,5 @@
class=org.dogtagpki.acme.issuer.PKIIssuer
url=https://$FQDN:8443
profile=acmeServerCert
profile=acmeIPAServerCert
username=$USER
password=$PASSWORD
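Review bot: the profile is renamed in place from acmeServerCert to acmeIPAServerCert with nothing in this hunk handling deployments that already point at the old name; an existing issuer.conf on disk keeps profile=acmeServerCert unless an upgrade step rewrites it, so confirm the upgrade path covers this file along with the profile .cfg rename. The username=$USER/password=$PASSWORD pair stays in clear text here, so the rendered file's permissions remain the only protection for that credential.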

@@ -0,0 +1,8 @@
authType=BasicAuth
class=org.dogtagpki.acme.realm.DSRealm
groupsDN=ou=groups,o=ipaca
usersDN=ou=people,o=ipaca
url=ldaps://$FQDN:636
configFile=/etc/pki/pki-tomcat/ca/CS.cfg
username=$USER
password=$PASSWORD
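Review bot: the realm config binds to ldaps://$FQDN:636 with a clear-text username=$USER/password=$PASSWORD pair, so the rendered file must be readable only by the CA's service user; please also document which account $USER is substituted with here, since the DSRealm bind identity is distinct from the Enterprise ACME Administrators group the commit message describes. configFile=/etc/pki/pki-tomcat/ca/CS.cfg is hard-coded while the host is templated as $FQDN; if the instance name can differ from pki-tomcat it should be templated the same way.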

@@ -7,7 +7,7 @@ app_DATA = \
caIPAserviceCert.UPGRADE.cfg \
IECUserRoles.cfg \
KDCs_PKINIT_Certs.cfg \
acmeServerCert.cfg \
acmeIPAServerCert.cfg \
$(NULL)
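Review bot: acmeServerCert.cfg is dropped from app_DATA in favour of acmeIPAServerCert.cfg, but removing it from the install list does not remove the stale file or the profile already imported into the CA on upgraded systems; confirm that the upgrade code deletes or disables the old acmeServerCert profile so it is not left enrollable under its previous name.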
EXTRA_DIST = \

@@ -1,4 +1,4 @@
profileId=acmeServerCert
profileId=acmeIPAServerCert
classId=caEnrollImpl
desc=ACME profile for use in IPA deployments
visible=true
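Review bot: the profileId rename to acmeIPAServerCert must stay in step with profile=acmeIPAServerCert in the issuer config and with the renamed .cfg in app_DATA, so a quick grep for the old acmeServerCert string across the tree would catch any remaining reference; the desc line still only says "ACME profile for use in IPA deployments", which is fine, but note the profile remains visible=true, so it is listed for ordinary enrollment, and it would help to state in the commit whether that exposure is intended or the profile should be restricted to the ACME issuer account.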