#!/bin/bash
#
# LetsEncrypt Integration for FreeIPA with Backup and Recovery
#
# Linux-Server-Admin.com
#
{{ certbot_message | default (admin_message ) | comment }}
#
# This script installs an already-issued Let's Encrypt (certbot) certificate into
# FreeIPA, together with the Let's Encrypt root and intermediate CA certificates.
# It also creates backups and provides instructions for recovery.
#
# USAGE:
# sudo ./letsencrypt-freeipa.sh
#
# REQUIREMENTS:
# - FreeIPA server with ipa-backup, ipa-cacert-manage, ipa-certupdate, ipa-server-certinstall,
#   ipactl and curl available; the script must run as root.
# - Certbot certificates (fullchain.pem and privkey.pem) must already be present in
#   /etc/letsencrypt/live/$IPADOMAIN/.
#
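set -euo pipefail
### VARIABLES ###
# Values in {{ }} are filled in by the Jinja template; everything else is fixed.
IPADOMAIN="{{ certbot_ipa_domain | default(inventory_hostname) }}"
TEMP_DIR="{{ certbot_temp_dir | default('/tmp/letsencrypt/') }}"
# Paths below are built by plain concatenation (${TEMP_DIR}${file}), so the
# directory must end in exactly one slash no matter how certbot_temp_dir was
# configured; without this, a value lacking the trailing slash silently
# produces names like /tmp/letsencryptisrgrootx1.pem.
TEMP_DIR="${TEMP_DIR%/}/"
# Not referenced anywhere else in this script; kept so the template variable
# remains valid for callers that set it.
ADMIN_EMAIL="{{ certbot_admin_email | default('root@localhost') }}"
# Let's Encrypt root CAs. These are installed as trust anchors, hence readonly:
# nothing later in the script should be able to redirect where they come from.
readonly CERTS_URL="https://letsencrypt.org/certs/"
readonly CERTS_BASE=("isrgrootx1.pem" "isrg-root-x2.pem")
# Current Let's Encrypt intermediate CAs, published under a dated directory.
readonly CERTS_EXTRA_URL="https://letsencrypt.org/certs/2024/"
readonly CERTS_EXTRA=("e5.pem" "e6.pem" "r10.pem" "r11.pem")
# Where certbot keeps the live certificate for this host.
CERTDIR="/etc/letsencrypt/live/${IPADOMAIN}/"
# One timestamp for the whole run so every backup name printed by
# restore_instructions refers to the same set of copies.
TIMESTAMP="$(date +%Y%m%d%H%M%S)"
BACKUP_DIR="/var/lib/ipa-backups/${TIMESTAMP}"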
### FUNCTIONS ###
# If something fails after we start modifying certs, you may need to restore.
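#######################################
# ERR-trap handler: print manual recovery steps and exit non-zero.
# Globals:   TIMESTAMP (read) - suffix of the backup copies made by this run
# Outputs:   instructions on stderr (stdout stays clean for the normal log)
# Returns:   never; exits the script with status 1
#######################################
restore_instructions() {
  {
    echo "### ERROR DETECTED ###"
    echo "To restore from backups:"
    echo "- If only certs and private directories changed, restore from backups."
    # The trailing '/.' copies the directory *contents* back into place;
    # 'cp -r backup /var/lib/ipa/certs' would nest the backup inside the
    # existing directory instead. -a keeps ownership and mode of the key files.
    echo "  (the trailing /. copies the contents rather than nesting the backup directory):"
    echo "  cp -a /var/lib/ipa/certs.bak.${TIMESTAMP}/. /var/lib/ipa/certs/"
    echo "  cp -a /var/lib/ipa/private.bak.${TIMESTAMP}/. /var/lib/ipa/private/"
    echo "  ipa-certupdate"
    echo "  ipactl restart"
    echo ""
    echo "- If the FreeIPA state is more severely disrupted, use ipa-restore."
    # ipa-backup picks its own backup directory name and prints it when it
    # runs; this script's TIMESTAMP is not that name, so do not guess a path.
    echo "  Pass it the backup name that ipa-backup printed when it ran (see 'ipa-restore --help'):"
    echo "  ipa-restore <BACKUP-NAME-PRINTED-BY-ipa-backup>"
    echo "You will need to confirm the restore when prompted."
  } >&2
  exit 1
}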
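# ERR traps are not inherited by shell functions unless -E is set; without it
# a failure inside fetch_cert (below) would terminate the script through
# set -e and the restore instructions would never be printed.
set -E
trap restore_instructions ERR
### MAIN SCRIPT ###
### Preconditions - checked before anything is backed up or modified ###
# Writing under /var/lib/ipa and running ipactl requires root (see USAGE).
# A plain 'exit 1' here deliberately does not fire the ERR trap: nothing has
# been changed yet, so restore instructions would only mislead.
if [[ "${EUID}" -ne 0 ]]; then
  echo "ERROR: this script must be run as root (sudo ./letsencrypt-freeipa.sh)" >&2
  exit 1
fi
# Every tool used below must exist up front rather than failing halfway
# through, after the CA store has already been touched.
for tool in curl ipa-backup ipa-cacert-manage ipa-certupdate ipa-server-certinstall ipactl; do
  if ! command -v "${tool}" >/dev/null 2>&1; then
    echo "ERROR: required command not found: ${tool}" >&2
    exit 1
  fi
done
# Ensure that fullchain.pem and privkey.pem exist. Checked here, not after the
# CA certificates have been installed, so a missing certbot certificate cannot
# leave IPA with a changed CA store and no new server certificate.
if [[ ! -f "${CERTDIR}fullchain.pem" || ! -f "${CERTDIR}privkey.pem" ]]; then
  echo "ERROR: The Let's Encrypt certificates are not present in ${CERTDIR}" >&2
  exit 1
fi

#######################################
# Download one CA certificate over HTTPS and sanity-check it.
# Arguments: $1 - URL to fetch
#            $2 - destination file
# Returns:   0 on success; non-zero if curl fails or the file is not PEM
#######################################
fetch_cert() {
  local url="$1" dest="$2"
  # --proto/--proto-redir keep -L from following a redirect to plain http.
  # The files fetched here become trust anchors for the whole IPA domain,
  # so a protocol downgrade on the way would matter.
  curl -fSL --proto '=https' --proto-redir '=https' -o "${dest}" "${url}"
  # Cheap check that what arrived is a PEM certificate; an HTML error page or
  # an empty file would otherwise be handed straight to ipa-cacert-manage.
  if ! grep -q -- '-----BEGIN CERTIFICATE-----' "${dest}"; then
    echo "ERROR: ${url} did not return a PEM certificate" >&2
    return 1
  fi
}

echo "### Creating working directory"
# The downloaded files are installed as trusted CAs, so their directory must
# not be one that another user could have created first. A fixed path such as
# /tmp/letsencrypt/ under world-writable /tmp can be planted in advance
# (attacker-owned directory or symlink) before root runs this script, and the
# files would then be swapped between download and install. mktemp -d instead
# atomically creates a fresh mode-0700 directory with an unpredictable name
# next to the configured TEMP_DIR. No 'cd' is needed: every path is absolute.
WORK_DIR="$(mktemp -d "${TEMP_DIR%/}.XXXXXXXXXX")"
# Remove it on every exit path, including after the ERR trap's exit, so CA
# material is not left lying around in /tmp when a step fails.
trap 'rm -rf -- "${WORK_DIR:?}"' EXIT
echo "### Creating timestamped backups for IPA certs and private keys"
# Created for the operator; the copies below are placed beside the originals
# so that the paths printed by restore_instructions stay valid.
mkdir -p "${BACKUP_DIR}"
# cp -a (not -r) preserves ownership, mode and timestamps, so the private key
# directory can be copied back with the permissions the IPA services expect.
cp -a /var/lib/ipa/certs "/var/lib/ipa/certs.bak.${TIMESTAMP}"
cp -a /var/lib/ipa/private "/var/lib/ipa/private.bak.${TIMESTAMP}"
# Optional: Create a full FreeIPA backup for complete rollback if needed.
# Note: This can be commented out if you do not want a full backup.
# ipa-backup prints the name of the backup it creates; keep that name, it is
# what ipa-restore needs (it is not this script's TIMESTAMP).
echo "### Performing a full FreeIPA backup"
ipa-backup
echo "### Downloading Lets Encrypt root certificates"
for CERT_BASE in "${CERTS_BASE[@]}"; do
  fetch_cert "${CERTS_URL}${CERT_BASE}" "${WORK_DIR}/${CERT_BASE}"
done
echo "### Downloading additional Lets Encrypt certificates"
for CERT_EXTRA in "${CERTS_EXTRA[@]}"; do
  fetch_cert "${CERTS_EXTRA_URL}${CERT_EXTRA}" "${WORK_DIR}/${CERT_EXTRA}"
done
echo "### Installing Root Certificates into IPA CA Store"
# From here on the IPA trust store is being changed: ipa-cacert-manage adds
# each file as a CA and ipa-certupdate below distributes it to enrolled hosts.
# Only files that passed fetch_cert's checks reach this point.
for CERT_BASE in "${CERTS_BASE[@]}"; do
  ipa-cacert-manage install "${WORK_DIR}/${CERT_BASE}"
done
echo "### Installing Additional Certificates into IPA CA Store"
for CERT_EXTRA in "${CERTS_EXTRA[@]}"; do
  ipa-cacert-manage install "${WORK_DIR}/${CERT_EXTRA}"
done
echo "### Updating CA certificates in IPA"
ipa-certupdate
echo "### Installing Lets Encrypt server certificates"
# -w installs the HTTP server certificate, -d the directory server one.
# The empty --pin is the key's unlock password; certbot's privkey.pem is not
# passphrase-protected.
ipa-server-certinstall -w -d \
  "${CERTDIR}privkey.pem" \
  "${CERTDIR}fullchain.pem" \
  --pin=''
echo "### Restarting IPA services"
ipactl restart
echo "### Cleanup"
# The EXIT trap would do this anyway; doing it explicitly keeps the step
# visible in the log. ':?' refuses to run if WORK_DIR were somehow empty.
rm -rf -- "${WORK_DIR:?}"
echo "### Done!"
echo "The Lets Encrypt certificates have been installed successfully."
echo "If you need to restore at any point, follow the instructions in the error handler above."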