So, I did it. FreeIPA installs without any user intervention after you kick off the Linode server build from StackScripts. I use a Comodo (Sectigo) SSL certificate purchased via the Namecheap DNS registrar. The chain certificate defines the trust relationship between the various certificates all the way up to the root certificate, where the "Subject" and the "Issuer" fields are the same; the chain certificate I got from my registrar was missing that root certificate. You can see it built, supposedly properly, in the script. Using a different Certificate Authority (CA) may or may not need the partial chain fortified all the way up to the Root CA certificate. FreeIPA doesn't seem to allow any certificates with an incomplete chain certificate.
There is a caveat: the SSL certificates. I did not find a way I liked to import the certificates into the script in the same manner as the hostname, domain, and various passwords, so they are hardcoded in. Sub-optimal. An inline expect script was the best I could do to respond to the AdminUserPassword input that kinit requests.
I am quasi-satisfied as it is. Time to show it off and receive the proper criticisms. Thank you in advance to everyone who was grumpy and doesn't hold back. I won't be better if I don't get the proper WTF admonishings...
================== Linode Stack Script =======================
#!/usr/bin/env bash
date +%s > /tmp/start.txt

#<UDF name="hostname" label="The new Linode's Host Name" default="ipa">
# HOSTNAME=
#<UDF name="domain" label="The new Linode's Domain" default="example.com">
# DOMAIN=
#<UDF name="kerberospass" label="The password for the Kerberos database" default="KerberosPassword">
# KERBEROSPASS=
#<UDF name="ADMINUSERPASS" label="The password for the IPA Admin User" default="AdminUserPassword">
# ADMINUSERPASS=
#<UDF name="DIRMGRPASS" label="The password for the Directory Manager" default="DirectoryManagerPassword">
# DIRMGRPASS=
#<UDF name="P12CERTPASS" label="The password for the pkcs12 certificate" default="p12-cert-password">
# P12CERTPASS=

# Certificate material is hardcoded (see the caveat above). The heredoc delimiters are
# quoted so nothing inside the PEM blocks is subject to shell expansion; the target
# paths are still expanded. The CSR is kept for reference only; nothing below reads it.
cat << 'EOF' > "/etc/ssl/certs/${HOSTNAME}.${DOMAIN}.csr"
-----BEGIN CERTIFICATE REQUEST-----
MIICqTCCAZECAQAwZDELMAkGA1UEBhMCVVMxDTALBgNVBAgMBE9ISU8xETAPBgNV
BAcMCEVBU1RMQUtFMRAwDgYDVQQKDAdFWEFNUExFMQswCQYDVQQLDAJJVDEUMBIG
A1UEAwwLRVhBTVBMRS5DT00wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
AQC54Z91je+HQ1U8jcQDJOCIMeDxub6EtraWMdolj+3d5CxIqaXDTcTbiBO3wwKw
1rATnhN6gr/sj2/eyZjcp1J51Ss0Ibvpkw5png/3A+mLfP2BU+8l2qUtC9zqJjuU
s4sC0LfQcoTMbYNGwvpijh0xOM74irJAt3nr9+82emVThERaAMeQXWMpl9ZerA4E
i94xM/NNVS4gnTBln2HiZBAPkED+fSW8knhWSm3tUKDNS2uhi+hExy4q1SflMTWX
FdylXfUzFt4a/L+ivbS7QZUThlbO5B0gPVF0s1wwgr+MXGaCSSm70jMoF+w9B3Iv
JPPwlx3myWQWKYlX6FpBV/GFAgMBAAGgADANBgkqhkiG9w0BAQsFAAOCAQEAtL9z
NT0zLCB9JA7IQvuUHle4bYcG/aMSiXZVYsU7qvmhDP48czjx4EQGWT2KuzDKrc0l
J2IdhLqWR7WNC4ToCEpOjVVBrmUOoB01GbjmuCqJZhCTvFPPHW0LSxRh2elzGLFz
2BaEzq8lwGo8rZ+/pS8zVdlIg5GwWxQxu0sErrrT71bnRCsbMYLtRQa/R7inAwT1
AOy511wLqJPcQVs+cI5UTZu8J5QVd8Z/xjHI0Nf0EiCdsyzGJUrN8Rw8TDafp0XL
LgSMqydkfCrfNmiTtd1AZJlK59pZ6XHdIyM6j3bA+zoniSIxA3Vbi2C0Qry9ltcI
sd4WPW1LF4aN1ZOD6Q==
-----END CERTIFICATE REQUEST-----
EOF

# Root of the chain: AddTrust External CA Root (self-signed, Subject == Issuer)
cat << 'EOF' > /etc/ssl/certs/addtrust.root.chain.crt
-----BEGIN CERTIFICATE-----
MIIENjCCAx6gAwIBAgIBATANBgkqhkiG9w0BAQUFADBvMQswCQYDVQQGEwJTRTEU
MBIGA1UEChMLQWRkVHJ1c3QgQUIxJjAkBgNVBAsTHUFkZFRydXN0IEV4dGVybmFs
IFRUUCBOZXR3b3JrMSIwIAYDVQQDExlBZGRUcnVzdCBFeHRlcm5hbCBDQSBSb290
MB4XDTAwMDUzMDEwNDgzOFoXDTIwMDUzMDEwNDgzOFowbzELMAkGA1UEBhMCU0Ux
FDASBgNVBAoTC0FkZFRydXN0IEFCMSYwJAYDVQQLEx1BZGRUcnVzdCBFeHRlcm5h
bCBUVFAgTmV0d29yazEiMCAGA1UEAxMZQWRkVHJ1c3QgRXh0ZXJuYWwgQ0EgUm9v
dDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALf3GjPm8gAELTngTlvt
H7xsD821+iO2zt6bETOXpClMfZOfvUq8k+0DGuOPz+VtUFrWlymUWoCwSXrbLpX9
uMq/NzgtHj6RQa1wVsfwTz/oMp50ysiQVOnGXw94nZpAPA6sYapeFI+eh6FqUNzX
mk6vBbOmcZSccbNQYArHE504B4YCqOmoaSYYkKtMsE8jqzpPhNjfzp/haW+710LX
a0Tkx63ubUFfclpxCDezeWWkWaCUN/cALw3CknLa0Dhy2xSoRcRdKn23tNbE7qzN
E0S3ySvdQwAl+mG5aWpYIxG3pzOPVnVZ9c0p10a3CitlttNCbxWyuHv77+ldU9U0
WicCAwEAAaOB3DCB2TAdBgNVHQ4EFgQUrb2YejS0Jvf6xCZU7wO94CTLVBowCwYD
VR0PBAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wgZkGA1UdIwSBkTCBjoAUrb2YejS0
Jvf6xCZU7wO94CTLVBqhc6RxMG8xCzAJBgNVBAYTAlNFMRQwEgYDVQQKEwtBZGRU
cnVzdCBBQjEmMCQGA1UECxMdQWRkVHJ1c3QgRXh0ZXJuYWwgVFRQIE5ldHdvcmsx
IjAgBgNVBAMTGUFkZFRydXN0IEV4dGVybmFsIENBIFJvb3SCAQEwDQYJKoZIhvcN
AQEFBQADggEBALCb4IUlwtYj4g+WBpKdQZic2YR5gdkeWxQHIzZlj7DYd7usQWxH
YINRsPkyPef89iYTx4AWpb9a/IfPeHmJIZriTAcKhjW88t5RxNKWt9x+Tu5w/Rw5
6wwCURQtjr0W4MHfRnXnJK3s9EK0hZNwEGe6nQY1ShjTK3rMUUKhemPR5ruhxSvC
Nr4TDea9Y355e6cJDUCrat2PisP29owaQgVR1EX1n6diIWgVIEM8med8vSTYqZEX
c4g/VhsxOBi0cQ+azcgOno4uG+GMmIPLHzHxREzGBHNJdmAPx/i9F4BrLunMTA5a
mnkPIAou1Z5jJh5VkpTYghdae9C8x49OhgQ=
-----END CERTIFICATE-----
EOF

# Intermediate: USERTrust RSA Certification Authority, issued by AddTrust External CA Root
cat << 'EOF' > /etc/ssl/certs/usertrust.chain.crt
-----BEGIN CERTIFICATE-----
MIIFdzCCBF+gAwIBAgIQE+oocFv07O0MNmMJgGFDNjANBgkqhkiG9w0BAQwFADBv
MQswCQYDVQQGEwJTRTEUMBIGA1UEChMLQWRkVHJ1c3QgQUIxJjAkBgNVBAsTHUFk
ZFRydXN0IEV4dGVybmFsIFRUUCBOZXR3b3JrMSIwIAYDVQQDExlBZGRUcnVzdCBF
eHRlcm5hbCBDQSBSb290MB4XDTAwMDUzMDEwNDgzOFoXDTIwMDUzMDEwNDgzOFow
gYgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpOZXcgSmVyc2V5MRQwEgYDVQQHEwtK
ZXJzZXkgQ2l0eTEeMBwGA1UEChMVVGhlIFVTRVJUUlVTVCBOZXR3b3JrMS4wLAYD
VQQDEyVVU0VSVHJ1c3QgUlNBIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIICIjAN
BgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAgBJlFzYOw9sIs9CsVw127c0n00yt
UINh4qogTQktZAnczomfzD2p7PbPwdzx07HWezcoEStH2jnGvDoZtF+mvX2do2NC
tnbyqTsrkfjib9DsFiCQCT7i6HTJGLSR1GJk23+jBvGIGGqQIjy8/hPwhxR79uQf
jtTkUcYRZ0YIUcuGFFQ/vDP+fmyc/xadGL1RjjWmp2bIcmfbIWax1Jt4A8BQOujM
8Ny8nkz+rwWWNR9XWrf/zvk9tyy29lTdyOcSOk2uTIq3XJq0tyA9yn8iNK5+O2hm
AUTnAU5GU5szYPeUvlM3kHND8zLDU+/bqv50TmnHa4xgk97Exwzf4TKuzJM7UXiV
Z4vuPVb+DNBpDxsP8yUmazNt925H+nND5X4OpWaxKXwyhGNVicQNwZNUMBkTrNN9
N6frXTpsNVzbQdcS2qlJC9/YgIoJk2KOtWbPJYjNhLixP6Q5D9kCnusSTJV882sF
qV4Wg8y4Z+LoE53MW4LTTLPtW//e5XOsIzstAL81VXQJSdhJWBp/kjbmUZIO8yZ9
HE0XvMnsQybQv0FfQKlERPSZ51eHnlAfV1SoPv10Yy+xUGUJ5lhCLkMaTLTwJUdZ
+gQek9QmRkpQgbLevni3/GcV4clXhB4PY9bpYrrWX1Uu6lzGKAgEJTm4Diup8kyX
HAc/DVL17e8vgg8CAwEAAaOB9DCB8TAfBgNVHSMEGDAWgBStvZh6NLQm9/rEJlTv
A73gJMtUGjAdBgNVHQ4EFgQUU3m/WqorSs9UgOHYm8Cd8rIDZsswDgYDVR0PAQH/
BAQDAgGGMA8GA1UdEwEB/wQFMAMBAf8wEQYDVR0gBAowCDAGBgRVHSAAMEQGA1Ud
HwQ9MDswOaA3oDWGM2h0dHA6Ly9jcmwudXNlcnRydXN0LmNvbS9BZGRUcnVzdEV4
dGVybmFsQ0FSb290LmNybDA1BggrBgEFBQcBAQQpMCcwJQYIKwYBBQUHMAGGGWh0
dHA6Ly9vY3NwLnVzZXJ0cnVzdC5jb20wDQYJKoZIhvcNAQEMBQADggEBAJNl9jeD
lQ9ew4IcH9Z35zyKwKoJ8OkLJvHgwmp1ocd5yblSYMgpEg7wrQPWCcR23+WmgZWn
RtqCV6mVksW2jwMibDN3wXsyF24HzloUQToFJBv2FAY7qCUkDrvMKnXduXBBP3zQ
YzYhBx9G/2CkkeFnvN4ffhkUyWNnkepnB2u0j4vAbkN9w6GAbLIevFOFfdyQoaS8
Le9Gclc1Bb+7RrtubTeZtv8jkpHGbkD4jylW6l/VXxRTrPBPYer3IsynVgviuDQf
Jtl7GQVoP7o81DgGotPmjw7jtHFtQELFhLRAlSv0ZaBIefYdgWOWnU914Ph85I6p
0fKtirOMxyHNwu8=
-----END CERTIFICATE-----
EOF

# Issuing CA: Sectigo RSA Domain Validation Secure Server CA, issued by USERTrust
cat << 'EOF' > /etc/ssl/certs/sectigo.chain.crt
-----BEGIN CERTIFICATE-----
MIIGEzCCA/ugAwIBAgIQfVtRJrR2uhHbdBYLvFMNpzANBgkqhkiG9w0BAQwFADCB
iDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCk5ldyBKZXJzZXkxFDASBgNVBAcTC0pl
cnNleSBDaXR5MR4wHAYDVQQKExVUaGUgVVNFUlRSVVNUIE5ldHdvcmsxLjAsBgNV
BAMTJVVTRVJUcnVzdCBSU0EgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMTgx
MTAyMDAwMDAwWhcNMzAxMjMxMjM1OTU5WjCBjzELMAkGA1UEBhMCR0IxGzAZBgNV
BAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UEBxMHU2FsZm9yZDEYMBYGA1UE
ChMPU2VjdGlnbyBMaW1pdGVkMTcwNQYDVQQDEy5TZWN0aWdvIFJTQSBEb21haW4g
VmFsaWRhdGlvbiBTZWN1cmUgU2VydmVyIENBMIIBIjANBgkqhkiG9w0BAQEFAAOC
AQ8AMIIBCgKCAQEA1nMz1tc8INAA0hdFuNY+B6I/x0HuMjDJsGz99J/LEpgPLT+N
TQEMgg8Xf2Iu6bhIefsWg06t1zIlk7cHv7lQP6lMw0Aq6Tn/2YHKHxYyQdqAJrkj
eocgHuP/IJo8lURvh3UGkEC0MpMWCRAIIz7S3YcPb11RFGoKacVPAXJpz9OTTG0E
oKMbgn6xmrntxZ7FN3ifmgg0+1YuWMQJDgZkW7w33PGfKGioVrCSo1yfu4iYCBsk
Haswha6vsC6eep3BwEIc4gLw6uBK0u+QDrTBQBbwb4VCSmT3pDCg/r8uoydajotY
uK3DGReEY+1vVv2Dy2A0xHS+5p3b4eTlygxfFQIDAQABo4IBbjCCAWowHwYDVR0j
BBgwFoAUU3m/WqorSs9UgOHYm8Cd8rIDZsswHQYDVR0OBBYEFI2MXsRUrYrhd+mb
+ZsF4bgBjWHhMA4GA1UdDwEB/wQEAwIBhjASBgNVHRMBAf8ECDAGAQH/AgEAMB0G
A1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAbBgNVHSAEFDASMAYGBFUdIAAw
CAYGZ4EMAQIBMFAGA1UdHwRJMEcwRaBDoEGGP2h0dHA6Ly9jcmwudXNlcnRydXN0
LmNvbS9VU0VSVHJ1c3RSU0FDZXJ0aWZpY2F0aW9uQXV0aG9yaXR5LmNybDB2Bggr
BgEFBQcBAQRqMGgwPwYIKwYBBQUHMAKGM2h0dHA6Ly9jcnQudXNlcnRydXN0LmNv
bS9VU0VSVHJ1c3RSU0FBZGRUcnVzdENBLmNydDAlBggrBgEFBQcwAYYZaHR0cDov
L29jc3AudXNlcnRydXN0LmNvbTANBgkqhkiG9w0BAQwFAAOCAgEAMr9hvQ5Iw0/H
ukdN+Jx4GQHcEx2Ab/zDcLRSmjEzmldS+zGea6TvVKqJjUAXaPgREHzSyrHxVYbH
7rM2kYb2OVG/Rr8PoLq0935JxCo2F57kaDl6r5ROVm+yezu/Coa9zcV3HAO4OLGi
H19+24rcRki2aArPsrW04jTkZ6k4Zgle0rj8nSg6F0AnwnJOKf0hPHzPE/uWLMUx
RP0T7dWbqWlod3zu4f+k+TY4CFM5ooQ0nBnzvg6s1SQ36yOoeNDT5++SR2RiOSLv
xvcRviKFxmZEJCaOEDKNyJOuB56DPi/Z+fVGjmO+wea03KbNIaiGCpXZLoUmGv38
sbZXQm2V0TP2ORQGgkE49Y9Y3IBbpNV9lXj9p5v//cWoaasm56ekBYdbqbe4oyAL
l6lFhd2zi+WJN44pDfwGF/Y4QA5C5BIG+3vzxhFoYt/jmPQT2BVPi7Fp2RBgvGQq
6jG35LWjOhSbJuMLe/0CjraZwTiXWTb2qHSihrZe68Zk6s+go/lunrotEbaGmAhY
LcmsJWTyXnW0OMGuf1pGg+pRyrbxmRE1a6Vqe8YAsOf4vmSyrcjC8azjUeqkk+B5
yOGBQMkKW+ESPMFgKuOXwIlCypTPRpgSabuY0MLTDXJLR27lk8QyKGOHQ+SwMj4K
00u/I5sUKUErmgQfky3xxzlIPK1aEn8=
-----END CERTIFICATE-----
EOF

# The full chain, ordered issuing CA -> intermediate -> self-signed root, is just the
# three files above concatenated: the one place where 'cat' is used for what it is for.
cat /etc/ssl/certs/sectigo.chain.crt /etc/ssl/certs/usertrust.chain.crt \
    /etc/ssl/certs/addtrust.root.chain.crt > /etc/ssl/certs/full.chain.crt

# Server certificate. In this posted copy it is a self-signed EXAMPLE.COM placeholder;
# paste in the real one and make sure it matches the private key below (in this copy the
# key's modulus matches the CSR above, not this certificate, and openssl pkcs12 -export
# refuses a key/certificate mismatch).
cat << 'EOF' > "/etc/ssl/certs/${HOSTNAME}.${DOMAIN}.crt"
-----BEGIN CERTIFICATE-----
MIIDnjCCAoagAwIBAgIJAKB7jY2KwQ3eMA0GCSqGSIb3DQEBCwUAMGQxCzAJBgNV
BAYTAlVTMQ0wCwYDVQQIDARPSElPMREwDwYDVQQHDAhFQVNUTEFLRTEQMA4GA1UE
CgwHRVhBTVBMRTELMAkGA1UECwwCSVQxFDASBgNVBAMMC0VYQU1QTEUuQ09NMB4X
DTIwMDExMTA4MzMyNVoXDTIwMDIxMDA4MzMyNVowZDELMAkGA1UEBhMCVVMxDTAL
BgNVBAgMBE9ISU8xETAPBgNVBAcMCEVBU1RMQUtFMRAwDgYDVQQKDAdFWEFNUExF
MQswCQYDVQQLDAJJVDEUMBIGA1UEAwwLRVhBTVBMRS5DT00wggEiMA0GCSqGSIb3
DQEBAQUAA4IBDwAwggEKAoIBAQC68zZBgZ/NLH74iuQI1zKgahaFFpSWkQlVUbU1
LEqq+3TuV+IGr98ztk2YY8eoBirXneD/umClfn2EMZttQqXJMv2MEGVhUUKwY6mK
wp92B/COIeY+LxUioA12IPDHahAf1EbgCL3FDQ7As6e/kUI/NKSeQbmWY/mnwFbB
mWoztbe2aegwRXHSWHiEk0SbizTYvyrNe6czhMznxKTpr66u+5CX2neR0Wu+vWLA
tgikn2Wl5qfu3TIZEvUw49Lwe1VFcrfnJIp6fBBtfRHLW+A9KSm5G5yW2f/2asKn
Tl880r5WHZ5u6sAFaUQK/kO5IQht5TqtZJRdk72LOFgeL6djAgMBAAGjUzBRMB0G
A1UdDgQWBBQ5uhlDtZ3WlJX8I2fq0Ss/3SxsoTAfBgNVHSMEGDAWgBQ5uhlDtZ3W
lJX8I2fq0Ss/3SxsoTAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IB
AQCkzQ5IIIE4jYx1bKRGCsPESNSxEpuv9wIeG8BU2F/XMqp5Pm1odkKr6AKRb0RU
44qhM6tlsorCBCGnEN3ij07Ctuu+hbvVzfyKrhtFK/NC6wQx24aWiBuhhkZZgBTV
yPtslEZwNfMKuXlNhajea7f4HrB6pfxEVUAlhF2XCLlaQ7DNx6pL39zItWVBAvHA
50Xns1sIR9V7RRm49ilsU3+P7hcXP2WmmpXYZn0ObtTC6IIOEeDLMNf4G8tGganx
qSaOfpZjuM+E3LMlMf5vKJQI0LtrJqY12uD6JaoP8JW1MVske2YpPe7h2hL5Sz8B
B2wrROUQ8M1HMMFt5RdcHD1U
-----END CERTIFICATE-----
EOF

# Private key. Written with the default umask it would be world-readable, hence the chmod.
cat << 'EOF' > "/etc/ssl/certs/${HOSTNAME}.${DOMAIN}.pkey"
-----BEGIN PRIVATE KEY-----
MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC54Z91je+HQ1U8
jcQDJOCIMeDxub6EtraWMdolj+3d5CxIqaXDTcTbiBO3wwKw1rATnhN6gr/sj2/e
yZjcp1J51Ss0Ibvpkw5png/3A+mLfP2BU+8l2qUtC9zqJjuUs4sC0LfQcoTMbYNG
wvpijh0xOM74irJAt3nr9+82emVThERaAMeQXWMpl9ZerA4Ei94xM/NNVS4gnTBl
n2HiZBAPkED+fSW8knhWSm3tUKDNS2uhi+hExy4q1SflMTWXFdylXfUzFt4a/L+i
vbS7QZUThlbO5B0gPVF0s1wwgr+MXGaCSSm70jMoF+w9B3IvJPPwlx3myWQWKYlX
6FpBV/GFAgMBAAECggEBAJPaPH1D/e/ohgcZeH1LuvF6Q0PjDAECWK+VTcCtAHaM
BRFzJ6/2zwwT7CMyEZTZ38pq5XGASOsAmOpsDpQM35SbE7du0cqTt1YZbPd9fCoA
rKBPRB0nElWHZxw0dxXrzjnaDSvXu3vj7BTACGuWQPAjELYvlGPXzTn9x5/csXZA
lEaBLtX5hNJD7J3YU/kVxcJUFEcZvegakcBjba5JR5khUFHeaKjgMqswnWAVGKos
Zwtbr8E2ULirfkHAO6I0HvVZ1WvdY44iUSK1nozm/32orHmjbeEJvPJl4EWKxHDo
Yi+yAvkBtwzpgX9v9mDIX9R0ASvHGIRMKCjSNMmMY4ECgYEA99Cit10jvQUKuO3N
iUA+wGre/xB4ZWcoCXnT9kKneBtJDURyVWdHYsbGTLaEz+p+IMh+kuhjSCCB+eZ6
dgDGdYgumRa2O/JbQuJdqylA+ZdFMnIvaJ7IfJOJSoqTLnWpaqLAd0uH2Pf+fjlE
DwPQSNePnfNq1xCE9x5v2KpvveECgYEAwAVQ705gM1UA3EZDN6dm4S8CI3/Sh7R4
gcNT9SjteOaOuh4LSt+R7lceN1HIu7Bven6Zgms5xzb4A6HlQzJsfT18Jw9YSuyG
6cNrzXfeanEj6qmZ45qRUdnvtaF2N/jmlQnmN4EOyawDYLif0ZUHdM3EB+epE8Ag
NybuKI5hgCUCgYEAqX4xTGiPwQBpzQIYyf7+7GwsCRgiwHhFkfWZW51LHYLL/B8M
dA0nbg+2IVHUlMA1dAatS51WCkbxnxJcP8lX85spA9vc2DNy59QbbK3SmuMzmMUw
V8YCKfJevHT7JZOkRCL8sJsgVu2HSp2wRvS8yJVmzQln0aCi0MIojXBE7QECgYBx
gbL6AsZzEYhUrWQGffoemn8VJPX6KgAiFKiIfw0BLqin9CKQu9+zl+PQp5OU/xKm
wjdUFLYuwJuS6hxvwFrJHZNKM5Ppli+Z916+MmFTYlXs3RyOokvMqps8LpmHNKZ4
60UfAjcPl5LXlctDRGkH7qo2UgZsGmHwuB6H8sJH0QKBgQCrdGnuCxiOi1zPu6Ii
ESEbarDy+R/q/aUZgVXIDyZRZ4ce5BIhUslftkhr/T9FDR7KxHcV1wYO6BngLOA3
51HgSNtuILtd7VWBphBVdsJEiH3Q66K2MeIOkWVitQrDuf/g29nIqd/c5Z911f2H
PRST/vdUhCgnw4dbO4uy9+sLEw==
-----END PRIVATE KEY-----
EOF
chmod 600 "/etc/ssl/certs/${HOSTNAME}.${DOMAIN}.pkey"

hostnamectl set-hostname "${HOSTNAME}.${DOMAIN}"
IPADDR=$(hostname --ip-address)
# Append rather than overwrite, so the localhost entries in /etc/hosts survive.
echo "${IPADDR} ${HOSTNAME}.${DOMAIN} ${HOSTNAME}" >> /etc/hosts

# Exported once so every apt/dpkg call below runs non-interactively (a bare assignment
# would not reach child processes).
export DEBIAN_FRONTEND=noninteractive
cat << 'EOF' > /etc/apt/sources.list
deb http://deb.debian.org/debian/ unstable main contrib non-free

#deb http://ftp.us.debian.org/debian bullseye main contrib non-free
##deb http://security.debian.org/ bullseye/updates main contrib non-free
#deb http://ftp.us.debian.org/debian bullseye-updates main contrib non-free
EOF
apt update
echo 'libc6 libraries/restart-without-asking boolean true' | debconf-set-selections
echo 'samba-common samba-common/dhcp boolean false' | debconf-set-selections
apt -y dist-upgrade
apt install -y rng-tools ssh ufw vim
# Note: pointing rngd at /dev/urandom feeds the kernel pool back into itself and adds
# no real entropy; it only stops rngd from complaining about a missing hardware RNG.
echo 'HRNGDEVICE=/dev/urandom' >> /etc/default/rng-tools
# Roughly three minutes to this point...

systemctl enable ssh
systemctl start ssh
systemctl enable ufw
systemctl start ufw
# The rules below are stored but the firewall is not active until 'ufw enable' is run;
# if you add that step, allow port 22 first or the build locks you out.
for i in 80 88 389 443 464 636; do ufw allow proto tcp from any to any port "$i"; done
for i in 88 123 464; do ufw allow proto udp from any to any port "$i"; done
ufw reload
apt install -y debconf-utils tree

# Unquoted delimiter: ${DOMAIN^^} (bash upper-casing) and friends are expanded here.
cat << EOF > /etc/krb5.conf
[libdefaults]
default_realm = ${DOMAIN^^}
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
fcc-mit-ticketflags = true
[realms]
${DOMAIN^^} = {
    kdc = ${HOSTNAME}.${DOMAIN}
    admin_server = ${HOSTNAME}.${DOMAIN}
    default_domain = ${DOMAIN}
}
[domain_realm]
.${DOMAIN} = ${DOMAIN^^}
${DOMAIN} = ${DOMAIN^^}
EOF

# Snapshot /etc and the debconf database at each stage so they can be diffed afterwards.
snapshot() {
    (cd /etc && tree) > "/tmp/etc-tree-$1.txt"
    debconf-get-selections > "/tmp/debconf-selections-$1.txt"
}

# Preseed the krb5 packages; run before installing them and again before freeipa-server.
preseed_krb5() {
    debconf-set-selections << EOF
krb5-admin-server krb5-admin-server/newrealm note
krb5-config krb5-config/add_servers boolean false
krb5-config krb5-config/add_servers_realm string ${DOMAIN^^}
krb5-config krb5-config/admin_server string ${HOSTNAME}
krb5-config krb5-config/default_realm string ${DOMAIN^^}
krb5-config krb5-config/kerberos_servers string ${HOSTNAME}
krb5-config krb5-config/read_conf boolean true
krb5-kdc krb5-kdc/debconf boolean true
krb5-kdc krb5-kdc/purge_data_too boolean true
EOF
}

snapshot before
preseed_krb5
snapshot middle
apt install -y krb5-kdc krb5-admin-server krb5-config softhsm expect
snapshot between
kdb5_util create -s -r "${DOMAIN^^}" -P "${KERBEROSPASS}"
preseed_krb5
apt install -y freeipa-server
ipa-server-install --realm="${DOMAIN^^}" --domain="${DOMAIN}" \
    --ds-password="${DIRMGRPASS}" --admin-password="${ADMINUSERPASS}" \
    --hostname="${HOSTNAME}.${DOMAIN}" --unattended > /tmp/ipa-install-output.txt
snapshot after
date +%s > /tmp/ipa-installed.txt

# Obtain an admin ticket. The heredoc delimiter is deliberately unquoted so the shell
# substitutes the password before expect sees the script; '\r' is not a shell escape, so
# it reaches expect intact. A password containing '"', '[' or '$' would still need
# escaping for Tcl.
expect <(cat << EOD
spawn kinit admin
expect "*:"
send -- "${ADMINUSERPASS}\r"
sleep 1
send -- "\r\n"
EOD
)

# Add each link of the chain, root first, to the IPA CA store.
for chain in addtrust.root.chain usertrust.chain sectigo.chain; do
    ipa-cacert-manage install "/etc/ssl/certs/${chain}.crt"
    ipa-certupdate
done

openssl pkcs12 -export -chain -CAfile /etc/ssl/certs/full.chain.crt \
    -in "/etc/ssl/certs/${HOSTNAME}.${DOMAIN}.crt" \
    -inkey "/etc/ssl/certs/${HOSTNAME}.${DOMAIN}.pkey" \
    -name "${HOSTNAME}.${DOMAIN}" \
    -out "/etc/ssl/certs/${HOSTNAME}.${DOMAIN}.p12" \
    -password "pass:${P12CERTPASS}"
# Be sure to back up the CA certificates stored in /root/cacert.p12
ipactl restart
ipa-server-certinstall -w -d "/etc/ssl/certs/${HOSTNAME}.${DOMAIN}.p12" \
    --pin="${P12CERTPASS}" --dirman-password "${DIRMGRPASS}"
ipactl restart
date +%s > /tmp/certs-installed.txt
apt remove -y expect debconf-utils tree
apt autoremove -y
# https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/T5AHK6FTTUWVBIDU5HSOYKRIKMWUZ3OH/
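The incomplete-chain problem described at the top (a registrar-supplied bundle that stops short of the self-signed root, which FreeIPA rejects) can be caught before ipa-cacert-manage ever runs. The following is an added example, not part of the original post or of FreeIPA: a dependency-free Python check that splits a PEM bundle, walks the DER just far enough to pull each certificate's Issuer and Subject, and verifies that each certificate is issued by the next one and that the last is self-signed. It assumes Names can be compared byte-for-byte (exact for issuer/subject pairs minted by the same CA software, looser than full RFC 5280 matching) and uses constructed, structurally minimal fixtures rather than real certificates.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def pem_to_ders(text):
    """Split a PEM bundle into the DER bytes of each certificate, in file order."""
    return [base64.b64decode("".join(m.split())) for m in PEM_RE.findall(text)]

def _tlv(buf, pos):
    """Decode one DER tag-length header at pos -> (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes that follow
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, pos, pos + length

def issuer_and_subject(der):
    """Return the DER-encoded Issuer and Subject Names of one certificate.
    tbsCertificate begins: [0] version (optional), serial, sigalg, issuer, validity, subject."""
    _, tbs_pos, _ = _tlv(der, 0)        # Certificate ::= SEQUENCE { tbsCertificate, ... }
    _, pos, _ = _tlv(der, tbs_pos)      # step into tbsCertificate
    tag, _, nxt = _tlv(der, pos)
    if tag == 0xA0:                      # explicit [0] version, present on v3 certificates
        pos = nxt
    fields = []
    while len(fields) < 5:
        _, _, end = _tlv(der, pos)
        fields.append(der[pos:end])
        pos = end
    return fields[2], fields[4]

def check_chain(pem_text):
    """Return (ok, message). Names are compared byte-for-byte (assumption: exact for
    issuer/subject pairs written by the same CA, not full RFC 5280 name matching)."""
    names = [issuer_and_subject(d) for d in pem_to_ders(pem_text)]
    if not names:
        return False, "no certificates found"
    for i in range(len(names) - 1):
        if names[i][0] != names[i + 1][1]:
            return False, f"certificate {i + 1} is not issued by certificate {i + 2}"
    issuer, subject = names[-1]
    if issuer != subject:
        return False, "incomplete chain: last certificate is not a self-signed root"
    return True, f"complete chain of {len(names)} certificate(s) ending in a self-signed root"

# Constructed fixtures: structurally minimal DER with real Name encodings but no key or
# signature, so they are NOT real certificates; just enough for the parser above.
def _der(tag, content):  # DER TLV with short- or long-form length
    n = len(content)
    lb = b"" if n < 128 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, n if n < 128 else 0x80 | len(lb)]) + lb + content

def _name(cn):  # Name ::= SEQUENCE OF SET OF { OID commonName, UTF8String cn }
    return _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))))

def _fake_cert(subject, issuer):
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"")
           + _name(issuer) + _der(0x30, b"") + _name(subject))
    der = _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n" + base64.b64encode(der).decode() + "\n-----END CERTIFICATE-----\n"

# Same shape as the bundle the script builds (issuing CA -> intermediate -> root), with and without the root.
COMPLETE_BUNDLE = _fake_cert("Issuing CA", "Intermediate") + _fake_cert("Intermediate", "Root") + _fake_cert("Root", "Root")
INCOMPLETE_BUNDLE = _fake_cert("Issuing CA", "Intermediate") + _fake_cert("Intermediate", "Root")
```

Run `check_chain(open("/etc/ssl/certs/full.chain.crt").read())` against the bundle the script assembles; a False result is exactly the case the registrar-supplied chain produced.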