Differences

This shows you the differences between two versions of the page.

--- решение_freeipa [2025/12/17 13:02]
val
+++ решение_freeipa [2025/12/29 08:57] (current)
val [Динамический DNS]
@@ Line 230: / Line 230: @@
 server# scp /opt/freeipa-data/keycloak.* kube1:/tmp/
+</code>
+==== Поддержка ACME ====
+  * [[https://www.freeipa.org/page/V4/ACME|FreeIPA Automated Certificate Management Environment]]
+<code>
+[root@freeipa-server /]#
+ipa-acme-manage enable
+ipa-acme-manage status
 </code>
 ===== Управление DNS =====
@@ Line 245: / Line 257: @@
   * [[Авторизация с использованием LDAP сервера]]
+===== Динамический DNS =====
+  * [[https://astrid.tech/2021/04/18/0/k8s-freeipa-dns/|How to set up Dynamic DNS on FreeIPA for your Kubernetes Cluster]]
+  * [[https://www.ipamworldwide.com/ipam/update-policy.html|BIND update-policy option]]
+<code>
+[root@freeipa-server ~]# tsig-keygen cert-manager | tee /data/etc/named/cert-manager.key
+server.corp13.un:~# cat /opt/freeipa-data/etc/named/ipa-ext.conf
+...
+include "/data/etc/named/cert-manager.key";
+[root@freeipa-server ~]# rndc reload
+Политика обновления BIND
+...; grant cert-manager subdomain corp13.un. TXT;
+[root@freeipa-server ~]# nsupdate -k /data/etc/named/cert-manager.key
+server 127.0.0.1
+zone corp13.un
+update add _acme-challenge.gitlab.corp13.un. 30 IN TXT "your_txt_record_data 1"
+send
+</code>
 ===== Отладка =====
+  * [[https://www.freeipa.org/page/Centralized_Logging|FreeIPA Centralized Logging]]
 <code>
 [root@freeipa-server /]# find /data/var/log/ -mmin -2 -type f -ls
@@ Line 320: / Line 358: @@
 -09-29T05:28:56Z ERROR No valid Negotiate header in server response
 -09-29T05:28:56Z ERROR The ipa-client-install command failed. See /var/log/ipaclient-install.log for more information
+</code>
+==== Черновик ====
+<code>
+ipa dnsrecord-add corp26.un gitlab --a-rec="192.168.26.65"
+sleep 5
+ipa host-add gitlab.corp26.un
+ipa service-add HTTP/gitlab.corp26.un
+rndc-confgen -a -A hmac-sha512 -k cert-manager -c /data/etc/named/cert-manager.key
+[root@freeipa-server ~]# chown root:named /data/etc/named/cert-manager.key
+[root@freeipa-server ~]# chmod 640 /data/etc/named/cert-manager.key
+/data/etc/named/ipa-ext.conf
+...
+include "/data/etc/named/cert-manager.key";
+grant cert-manager subdomain corp26.un ANY;
+nsupdate -k /data/etc/named/cert-manager.key
+server 127.0.0.1
+server 172.18.0.2
+zone corp26.un
+update add _acme-challenge.gitlab.corp26.un. 30 IN TXT "your_txt_record_data 1"
+send
+update add test.corp26.un. 30 IN A 80.80.80.80
+freeipa TSIG error with server: tsig indicates error update failed: NOTAUTH(BADKEY)
+# > server 195.19.32.2
+# > zone _acme-challenge.anysite.bmstu.ru
+# > update add _acme-challenge.anysite.bmstu.ru. 30 IN TXT "your_txt_record_data 1"
+# > send
+# > update del _acme-challenge.anysite.bmstu.ru. 30 IN TXT "your_txt_record_data 1"
+# > send
+# > quit
+====
+ipa dnsrecord-add corp26.un keycloak --a-rec="192.168.26.64"
+sleep 5
+ipa host-add keycloak.corp26.un
+ipa service-add HTTP/keycloak.corp26.un
+openssl genrsa -out /data/keycloak.key 2048
+openssl req -new -key /data/keycloak.key -subj '/CN=keycloak.corp26.un/O=CORP26.UN' -addext 'subjectAltName=DNS:keycloak.corp26.un' -out /data/keycloak.req
+ipa cert-request /data/keycloak.req --principal=HTTP/keycloak.corp26.un --certificate-out=/data/keycloak.crt
+===============
+ipa dnsrecord-add corp26.un apwebd --a-rec="192.168.26.64"
+sleep 5
+ipa host-add apwebd.corp26.un
+ipa service-add HTTP/apwebd.corp26.un
 </code>

Методические материалы Лохтурова Вячеслава

User Tools

Site Tools

Differences

Page Tools