29.9. Using Ansible to install an IdM server with integrated eDNS and an external root CA
You can use the ipaserver role available in the ansible-freeipa package to install an Identity Management (IdM) server with DNS-over-TLS (DoT) enabled.
You can select either the enforced or relaxed policy. By default, the installer uses the relaxed policy, which attempts DoT but allows fallback to standard, unencrypted DNS if a secure connection cannot be established. To apply the enforced policy, set the ipaserver_dns_policy variable to enforced in the vars section of the Ansible playbook.
You can use a certificate issued by the integrated IdM Certificate Authority (CA) or provide a custom certificate issued by an external CA. If you do not provide a certificate, the IdM CA automatically issues a DoT certificate during the installation.
Prerequisites
- You are using Ansible version 2.15 or later.
- You have installed the ansible-freeipa package.
- The example assumes that the secret.yml Ansible vault stores your ipaadmin_password and that you have access to a file that stores the password protecting the secret.yml file.
- You have reviewed the steps outlined in Preparing the system for IdM server installation.
- For enforced DoT, you have completed the steps in Configuring client and replica systems to use DoT exclusively.
Procedure
1. Optional: To use a custom PEM-formatted certificate and key for DoT issued by an external certificate authority:
   a. SSH to the host where you are going to install the IdM server:

      $ ssh root@server.idm.example.com

   b. Create the two files and assign ownership to the named daemon:

      # openssl req \
          -newkey rsa:2048 \
          -nodes \
          -keyout /etc/pki/tls/certs/privkey.pem \
          -x509 \
          -days 36500 \
          -out /etc/pki/tls/certs/certificate.pem \
          -subj "/C=<country_code>/ST=<state>/L=<location>/O=<organization>/OU=<organizational_unit>/CN=<idm_server_fqdn>/emailAddress=<email>" && \
      chown named:named /etc/pki/tls/certs/privkey.pem /etc/pki/tls/certs/certificate.pem

   c. Exit the SSH session on the IdM server:

      # exit

2. On the Ansible controller, create a playbook file named install-server-external-ca-step1.yml with the instructions to install an IdM server with an external CA (the play name is quoted because it contains a colon, which is otherwise invalid in a plain YAML scalar):

    ---
    - name: "Playbook to configure IPA server Step 1: generate CSR for IdM external CA setup"
      hosts: ipaserver
      become: true
      vars_files:
      - /home/user_name/MyPlaybooks/secret.yml
      vars:
        ipaserver_domain: idm.example.com
        ipaserver_realm: IDM.EXAMPLE.COM
        ipaserver_hostname: server.idm.example.com
        ipaadmin_password: "{{ vault_admin_password }}"
        ipadm_password: "{{ vault_dm_password }}"
        ipaserver_setup_dns: true
        ipaserver_dot_forwarders:
        - "<server_ip>#<dns_server_hostname>"
        ipaserver_external_ca: true
        ipaserver_dns_over_tls: true
        ipaserver_no_dnssec_validation: true
        ipaserver_auto_reverse: true
      roles:
      - role: freeipa.ansible_freeipa.ipaserver
      post_tasks:
      - name: Copy CSR /root/ipa.csr from node to "{{ groups.ipaserver[0] + '-ipa.csr' }}"
        fetch:
          src: /root/ipa.csr
          dest: "{{ groups.ipaserver[0] + '-ipa.csr' }}"
          flat: true

   If you are using a custom PEM-formatted certificate and key for DoT issued by an external certificate authority, add the following to the vars section:

        ipaserver_dns_over_tls_cert: /etc/pki/tls/certs/certificate.pem
        ipaserver_dns_over_tls_key: /etc/pki/tls/certs/privkey.pem

3. Run the Ansible playbook with the instructions for the first step of the installation:

    $ ansible-playbook --vault-password-file=password_file -v -i ~/MyPlaybooks/inventory ~/MyPlaybooks/install-server-external-ca-step1.yml

4. Locate the ipa.csr certificate signing request file on the controller and submit it to the external CA.

5. Place the IdM CA certificate signed by the external CA and the CA certificate chain in the controller file system so that the playbook in the next step can find them.

6. Create a new Ansible playbook, for example install-server-external-ca-step2.yml, for the second step of the IdM server installation with the following content:

    ---
    - name: "Playbook to configure IdM server Step 2: import certificates and finalize installation"
      hosts: ipaserver
      become: true
      vars_files:
      - /home/user_name/MyPlaybooks/secret.yml
      vars:
        ipaserver_domain: idm.example.com
        ipaserver_realm: IDM.EXAMPLE.COM
        ipaserver_hostname: server.idm.example.com
        ipaadmin_password: "{{ vault_admin_password }}"
        ipadm_password: "{{ vault_dm_password }}"
        ipaserver_setup_dns: true
        ipaserver_dot_forwarders:
        - "<server_ip>#<dns_server_hostname>"
        ipaserver_external_ca: true
        ipaserver_dns_over_tls: true
        ipaserver_no_dnssec_validation: true
        ipaserver_auto_reverse: true
        ipaserver_external_cert_files:
        - servercert20240601.pem
        - cacert.pem
      pre_tasks:
      - name: Copy "{{ groups.ipaserver[0] }}-{{ item }}" to "/root/{{ item }}" on node
        ansible.builtin.copy:
          src: "{{ groups.ipaserver[0] }}-{{ item }}"
          dest: "/root/{{ item }}"
          force: true
        with_items:
        - servercert20240601.pem
        - cacert.pem
      roles:
      - role: freeipa.ansible_freeipa.ipaserver
        state: present

7. Run the Ansible playbook with the instructions for the final step of the installation:

    $ ansible-playbook --vault-password-file=password_file -v -i ~/MyPlaybooks/inventory ~/MyPlaybooks/install-server-external-ca-step2.yml
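Several mistakes in the DoT-related variables only surface once the installer is already running: a forwarder left as the <server_ip>#<dns_server_hostname> placeholder, an address that is not a literal IP, a certificate path set without its key (or the reverse), or a policy value other than enforced or relaxed. The following pre-flight check is an added example written for this section; it is not part of ansible-freeipa, and the rules it applies (in particular that the cert and key must be set together and be absolute paths on the IdM server) are the editor's assumptions about sensible values, not constraints enforced by the ipaserver role. The two sample vars mappings are constructed here.

```python
"""Pre-flight lint of the DoT-related ipaserver variables.

Added example, not ansible-freeipa code. It validates a plain dict shaped
like the `vars:` section of the playbooks above, so a broken value is caught
before the installer runs rather than after a failed installation.
"""
import ipaddress
import re
from typing import Any, Dict, List, Tuple

# One or more dot-separated labels followed by a final label (a fully qualified name).
_HOSTNAME_RE = re.compile(
    r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z][a-z0-9-]{0,62}$", re.I
)
_POLICIES = ("enforced", "relaxed")  # policy names used on the page; relaxed is the default


def parse_forwarder(entry: str) -> Tuple[str, str]:
    """Split an ipaserver_dot_forwarders entry of the form <server_ip>#<dns_server_hostname>.

    The part before '#' must be a literal IPv4/IPv6 address and the part after it a
    fully qualified hostname: the name the resolver authenticates the forwarder's TLS
    certificate against. Raises ValueError with a message naming the offending entry.
    """
    if entry.count("#") != 1:
        raise ValueError(f"forwarder {entry!r}: expected exactly one '#' (<ip>#<hostname>)")
    ip_text, name = (part.strip() for part in entry.split("#"))
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        # Also catches the unreplaced '<server_ip>' placeholder from the sample playbook.
        raise ValueError(f"forwarder {entry!r}: {ip_text!r} is not an IP address") from None
    name = name.rstrip(".")
    if not _HOSTNAME_RE.match(name):
        raise ValueError(f"forwarder {entry!r}: {name!r} is not a fully qualified hostname")
    return str(ip), name.lower()


def lint_dot_vars(play_vars: Dict[str, Any]) -> List[str]:
    """Return the problems found in the DoT-related variables (empty list if clean)."""
    problems: List[str] = []

    if play_vars.get("ipaserver_dns_over_tls") is not True:
        problems.append("ipaserver_dns_over_tls is not true, so DoT will not be configured")

    policy = play_vars.get("ipaserver_dns_policy", "relaxed")
    if policy not in _POLICIES:
        problems.append(f"ipaserver_dns_policy={policy!r}: expected one of {_POLICIES}")

    for entry in play_vars.get("ipaserver_dot_forwarders") or []:
        try:
            parse_forwarder(str(entry))
        except ValueError as exc:
            problems.append(str(exc))

    cert = play_vars.get("ipaserver_dns_over_tls_cert")
    key = play_vars.get("ipaserver_dns_over_tls_key")
    if bool(cert) != bool(key):
        problems.append("ipaserver_dns_over_tls_cert and ipaserver_dns_over_tls_key must be set together")
    # Assumption: the role reads these files on the managed node, so the paths should be absolute.
    for var, path in (("ipaserver_dns_over_tls_cert", cert), ("ipaserver_dns_over_tls_key", key)):
        if path and not str(path).startswith("/"):
            problems.append(f"{var}={path!r}: expected an absolute path on the IdM server")

    return problems


# Constructed sample vars: GOOD_VARS mirrors the page's playbook with the placeholders
# filled in; BAD_VARS keeps the placeholder and makes several common mistakes.
GOOD_VARS: Dict[str, Any] = {
    "ipaserver_dns_over_tls": True,
    "ipaserver_dns_policy": "enforced",
    "ipaserver_dot_forwarders": ["192.0.2.53#dns.example.net", "2001:db8::53#dns6.example.net."],
    "ipaserver_dns_over_tls_cert": "/etc/pki/tls/certs/certificate.pem",
    "ipaserver_dns_over_tls_key": "/etc/pki/tls/certs/privkey.pem",
}
BAD_VARS: Dict[str, Any] = {
    "ipaserver_dns_over_tls": True,
    "ipaserver_dns_policy": "strict",  # not a policy the page names
    "ipaserver_dot_forwarders": ["<server_ip>#<dns_server_hostname>", "2001:db8::53"],
    "ipaserver_dns_over_tls_cert": "/etc/pki/tls/certs/certificate.pem",  # key left unset
}

if __name__ == "__main__":
    for label, sample in (("good", GOOD_VARS), ("bad", BAD_VARS)):
        found = lint_dot_vars(sample)
        print(f"{label}: {len(found)} problem(s)")
        for problem in found:
            print("  -", problem)
```

Run it against the vars section of your own playbook before ansible-playbook; the bad sample reports four problems (the policy name, the placeholder forwarder, the forwarder with no hostname, and the certificate without its key), while the good sample reports none.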
Troubleshooting
1. SSH to the IdM server:

    # ssh root@server.idm.example.com

2. Enable detailed logging for the unbound service:

    # unbound-control verbosity 3

3. Restart the unbound service to apply the updated configuration:

    # systemctl restart unbound

4. Monitor real-time logs of the unbound service:

    $ journalctl -u unbound -f