Skip to content
Helper integration to allow certmonger to communicate with the Let's Encrypt CA
Python Shell
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.


Certbot plugin and CertMonger Helper


CertLet is both a Certbot plugin to allow IPA (FreeIPA/Redhat Satellite) DNS authentication for authentication of and a Certmonger Helper to allow FreeIPA to use Let's Encrypt certificates.

This allows hosts in FreeIPA to automatically get publicly trusted certificates for all purposes and allows hosts to get valid certificates for multiple domain names.

Due to using DNS based authentication certificates can be issued for private servers as well as public ones without any service interruptions. This also allows certificates to include multiple principals or up to 99 host/DNS names.

Steps to install

sudo getcert add-ca -c LetsEncrypt -e $(which cerlet)

Steps to set up a development environment on a Fedora box:

umask 0002 sudo dnf update -y sudo dnf -y install wget git gcc openldap-devel krb5-devel libffi-devel sudo dnf -y install ca-certificates sudo dnf install python3-virtualenv sudo wget -O /etc/pki/ca-trust/source/anchors/isrgrootx2.pem sudo update-ca-trust force-enable && sudo update-ca-trust extract sudo ipa-client-install --ca-cert-file=/etc/pki/ca-trust/source/anchors/isrgrootx1.pem mkdir -p $HOME/Revisions && cd $HOME/Revisions git clone && cd $HOME/Revisions/cerlet virtualenv-3.6 -p python3.6 /home/vagrant/Virtualenv source /home/vagrant/Virtualenv/bin/activate python develop kinit && cerlet


What does it mean when I get an error like:

KerberosError: No valid Negotiate header in server response

This means you don't have a valid kerberos ticket to communicate with FreeIPA and perform the required API calls to modify DNS entries as required. Try using kinit to get a valid kerberos ticket with the permissions to modify DNS entries.

How does the following error mean:

ipalib.errors.KerberosError: Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (2529638949): Clock skew too great

This is usually because you're using a virtual machine and it's been suspended for a while, this causes the clock on the virtual machine to go out of sync and will need to be re-adjusted, if NTP is installed the easiest way to update the clock is: sudo ntpdate -u

You can’t perform that action at this time.