URL:
https://github.com/freeipa/freeipa/pull/5170
Author: rcritten
Title: #5170: Centralize enable/disable of the ACME service
Action: opened
PR body:
"""
Centralize enable/disable of the ACME service
The initial implementation of ACME in dogtag and IPA required
that ACME be manually enabled on each CA.
dogtag added a REST API that can be accessed directly or through
the `pki acme` CLI tool to enable or disable the service.
It also abstracted the database connection and introduced the
concept of a realm which defines the DIT for ACME users and
groups, the URL and the identity. This is configured in realm.conf.
A new group was created, Enterprise ACME Administrators, that
controls the users allowed to modify ACME configuration.
The IPA RA is added to this group for the ipa-acme-manage tool
to authenticate to the API to enable/disable ACME.
Two ACME configuration templates were removed so that the dogtag
defaults would be used, configsources.conf and engine.conf.
Related dogtag installation documentation:
https://github.com/dogtagpki/pki/blob/master/docs/installation/acme/Confi...
https://github.com/dogtagpki/pki/blob/master/docs/installation/acme/Confi...
https://github.com/dogtagpki/pki/blob/master/docs/installation/acme/Insta...
ACME REST API:
https://github.com/dogtagpki/pki/wiki/PKI-ACME-Enable-REST-API
https://pagure.io/freeipa/issue/8524
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5170/head:pr5170
git checkout pr5170