Djerk Geurts via FreeIPA-users wrote:
> Aware that ACME support is still relatively new. I'm looking at how the challenge works for an ACME client. DNS-01 seems superfluous as FreeIPA manages the DNS itself, and HTTP-01 is often not an option, for example when using ACME on vSphere.
Can you expand on why you think that, because IPA can manage DNS, the DNS-01 challenge is superfluous?
> If the DNS-01 verification is indeed fully local to a FreeIPA server with integrated DNS and CA, then can't any machine that can reach the FreeIPA server request an internal certificate anonymously? Surely I'm missing something here?
Not all IPA users can create DNS records. One needs to be able to create the TXT entry for the challenge to succeed.
rob
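To make Rob's point concrete, here is an added example (not from the thread, and not FreeIPA or Dogtag code) of what an ACME CA actually checks for DNS-01 per RFC 8555 section 8.4: the TXT record at `_acme-challenge.<name>` must hold `base64url(SHA-256(token "." thumbprint))`, where the thumbprint is the RFC 7638 JWK thumbprint of the ACME account key. The account key, token and zone contents are constructed sample data, and `add_txt_record` with its `allowed_principals` set is a simplified stand-in for IPA's DNS write permissions, not the real permission model. The takeaway is that validation only succeeds if some principal with rights to write into the zone first publishes the record; knowing the token alone is not enough.

```python
"""DNS-01 validation as an ACME CA performs it (RFC 8555 s8.4, RFC 7638).

Added example with constructed sample data; the permission check is a toy
stand-in for IPA DNS permissions, not the real implementation.
"""
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: hash the required members only, lexicographically ordered, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """token + "." + thumbprint(account key), binding the challenge to one ACME account."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """The value the CA expects to find in the TXT record."""
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest()
    return b64url(digest)


def dns01_name(identifier: str) -> str:
    """The owner name the CA queries for the challenge record."""
    return f"_acme-challenge.{identifier}."


def add_txt_record(zone: dict, allowed_principals: set, principal: str, name: str, value: str) -> None:
    """Toy authorization gate: only listed principals may write TXT records.

    In IPA the equivalent is the DNS permission / role granted to the client's
    principal; a host with no such grant cannot publish the record at all.
    """
    if principal not in allowed_principals:
        raise PermissionError(f"{principal} may not write DNS records")
    zone.setdefault(name, []).append(value)


def validate_dns01(zone: dict, identifier: str, token: str, account_jwk: dict) -> bool:
    """True iff some TXT record at _acme-challenge.<identifier> equals the expected value.

    Extra TXT records at the name are ignored, as a real CA does. The
    comparison is constant-time so a failed validation leaks nothing about
    which characters matched.
    """
    expected = dns01_txt_value(token, account_jwk)
    return any(hmac.compare_digest(r, expected) for r in zone.get(dns01_name(identifier), []))


# Constructed sample account key (x/y are placeholder strings, not a real curve point).
SAMPLE_JWK = {"kty": "EC", "crv": "P-256", "x": "constructed-x-coordinate", "y": "constructed-y-coordinate"}
SAMPLE_TOKEN = "constructedChallengeToken0123456789"
SAMPLE_IDENTIFIER = "host.ipa.example"


def demo() -> bool:
    """Publish the record as an authorized principal, then validate as the CA would."""
    zone: dict = {}
    add_txt_record(zone, {"dns-writer"}, "dns-writer",
                   dns01_name(SAMPLE_IDENTIFIER), dns01_txt_value(SAMPLE_TOKEN, SAMPLE_JWK))
    return validate_dns01(zone, SAMPLE_IDENTIFIER, SAMPLE_TOKEN, SAMPLE_JWK)


if __name__ == "__main__":
    print("validated:", demo())
```

Run as a script it prints `validated: True`; remove the principal from `allowed_principals` and `add_txt_record` raises before anything is published, so the CA's lookup finds no record and validation fails.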