I'm aware that ACME support is still relatively new. I'm looking at how the challenge works for an ACME client. DNS-01 seems superfluous, as FreeIPA manages the DNS itself, and HTTP-01 is often not an option, for example when using ACME on vSphere.
If the DNS-01 verification is indeed fully local to a FreeIPA server with integrated DNS and CA, then can't any machine that can reach the FreeIPA server request an internal certificate anonymously? Surely I'm missing something here?