On Thu, 13 Apr 2023, Loi Do via FreeIPA-users wrote:
Hello all,
I'm seeking advice for clarity rather than a fix for an issue, since I don't think it's an issue - do let me know otherwise. I recently tried to install an SSL certificate for my FreeIPA server to get rid of the "SSL error" shown in my web browser. I used the official FreeIPA Let's Encrypt management script (https://github.com/freeipa/freeipa-letsencrypt) to install the cert but did not succeed. I'm getting the following error:
Requesting a certificate for newvipa.homelab.internal
An unexpected error occurred: The server will not issue certificates for the identifier :: Error creating new order :: Cannot issue for "newvipa.homelab.internal": Domain name does not end with a valid public suffix (TLD)
It appears my domain suffix is not acceptable as it's not a public suffix. This is normal because the domain is intended for internal use. My question is, should I be using a .com suffix for my domain (homelab.com) and create a subdomain (sub.homelab.com) for internal use so I can use the SSL cert? I know it isn't necessary to use the SSL cert if the server is only meant for internal use - I know it's my server and I can trust it. I'm just more curious whether my current domain is following best practice for internal use and whether I should only be concerned with the issue if it's for public use.
You have two choices, really:
- plug into a public DNS system which is what public CAs are expecting you to do
- maintain your own CA hierarchy that allows you to issue certificates for your own SAN DNS names.
All public CAs assume and attempt to resolve SAN DNS records in the certificate requests through the DNS resolvers they have access to. Obviously, their DNS resolvers have no knowledge of your internal DNS domain. You simply cannot force them to do otherwise.
FreeIPA integrates with the Dogtag PKI CA exactly for the second choice. A downside is that you'd need to distribute CA certificate chains around so that applications which access resources protected by the certificates issued by IPA's integrated CA can trust those. This is what we do by default on IPA-enrolled hosts.
If you want to use Let's Encrypt or other public ACME services, you need to plug into the public DNS system. What your domain is called is less relevant, though.
My personal FreeIPA deployment uses a combination of a public DNS domain, for which I acquire public TLS certificates, and an integrated IPA CA for internal needs. I do not use subdomains for this purpose, though, but this is simply because I don't have too many hosts to deal with. Occasionally, I add subdomains and register them in my public DNS zone purely to allow services running at different locations (home, cloud) to share the same namespace and be resolvable without additional tricks. Access to those resources is still limited through VPN routes, though.
As always, thank you all for assistance.
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
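The two choices in the reply above, as an added example that is not part of the thread and not FreeIPA's or certbot's own code (Go, standard library only). It models the first choice with a deliberately tiny, constructed stand-in for the Public Suffix List (the check behind the "does not end with a valid public suffix" refusal), and the second choice by building a private CA, issuing a server certificate for the internal SAN newvipa.homelab.internal under it, and then running the client-side chain verification both with and without the CA certificate distributed, which is the difference between a trusted connection and the browser warning. The CA name, lifetimes and suffix list are illustrative assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// publicSuffixes is a constructed, deliberately tiny stand-in for the
// Public Suffix List consulted by public CAs; it is not the real list.
var publicSuffixes = []string{"com", "net", "org", "fi", "co.uk"}

// IsPublicSuffixName reports whether name carries at least one label in
// front of a known public suffix, the precondition a public ACME CA checks
// before it even attempts DNS-based validation of the name.
func IsPublicSuffixName(name string) bool {
	name = strings.ToLower(strings.TrimSuffix(name, "."))
	for _, s := range publicSuffixes {
		if strings.HasSuffix(name, "."+s) && len(name) > len(s)+1 {
			return true
		}
	}
	return false
}

// InternalChain holds what a private CA (such as IPA's integrated Dogtag CA)
// produces: the CA certificate clients must be given, and a server
// certificate issued for an internal-only DNS name.
type InternalChain struct {
	CACert     *x509.Certificate
	ServerCert *x509.Certificate
}

// NewInternalChain creates a self-signed CA and issues a server certificate
// for dnsName under it. The CA name and lifetimes are illustrative.
func NewInternalChain(dnsName string) (*InternalChain, error) {
	now := time.Now()
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Homelab Internal CA (example)"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, err
	}

	srvKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	srvTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: dnsName},
		DNSNames:     []string{dnsName}, // the SAN a public CA refuses to issue for
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(90 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	srvDER, err := x509.CreateCertificate(rand.Reader, srvTmpl, caCert, &srvKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	srvCert, err := x509.ParseCertificate(srvDER)
	if err != nil {
		return nil, err
	}
	return &InternalChain{CACert: caCert, ServerCert: srvCert}, nil
}

// VerifyServer performs the check a client does: chain the server
// certificate to one of the trusted roots and match dnsName against its
// SAN. An empty trusted set models a client that never received the CA
// certificate, which is the case that produces the browser warning.
func VerifyServer(srv *x509.Certificate, trusted []*x509.Certificate, dnsName string) error {
	roots := x509.NewCertPool() // non-nil pool, so system roots are not consulted
	for _, c := range trusted {
		roots.AddCert(c)
	}
	_, err := srv.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   dnsName,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

func main() {
	const host = "newvipa.homelab.internal"
	fmt.Printf("public CA could issue for %s: %v\n", host, IsPublicSuffixName(host))
	ch, err := NewInternalChain(host)
	if err != nil {
		panic(err)
	}
	fmt.Println("with CA distributed:   ", VerifyServer(ch.ServerCert, []*x509.Certificate{ch.CACert}, host))
	fmt.Println("without CA distributed:", VerifyServer(ch.ServerCert, nil, host))
}
```

The deliberately non-nil empty root pool in VerifyServer is what makes the second call fail: it reproduces a client whose trust store lacks the internal CA, rather than silently falling back to the system roots, which is why distributing the CA chain (as IPA does on enrolled hosts) is the part of choice two that cannot be skipped.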