On Wed, May 03, 2023 at 05:08:20PM -0400, Rob Crittenden via FreeIPA-users wrote:
Djerk Geurts via FreeIPA-users wrote:
Aware that ACME support is still relatively new. I'm looking at how the challenge works for an ACME client. DNS-01 seems superfluous as FreeIPA manages the DNS itself and HTTP-01 is often not an option, for example when using ACME on vSphere.
Can you expand on why you think that because IPA can manage DNS then that the DNS-01 challenge is superfluous?
If the DNS-01 verification is indeed fully local to a FreeIPA server with integrated DNS and CA then can't any machine that can reach the FreeIPA server request an internal certificate anonymously? Surely I'm missing something here?
Not all IPA users can create DNS records. One needs to be able to create the TXT entry for the challenge to succeed.
...which fits in the general security model for the dns-01 challenge: anyone with authorization to add arbitrary TXT records to a DNS zone can acquire certificates for [sub]domains in that zone.
Here's an example of using the dns-01 challenge with FreeIPA: https://frasertweedale.github.io/blog-redhat/posts/2020-05-13-ipa-acme-dns.h...
Cheers, Fraser
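To make the security model described in the replies concrete, here is an added example (my own code, not FreeIPA's, Dogtag's, or any ACME client's) that walks through the dns-01 validation arithmetic from the CA's side, following RFC 8555 section 8.4 and RFC 7638 for the account-key thumbprint. The `zone` dictionary is a constructed stand-in for what the IPA-managed DNS server would answer; the account JWK, the challenge token and the hostname are constructed sample values, and the function names (`validate_dns01`, `dns01_txt_value`, `demo`) are mine. The example shows why the gate is exactly "who may write TXT records in the zone": an issuance attempt is rejected until the correct record exists, and a record for a different token does not help.

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME (RFC 8555) requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required JWK members only,
    serialized with keys in lexicographic order and no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = required[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 s8.1: token || '.' || base64url(thumbprint(accountKey))."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """RFC 8555 s8.4: the TXT value the CA expects at _acme-challenge.<name>."""
    key_auth = key_authorization(token, account_jwk).encode("ascii")
    return b64url(hashlib.sha256(key_auth).digest())


def validate_dns01(identifier: str, token: str, account_jwk: dict, zone: dict) -> bool:
    """What the CA does: query TXT at _acme-challenge.<identifier> and accept
    only if one of the returned records equals the expected value.
    `zone` is a constructed stand-in for the DNS server's answer."""
    name = f"_acme-challenge.{identifier}."
    return dns01_txt_value(token, account_jwk) in zone.get(name, [])


# Constructed sample account key (not a real key; the thumbprint algorithm only
# depends on the JSON members) and a constructed challenge token.
SAMPLE_ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "c29tZS1jb25zdHJ1Y3RlZC14LWNvb3JkaW5hdGUtdmFsdWU",
    "y": "c29tZS1jb25zdHJ1Y3RlZC15LWNvb3JkaW5hdGUtdmFsdWU",
    "use": "sig",  # optional member: must NOT influence the thumbprint
}
SAMPLE_TOKEN = "constructed-token-0fKgrVOcSUWyz1Ybx2oQ"


def demo() -> dict:
    """Walk through the cases the thread discusses; returns the CA's verdicts."""
    host = "web01.ipa.example.test"   # constructed hostname
    zone = {}                         # no TXT record published yet
    before = validate_dns01(host, SAMPLE_TOKEN, SAMPLE_ACCOUNT_JWK, zone)

    # This step is the authorization boundary: only a principal permitted to
    # add TXT records in the zone can publish the expected value.
    zone[f"_acme-challenge.{host}."] = [dns01_txt_value(SAMPLE_TOKEN, SAMPLE_ACCOUNT_JWK)]
    after = validate_dns01(host, SAMPLE_TOKEN, SAMPLE_ACCOUNT_JWK, zone)

    # A record left over from another token (or another account key) is useless.
    stale = validate_dns01(host, "constructed-other-token", SAMPLE_ACCOUNT_JWK, zone)
    return {"before": before, "after": after, "stale_token": stale}


if __name__ == "__main__":
    print(demo())
```

The validation binds three things together: the token the CA chose for this particular order, the ACME account key that will hold the certificate, and the ability to write a record into the zone. An anonymous client that can reach the IPA server can obtain a token and has an account key, but without write access to the zone it cannot produce the third piece, which is the point Rob makes above.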