Djerk Geurts via FreeIPA-users wrote:
> Aware that ACME support is still relatively new. I'm looking at
> how the challenge works for an ACME client. DNS-01 seems superfluous as FreeIPA manages
> the DNS itself and HTTP-01 is often not an option, for example when using ACME on vSphere.
Can you expand on why you think that, because IPA can manage DNS,
the DNS-01 challenge is superfluous?
> If the DNS-01 verification is indeed fully local to a FreeIPA server
> with integrated DNS and CA, then can't any machine that can reach the FreeIPA server
> request an internal certificate anonymously? Surely I'm missing something here?
Not all IPA users can create DNS records. One needs to be able to create
the TXT entry for the challenge to succeed.
rob
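As an added example (not from this thread or from the FreeIPA project), here is the DNS-01 check as RFC 8555 section 8.4 specifies it: the CA derives the expected TXT value from its own challenge token and the thumbprint of the requester's ACME account key (RFC 7638), then looks for that value at `_acme-challenge.<name>`, so only a party able to write into that zone can satisfy it. The account key values and the in-memory `zone` dict standing in for a DNS lookup are constructed for illustration.

```python
import base64
import hashlib
import json

# Constructed ACME account public key (JWK). Only its member strings are
# hashed into the thumbprint; no signing is performed. (constructed values)
EXAMPLE_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
}

# Members that enter the RFC 7638 thumbprint, per key type.
_THUMBPRINT_MEMBERS = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}


def b64url(data: bytes) -> str:
    """base64url without '=' padding, as ACME (RFC 8555) requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required members, lexicographic, compact JSON."""
    members = _THUMBPRINT_MEMBERS[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """Value the client must publish: base64url(SHA-256(token '.' thumbprint))."""
    key_authorization = f"{token}.{jwk_thumbprint(account_jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("utf-8")).digest())


def validate_dns01(domain: str, token: str, account_jwk: dict, zone: dict) -> bool:
    """CA-side check; `zone` maps owner name -> list of TXT strings (stand-in for DNS)."""
    expected = dns01_txt_value(token, account_jwk)
    records = zone.get(f"_acme-challenge.{domain}.", [])
    return any(record == expected for record in records)


if __name__ == "__main__":
    token = "constructed-challenge-token"  # normally random, issued by the CA
    host = "web01.ipa.example.test"
    # Only a principal with write access to the zone can make this record exist.
    zone = {f"_acme-challenge.{host}.": [dns01_txt_value(token, EXAMPLE_JWK)]}
    print("record written by authorized user:", validate_dns01(host, token, EXAMPLE_JWK, zone))
    print("requester without DNS write access:", validate_dns01(host, token, EXAMPLE_JWK, {}))
```

The gate is therefore the right to create the TXT record in the IPA-managed zone, not mere network reachability of the IPA server.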