Can you expand on why you think that because IPA can manage DNS then
that the DNS-01 challenge is superfluous?
Because I'm not sure how an acme client like acme.sh would validate itself against
Dogtag on FreeIPA. This is the bit I can't find in the documentation.
Not all IPA users can create DNS records. One needs to be able to create
the TXT entry for the challenge to succeed.
I think this is the crux of it. How does an anonymous ACME client authorise anything? Or
can an ACME client only be used from an enrolled host? In which case Certmonger is already
available.
My reason for asking is that I'm looking into whether I can use acme.sh from an
appliance like VMware vCenter, which would not be an enrolled host. I've used another
ACME client (dehydrated) and set it to update DNS via RFC2136 for Let's Encrypt
certificates, where the authorisation was done through the TSIG key for the DNS-01 update
on the DNS server.
What mechanism other than Kerberos is available to authorise ACME certificate requests
from FreeIPA?
Looking at things like this example which uses HTTP-01. It looks like any FreeIPA host can
request a certificate as long as the DNS entry matches. However, as I type this I guess
the requirement is still to have a Service Principal configured? As you can see, the more
I think about this the more questions I have...
- HTTP-01 auth ensures the ACME client can verify it has control of the service that hosts
the FQDN for the certificate.
- I assume that a Service Principal is still a requirement for an ACME client request, as
it is for Certmonger requests. It is likely a stupid question, but worth asking IMHO.
- DNS-01 auth: how does an ACME client signal it has the privileges required to request a
certificate for the FQDN in question? I can guess, but when it comes to security I think
it's best not to.
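The DNS-01 mechanics asked about above (the key-authorisation value the client publishes, the RFC 2136 update a dehydrated-style hook would send, and the exact-match lookup the CA performs), as an added Python example that is not part of the original message; the account key below is a constructed placeholder, not a real key, and the zone/host names are assumed.

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as JOSE/ACME require (RFC 7515, RFC 8555)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over canonical JSON of the required members only."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """token.<thumbprint>: binds the CA-issued token to the ACME account key."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def dns01_txt_value(token: str, jwk: dict) -> str:
    """What the client publishes at _acme-challenge.<fqdn> (RFC 8555 section 8.4)."""
    return b64url(hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest())


def challenge_name(fqdn: str) -> str:
    return "_acme-challenge." + fqdn.rstrip(".") + "."


def nsupdate_script(zone: str, fqdn: str, txt_value: str, ttl: int = 60) -> str:
    """RFC 2136 batch for `nsupdate -k <tsig-key-file>`. The TSIG key is the credential
    the DNS server actually authorises, so on the server scope it to _acme-challenge
    names (e.g. a BIND update-policy) rather than granting it the whole zone."""
    name = challenge_name(fqdn)
    return "\n".join([f"zone {zone.rstrip('.')}.", f"update delete {name} TXT",
                      f'update add {name} {ttl} IN TXT "{txt_value}"', "send", ""])


def ca_validates(observed_txt_values: list, token: str, jwk: dict) -> bool:
    """The CA's side: query TXT at the challenge name and require an exact match."""
    return dns01_txt_value(token, jwk) in observed_txt_values


# Constructed placeholder account key (public part only, not a real key).
SAMPLE_JWK = {"kty": "EC", "crv": "P-256", "x": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
              "y": "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB"}

if __name__ == "__main__":
    txt = dns01_txt_value("constructed-token", SAMPLE_JWK)
    print(nsupdate_script("example.com", "vcenter.example.com", txt))
```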