Aware that ACME support is still relatively new. I'm looking at how the challenge
works for an ACME client. DNS-01 seems superfluous as FreeIPA manages the DNS itself and
HTTP-01 is often not an option, for example when using ACME on vSphere.
If the DNS-01 verification is indeed fully local to a FreeIPA server with integrated DNS
and CA then can't any machine that can reach the FreeIPA server request an internal
certificate anonymously? Surely I'm missing something here?