8:31 a.m.
Aware that ACME support is still relatively new. I'm looking at how the challenge
works for an ACME client. DNS-01 seems superfluous as FreeIPA manages the DNS itself and
HTTP-01 is often not an option, for example when using ACME on vSphere.
If the DNS-01 verification is indeed fully local to a FreeIPA server with integrated DNS
and CA then can't any machine that can reach the FreeIPA server request an internal
certificate anonymously? Surely I'm missing something here?
4:08 p.m.
New subject: ACME client certificate request from FreeIPA with DNS-01 challenge
Djerk Geurts via FreeIPA-users wrote:
Aware that ACME support is still relatively new. I'm looking at
how the challenge works for an ACME client. DNS-01 seems superfluous as FreeIPA manages
the DNS itself and HTTP-01 is often not an option, for example when using ACME on vSphere.
Can you expand on why you think that because IPA can manage DNS then
that the DNS-01 challenge is superfluous?
If the DNS-01 verification is indeed fully local to a FreeIPA server
with integrated DNS and CA then can't any machine that can reach the FreeIPA server
request an internal certificate anonymously? Surely I'm missing something here?
Not all IPA users can create DNS records. One needs to be able to create
the TXT entry for the challenge to succeed.
rob
5:17 p.m.
New subject: ACME client certificate request from FreeIPA with DNS-01 challenge
Can you expand on why you think that because IPA can manage DNS then
that the DNS-01 challenge is superfluous?
Because I'm not sure how an acme client like acme.sh would validate itself against
Dogtag on FreeIPA. This is the bit I can't find in the documentation.
Not all IPA users can create DNS records. One needs to be able to
create
the TXT entry for the challenge to succeed.
I think this is the crux of it. How does an anonymous ACME client authorise anything? Or
can an ACME client only be used from an enrolled host? In which case Certmonger is already
available.
My reason for asking is that I'm looking into whether I can use acme.sh from an
appliance like VMware vCenter, which would not be an enrolled host. I've used another
ACME client (dehydrated) and set it to update DNS via RFC2136 for Let's Encrypt
certificates. Where the authorisation was done through the TSIG key for the DNS-01 update
on the DNS server.
What mechanism other than Kerberos is available to authorise ACME certificate requests
from FreeIPA?
Looking at things like this example which uses HTTP-01. It looks like any FreeIPA host can
request a certificate as long as the DNS entry matches. However, as I type this I guess
the requirement is still to have a Service Principal configured? As you can see, the more
I think about this the more questions I have...
- HTTP-01 auth ensures the ACME client can verify it has control of the service that hosts
the FQDN for the certificate.
- I assume that a Service Principal is still a requirement for an ACME client request, as
it is for Certmonger requests. It is likely a stupid question, but worth asking IMHO.
- DNS-01 auth, how does an ACME client signal it has the privileges required to request a
certificate for the FQDN in question? I can guess, but when it comes to security I think
it's best not to.
6:24 p.m.
New subject: ACME client certificate request from FreeIPA with DNS-01 challenge
On Wed, May 03, 2023 at 10:17:03PM -0000, Djerk Geurts via FreeIPA-users wrote:
> Not all IPA users can create DNS records. One needs to be able
to create
> the TXT entry for the challenge to succeed.
I think this is the crux of it. How does an anonymous ACME client
authorise anything?
Yes the http-01 challenge. Examples:
-
https://frasertweedale.github.io/blog-redhat/posts/2020-05-06-ipa-acme-in...
- https://frasertweedale.github.io/blog-redhat/posts/2020-05-07-ipa-acme-mo...
Or can an ACME client only be used from an
enrolled host? In which case Certmonger is already available.
My reason for asking is that I'm looking into whether I can use
acme.sh from an appliance like VMware vCenter, which would not be
an enrolled host. I've used another ACME client (dehydrated) and
set it to update DNS via RFC2136 for Let's Encrypt certificates.
Where the authorisation was done through the TSIG key for the
DNS-01 update on the DNS server.
What mechanism other than Kerberos is available to authorise ACME
certificate requests from FreeIPA?
FreeIPA/Dogtag ACME service supports http-01 and dns-01 challenges.
http-01 does not involve communication between the ACME client and
IPA server. The ACME client need not be IPA enrolled.
dns-01 requires the client to communicate with a DNS provider. If
that happens to be the IPA server, then the client does need an IPA
account + privileges to manage the DNS entries, and will use
Kerberos authentication.
Looking at things like this example which uses HTTP-01. It looks
like any FreeIPA host can request a certificate as long as the DNS
entry matches. However, as I type this I guess the requirement is
still to have a Service Principal configured? As you can see, the
more I think about this the more questions I have...
- HTTP-01 auth ensures the ACME client can verify it has control
of the service that hosts the FQDN for the certificate.
- I assume that a Service Principal is still a requirement for an
ACME client request, as it is for Certmonger requests. It is
likely a stupid question, but worth asking IMHO.
IPA principal is NOT required to use ACME.
- DNS-01 auth, how does an ACME client signal it has the
privileges required to request a certificate for the FQDN in
question?
The ACME server offers the challenges - in the default configuration
*both* http-01 and dns-01 are offered. The client chooses which to
attempt. The client then "sets up" the required info - either
preparing a particular HTTP resource (http-01), or creating a
particular DNS resource (dns-01). If the client successfully
completes the set-up, it then informs that such-and-such challenge
was completed and should be validated. If the server successfully
validates the challenge, then the corresponding identifier (i.e. DNS
name) is authorized for that client.
The only scenario where this would involve the ACME client
authenticating to IPA server is when using dns-01 challenge and IPA
DNS provider.
I can guess, but when it comes to security I think it's
best not to.
I hope this has clarified the situation for you.
Cheers,
Fraser
5:27 p.m.
New subject: ACME client certificate request from FreeIPA with DNS-01 challenge
Interestingly I've just found this, which includes a provision for specifying IPA
account credentials when Kerberos isn't available.
https://github.com/HeMan/ipa-dns-hook
6:02 p.m.
New subject: ACME client certificate request from FreeIPA with DNS-01 challenge
On Wed, May 03, 2023 at 05:08:20PM -0400, Rob Crittenden via FreeIPA-users wrote:
Djerk Geurts via FreeIPA-users wrote:
> Aware that ACME support is still relatively new. I'm looking at how the
challenge works for an ACME client. DNS-01 seems superfluous as FreeIPA manages the DNS
itself and HTTP-01 is often not an option, for example when using ACME on vSphere.
Can you expand on why you think that because IPA can manage DNS then
that the DNS-01 challenge is superfluous?
> If the DNS-01 verification is indeed fully local to a FreeIPA server with integrated
DNS and CA then can't any machine that can reach the FreeIPA server request an
internal certificate anonymously? Surely I'm missing something here?
Not all IPA users can create DNS records. One needs to be able to create
the TXT entry for the challenge to succeed.
...which fits in the general security model for the dns-01
challenge: anyone with authorization to add arbitrary TXT records to
a DNS zone can acquire certificates for [sub]domains in that zone.
Here's an example of using the dns-01 challenge with FreeIPA:
https://frasertweedale.github.io/blog-redhat/posts/2020-05-13-ipa-acme-dn...
Cheers,
Fraser
409
days inactive
410
days old
freeipa-users@lists.fedorahosted.org
6 comments
3 participants
participants (3)
-
Djerk Geurts -
Fraser Tweedale -
Rob Crittenden