On Thu, 13 Apr 2023, Loi Do via FreeIPA-users wrote:
Hello all,
I'm seeking clarity advice rather than a fix for an issue, since I
don't think it's an issue - do let me know otherwise. I recently tried
to install an SSL certificate for my FreeIPA server to get rid of the
"SSL error" shown on my web browser. I used the official FreeIPA Let's
Encrypt management script (https://github.com/freeipa/freeipa-letsencrypt) to install the cert
but did not succeed. I'm getting the following error:
Requesting a certificate for newvipa.homelab.internal
An unexpected error occurred:
The server will not issue certificates for the identifier :: Error
creating new order :: Cannot issue for "newvipa.homelab.internal":
Domain name does not end with a valid public suffix (TLD)
It appears my domain suffix is not acceptable as it's not a public
suffix. This is normal because the domain is intended for internal use.
My question is, should I be using a .com suffix for my domain
(homelab.com) and create a subdomain (sub.homelab.com) for internal use
so I can use the ssl cert? I know it isn't necessary to use the SSL
cert if the server is only meant for internal use - I know it's my
server and I can trust it. I'm just more curious if my current domain
is following best practice for internal use and I should only be
concerned with the issue if it's for public use.
You have two choices, really:
- plug into a public DNS system which is what public CAs are expecting
you to do
- maintain your own CA hierarchy that allows you to issue certificates
for your own SAN DNS names.
All public CAs assume and attempt to resolve SAN DNS records in the
certificate requests through the DNS resolvers they have access to.
Obviously, their DNS resolvers have no knowledge of your internal DNS
domain. You simply cannot force them to do otherwise.
FreeIPA integrates with Dogtag PKI CA exactly for the second choice. A
down-side is that you'd need to distribute CA certificate chains around
so that applications which access resources protected by the
certificates issued by IPA's integrated CA can trust those. This is what
we do by default on IPA-enrolled hosts.
If you want to use Let's Encrypt or other public ACME services, you need
to plug into the public DNS system. What your domain is called is less
relevant, though.
My personal FreeIPA deployment uses a combination of public DNS domain
for which I acquire public TLS certificates and an integrated IPA CA for
internal needs. I do not use subdomains for this purpose, though, but
this is simply because I don't have too many hosts to deal with.
Occasionally, I add subdomains and register them in my public DNS zone
purely to allow services running at different locations (home, cloud) to
share the same namespace and be resolvable without additional tricks.
Access to those resources is still limited through VPN routes, though.
As always, thank you all for assistance.
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
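The check that produced the "does not end with a valid public suffix" error, and the resulting split between names a public ACME CA can validate through public DNS and names that belong to the IPA-integrated CA, can be reproduced locally before a certificate request is even sent. The following is an added example written for this thread, not code from FreeIPA, freeipa-letsencrypt or Let's Encrypt; the suffix rules it embeds are a small constructed subset of the Public Suffix List (the real list at https://publicsuffix.org/ is far larger), and the hostnames in the sample are constructed to mirror the thread.

```python
"""
Classify SAN DNS names by which issuer can plausibly sign for them:
  - 'public-ca'    : the name sits under a public suffix, so a public ACME CA
                     could validate it through the public DNS system
  - 'internal-ca'  : no public suffix matches (e.g. .internal), so only a CA
                     you control, such as FreeIPA's integrated Dogtag CA, can issue
  - 'not-issuable' : the name is itself a bare public suffix

The rules below are a CONSTRUCTED subset of the Public Suffix List, kept small
for the example.  Rule semantics (longest match wins, `*.` wildcard rules,
`!` exception rules beat everything) follow the published PSL algorithm.
The PSL's implicit catch-all "*" rule is deliberately omitted so that an
unknown suffix is reported as unmatched, which is the effect the ACME
server's check had on "homelab.internal" in the thread.
"""

# Constructed PSL subset (not the real list).
PSL_RULES = [
    "com",
    "net",
    "org",
    "fi",
    "co.uk",
    "uk",
    "*.ck",      # every label directly under .ck is a public suffix ...
    "!www.ck",   # ... except www.ck itself
]


def _rule_matches(rule_body, labels):
    """True if a PSL rule body (without any leading '!') matches the label list."""
    rule_labels = rule_body.split(".")
    if len(rule_labels) > len(labels):
        return False
    # Compare right-to-left; '*' matches any single label.
    for r, l in zip(reversed(rule_labels), reversed(labels)):
        if r != "*" and r != l:
            return False
    return True


def public_suffix(hostname, rules=PSL_RULES):
    """Return the public suffix of hostname per PSL matching, or None if no rule matches."""
    labels = hostname.lower().rstrip(".").split(".")
    best = None  # (rule label count, matched suffix labels)
    for rule in rules:
        exception = rule.startswith("!")
        body = rule[1:] if exception else rule
        if not _rule_matches(body, labels):
            continue
        n = len(body.split("."))
        if exception:
            # An exception rule prevails outright; the suffix is one label shorter.
            return ".".join(labels[-(n - 1):])
        if best is None or n > best[0]:
            best = (n, labels[-n:])
    return ".".join(best[1]) if best else None


def classify(hostname, rules=PSL_RULES):
    """Decide which kind of CA can issue for this SAN DNS name."""
    suffix = public_suffix(hostname, rules)
    if suffix is None:
        return "internal-ca"
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) <= len(suffix.split(".")):
        return "not-issuable"
    return "public-ca"


def plan_issuers(hostnames, rules=PSL_RULES):
    """Map each hostname to the issuer class it needs."""
    return {h: classify(h, rules) for h in hostnames}


if __name__ == "__main__":
    # Constructed sample: the thread's internal name next to public-zone names.
    sample = ["newvipa.homelab.internal", "ipa.sub.homelab.com",
              "web.homelab.co.uk", "com"]
    for host, issuer in plan_issuers(sample).items():
        print(f"{host:28} -> {issuer}")
```

Running it shows the thread's split directly: `newvipa.homelab.internal` lands in `internal-ca`, while a host under a registered public domain such as `ipa.sub.homelab.com` is `public-ca`. It is only a planning aid; a public CA still has to see the public-zone names resolve in DNS it can reach, and the internal-CA names still need the IPA CA chain distributed to every client that must trust them.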