[Freeipa-users] FreeIPA and LetsEncrypt Question
Petr Spacek
pspacek at redhat.com
Thu Dec 3 08:02:11 UTC 2015
On 2.12.2015 15:25, Günther J. Niederwimmer wrote:
> Hello All,
>
> On Wednesday 02 December 2015, 21:10:31, Fraser Tweedale wrote:
>> On Mon, Nov 30, 2015 at 02:46:13PM +0200, Alexander Bokovoy wrote:
>>> On Mon, 30 Nov 2015, Günther J. Niederwimmer wrote:
>>>> Hello ,
>>>>
>>>> I have a question: do any of the FreeIPA "Gurus" ;-) know whether the new
>>>> upcoming LetsEncrypt certificates are compatible and working with FreeIPA?
>>>
>>> We have plans to support issuing certificates via Let's Encrypt.
>>
>> Günther, what are your specific wishes - to automatically acquire LE
>> certs for FreeIPA server's HTTP and LDAP? Arbitrary hosts or
>> services that are managed by FreeIPA?
>
> My wishes :-)).
>
> When I can have wishes, I mean all ;-)
>
> But a nice integration for IMAP, SMTP, LDAP, HTTPS ... was a dream.
>
> Now I make a test with FreeIPA and "DANE"; I hope this is working?
IPA allows you to DNSSEC-sign the domain; the rest is up to you. You have to
create TLSA records for your certificates, put these into the DNSSEC-signed domain
and then get *clients* to respect them.
In other words, IPA does nothing except DNSSEC-signing of DNS domains.
>>> However, right now Let's encrypt only issues server certificates, not
>>> CA roots, so you cannot use them to bootstrap IPA CA.
>>
>> This will probably always be the case.
--
Petr^2 Spacek
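
Added example, not part of the original message or of FreeIPA: one way to produce the TLSA record the reply says you have to create yourself, here in the common RFC 6698 form "3 1 1" (DANE-EE, SubjectPublicKeyInfo, SHA-256). The host name, port and the certificate bytes are constructed placeholders; a real run would pass the DER bytes of the server's certificate.

```python
import hashlib

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def spki_of(cert_der):
    """Return the DER SubjectPublicKeyInfo (header included) of an X.509 certificate."""
    _, pos, _ = read_tlv(cert_der, 0)            # Certificate ::= SEQUENCE
    _, pos, tbs_end = read_tlv(cert_der, pos)    # TBSCertificate ::= SEQUENCE
    fields = []
    while pos < tbs_end:
        tag, _, end = read_tlv(cert_der, pos)
        fields.append((tag, pos, end))
        pos = end
    if fields and fields[0][0] == 0xA0:          # optional [0] version
        fields.pop(0)
    if len(fields) < 6:
        raise ValueError("not an X.509 TBSCertificate")
    _, start, end = fields[5]   # follows serial, sigalg, issuer, validity, subject
    return cert_der[start:end]

def tlsa_record(host, port, cert_der, usage=3, selector=1, mtype=1, proto="tcp"):
    """Build a TLSA resource record in zone-file presentation format."""
    data = spki_of(cert_der) if selector == 1 else cert_der  # selector 0 = full cert
    if mtype == 0:                                           # 0 = exact match, no hash
        assoc = data.hex()
    else:
        assoc = hashlib.new({1: "sha256", 2: "sha512"}[mtype], data).hexdigest()
    return f"_{port}._{proto}.{host}. IN TLSA {usage} {selector} {mtype} {assoc}"

def der(tag, payload=b""):
    """Encode one DER element; used only to construct the sample input below."""
    n = len(payload)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + payload

# Constructed sample: certificate-shaped DER with dummy key bytes, not a real certificate.
SAMPLE_SPKI = der(0x30, der(0x30, der(0x06, b"\x2a\x03")) + der(0x03, b"\x00" + b"K" * 200))
SAMPLE_CERT = der(0x30, der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01")
                  + der(0x30) * 4 + SAMPLE_SPKI) + der(0x30) + der(0x03, b"\x00"))
print(tlsa_record("mail.example.test", 25, SAMPLE_CERT))
```

Pinning the SubjectPublicKeyInfo (selector 1) means the record stays valid across certificate renewals that reuse the same key, while selector 0 has to be republished for every new certificate.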