[Freeipa-users] FreeIPA 4.1.0 server behind apache/mod_proxy

Piotr Baranowski piotr.baranowski at osec.pl
Wed Jun 17 13:57:57 UTC 2015


----- On 17 Jun 2015 at 15:51, Alexander Bokovoy abokovoy at redhat.com wrote:

> On Wed, 17 Jun 2015, Piotr Baranowski wrote:
>>----- Original message -----
>>> From: "Alexander Bokovoy" <abokovoy at redhat.com>
>>> So you have two different certificates in use here and your client
>>> doesn't know about the other certificate (from your proxy). You need
>>> either to deliver that certificate to the client by yourself or change
>>> your proxying technology to something different.
>>>
>>> For example, you can use sniproxy which doesn't require in-the-middle
>>> certificate. https://github.com/dlundquist/sniproxy
>>
>>Thanks for that hint. I'll have a look at that.
>>
>>However, I have an idea:
>>If I could export ipa's mod_nss cert+key and then use them on my proxy running
>>mod_ssl that probably could solve the issue.
>>
>>Right?
> Sort of. Now you would have an issue of maintaining the certificate in
> multiple locations which would make rotation of it "interesting", so to
> say.

Those would be only TWO certificates to manage. What's the challenge here?

Piotr



