[Freeipa-users] FreeIPA 4.1.0 server behind apache/mod_proxy

Alexander Bokovoy abokovoy at redhat.com
Wed Jun 17 14:21:11 UTC 2015


On Wed, 17 Jun 2015, Piotr Baranowski wrote:
>----- On 17 Jun 2015 at 15:51, Alexander Bokovoy abokovoy at redhat.com wrote:
>
>> On Wed, 17 Jun 2015, Piotr Baranowski wrote:
>>>----- Original message -----
>>>> From: "Alexander Bokovoy" <abokovoy at redhat.com>
>>>> So you have two different certificates in use here and your client
>>>> doesn't know about the other certificate (from your proxy). You need
>>>> either to deliver that certificate to the client by yourself or change
>>>> your proxying technology to something different.
>>>>
>>>> For example, you can use sniproxy which doesn't require in-the-middle
>>>> certificate. https://github.com/dlundquist/sniproxy
>>>
>>>Thanks for that hint. I'll have a look at that.
>>>
>>>However, I have an idea:
>>>If I could export IPA's mod_nss cert+key and then use them on my proxy running
>>>mod_ssl, that probably could solve the issue.
>>>
>>>Right?
>> Sort of. Now you would have an issue of maintaining the certificate in
>> multiple locations which would make rotation of it "interesting", so to
>> say.
>
>Those would be only TWO certificates to manage. What's the challenge here?
FreeIPA uses certmonger to rotate certificates when time approaches
their expiration. Certmonger requests a new certificate from the CA. In
case you copied the certificate to some other server, you would need to
manually maintain the other copy, and there would be a period when the IPA
web server's certificate had already been rotated but yours hadn't.

Setting certmonger to rotate the same certificate from two locations
wouldn't work.

I'm not saying it is hard, just that you should know what you are
dealing with and accept a window of blackout.
-- 
/ Alexander Bokovoy
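The blackout window described above (certmonger has already renewed the IPA web server's certificate while the copy on the proxy is still the old one) is easy to detect from the outside: fetch the certificate each endpoint actually serves and compare fingerprints. The script below is an added example written for this thread; it is not code from FreeIPA, certmonger or the list posters. The host names and the placeholder certificate bytes are constructed assumptions; only the comparison logic is exercised offline, the network fetch is a thin wrapper around the standard library.

```python
"""Detect certificate skew between a FreeIPA web server and a reverse proxy
that serves a copied certificate.

Added example for illustration; not part of FreeIPA or the mailing-list thread.
"""
import base64
import hashlib
import ssl

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"


def make_constructed_pem(payload: bytes) -> str:
    """Wrap arbitrary bytes in a PEM envelope.

    Used only to build constructed test input; the bytes are NOT a real
    DER certificate, and nothing below parses them as one.
    """
    body = base64.encodebytes(payload).decode("ascii")
    return f"{PEM_HEADER}\n{body}{PEM_FOOTER}\n"


def fingerprint_pem(pem: str) -> str:
    """SHA-256 fingerprint (hex) of the DER encoding inside a PEM certificate.

    This is the same value `openssl x509 -fingerprint -sha256` prints,
    minus the colons, so it can be compared against a known-good record.
    """
    der = ssl.PEM_cert_to_DER_cert(pem)
    return hashlib.sha256(der).hexdigest()


def certs_match(ipa_pem: str, proxy_pem: str) -> bool:
    """True when both endpoints serve byte-identical certificates."""
    return fingerprint_pem(ipa_pem) == fingerprint_pem(proxy_pem)


def skew_report(ipa_pem: str, proxy_pem: str) -> dict:
    """Summarise the comparison in a form a monitoring job can log or alert on."""
    ipa_fp = fingerprint_pem(ipa_pem)
    proxy_fp = fingerprint_pem(proxy_pem)
    return {
        "ipa_fingerprint": ipa_fp,
        "proxy_fingerprint": proxy_fp,
        "skewed": ipa_fp != proxy_fp,
        "verdict": "OK: proxy serves the IPA certificate"
        if ipa_fp == proxy_fp
        else "ALERT: proxy certificate differs (rotation window or stale copy)",
    }


def fetch_served_cert(host: str, port: int = 443) -> str:
    """Fetch the certificate a TLS endpoint currently presents, as PEM.

    Network access required; not exercised by the offline test below.
    No validation is performed on purpose: a rotated or self-signed
    certificate must still be retrievable so the skew can be reported.
    """
    return ssl.get_server_certificate((host, port))


def check_live(ipa_host: str, proxy_host: str, port: int = 443) -> dict:
    """Compare what the real IPA web server and the proxy serve right now."""
    return skew_report(
        fetch_served_cert(ipa_host, port), fetch_served_cert(proxy_host, port)
    )


if __name__ == "__main__":
    # Hypothetical host names; replace with your own IPA server and proxy.
    print(check_live("ipa.example.test", "proxy.example.test"))
```

Run it from cron or a monitoring agent against the IPA server and the proxy; a `skewed` result is the signal that certmonger has renewed the IPA-side certificate and the copy on the proxy needs to be refreshed (or that someone replaced the proxy certificate without going through the same process).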