[Freeipa-users] let's encrypt integration and best practices for mod_nss/mod_ssl

Fraser Tweedale ftweedal at redhat.com
Thu Nov 5 00:44:59 UTC 2015


On Wed, Nov 04, 2015 at 03:20:22PM -0800, Prasun Gera wrote:
> I'm using idm (4.1.x) on a RHEL 7.1 with the webui accessible publicly. I'm
> using a stock configuration which uses the certs signed by ipa's CA for the
> webui. This is mostly for convenience since it manages renewals seamlessly.
> This, however, requires users to add the CA as trusted to their browsers. A
> promising alternative to this is https://letsencrypt.org/, which issues
> browser trusted certs, and will manage auto renewals too (in the future).
> As a feature request, it would be nice to have closer integration between
> ipa and the letsencrypt client which would make managing certs simple. I'm
> about to set this up manually right now using the external ssl certs guide.
> 
Let's Encrypt is on our radar.  I like the idea of being able to
install FreeIPA with publicly-trusted certs for HTTP and LDAP from
the beginning.  This would require some work in ipa-server-install
in addition to certmonger support and a good, stable Let's Encrypt /
ACME client implementation for Apache on Fedora.

Installing publicly-trusted HTTP / LDAP certs is a common activity
so I filed a ticket: https://fedorahosted.org/freeipa/ticket/5431

Cheers,
Fraser

> Secondly, since the webui uses mod_nss, how would one set it up to prefer
> security over compatibility with older clients? The vast majority of
> documentation online (e.g.
> https://mozilla.github.io/server-side-tls/ssl-config-generator/) is about
> mod_ssl and I think the configuration doesn't transfer directly to mod_nss.
> Since this is the only web facing component, I would like to set it up to
> use stringent requirements. Right now, a test on
> https://www.ssllabs.com/ssltest/ and https://weakdh.org/sysadmin.html
> identifies several issues. Since these things are not really my area of
> expertise, I would like some documentation regarding this. Also, would
> manually modifying any of the config files be overwritten by a yum update?
