On Wed, May 03, 2023 at 05:08:20PM -0400, Rob Crittenden via FreeIPA-users wrote:
> Djerk Geurts via FreeIPA-users wrote:
> > Aware that ACME support is still relatively new. I'm looking at how the
> > challenge works for an ACME client. DNS-01 seems superfluous as FreeIPA
> > manages the DNS itself and HTTP-01 is often not an option, for example when
> > using ACME on vSphere.
>
> Can you expand on why you think that, because IPA can manage DNS,
> the DNS-01 challenge is superfluous?
>
> > If the DNS-01 verification is indeed fully local to a FreeIPA server with
> > integrated DNS and CA then can't any machine that can reach the FreeIPA
> > server request an internal certificate anonymously? Surely I'm missing
> > something here?
>
> Not all IPA users can create DNS records. One needs to be able to create
> the TXT entry for the challenge to succeed.
>
...which fits in the general security model for the dns-01 challenge: anyone
with authorization to add arbitrary TXT records to a DNS zone can acquire
certificates for [sub]domains in that zone.

Here's an example of using the dns-01 challenge with FreeIPA:
https://frasertweedale.github.io/blog-redhat/posts/2020-05-13-ipa-acme-dns.html#certbot-and-freeipa-dns

Cheers,
Fraser
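To make the security model Fraser describes concrete, here is an added example (not from the thread, and not FreeIPA's or Dogtag's code) of the check a CA performs for dns-01 per RFC 8555 and RFC 7638: the TXT value at `_acme-challenge.<name>` must equal base64url(SHA-256(token || "." || account-key-thumbprint)). The account key, token and zone contents are constructed sample data; whoever can write that one TXT record is exactly who can pass the challenge.

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME (RFC 8555) requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members only,
    lexicographically ordered, with no whitespace (extra members such as
    'kid' are ignored)."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """TXT content the CA expects: base64url(SHA-256(token '.' thumbprint))."""
    key_authorization = f"{token}.{jwk_thumbprint(account_jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


def validate_dns01(zone: dict, identifier: str, token: str, account_jwk: dict) -> bool:
    """The CA-side check: is the expected value among the TXT records at
    _acme-challenge.<identifier>? Only a principal allowed to write that
    record in the IPA-managed zone can make this return True."""
    name = f"_acme-challenge.{identifier}."
    expected = dns01_txt_value(token, account_jwk)
    return expected in zone.get(name, [])


# Constructed sample data (not real keys or records): an ACME account key,
# a challenge token, and a zone as the IPA DNS might serve it.
SAMPLE_JWK = {"kty": "EC", "crv": "P-256", "x": "c29tZS14", "y": "c29tZS15",
              "kid": "ignored-by-thumbprint"}
SAMPLE_TOKEN = "constructedToken123"
SAMPLE_ZONE = {
    "_acme-challenge.vcenter.example.test.": [
        "stale-value-from-an-earlier-order",      # leftover record, must not match
        dns01_txt_value(SAMPLE_TOKEN, SAMPLE_JWK),  # record placed for this order
    ],
    "vcenter.example.test.": ["v=spf1 -all"],  # unrelated TXT data
}

if __name__ == "__main__":
    for host in ("vcenter.example.test", "other.example.test"):
        print(host, validate_dns01(SAMPLE_ZONE, host, SAMPLE_TOKEN, SAMPLE_JWK))
```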
