On 2.12.2015 15:25, Günther J. Niederwimmer wrote:
> Hello All,
>
> On Wednesday 02 December 2015, 21:10:31, Fraser Tweedale wrote:
>> On Mon, Nov 30, 2015 at 02:46:13PM +0200, Alexander Bokovoy wrote:
>>> On Mon, 30 Nov 2015, Günther J. Niederwimmer wrote:
>>>> Hello,
>>>>
>>>> I have the question, know any from the FreeIPA "Gurus" ;-), are the new
>>>> upcoming LetsEncrypt Certificates compatible and working with FreeIPA?
>>>
>>> We have plans to support issuing certificates via Let's Encrypt.
>>
>> Günther, what are your specific wishes - to automatically acquire LE
>> certs for FreeIPA server's HTTP and LDAP? Arbitrary hosts or
>> services that are managed by FreeIPA?
>
> My wishes :-)).
>
> when I can have wishes, I mean all ;-)
>
> But a nice Integration for IMAP, SMTP, LDAP, HTTPS ... was a dream.
>
> Now I make a test with FreeIPA and "DANE" I hope this is working ?.

IPA allows you to DNSSEC-sign the domain, the rest is up to you. You have to
create TLSA records for your certificates, put these into a DNSSEC-signed
domain and then get *clients* to respect them.

In other words, IPA does nothing except DNSSEC-signing of DNS domains.

>>> However, right now Let's encrypt only issues server certificates, not
>>> CA roots, so you cannot use them to bootstrap IPA CA.
>>
>> This will probably always be the case.

-- 
Petr^2 Spacek
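
The TLSA record creation mentioned in the reply above, as an added example that is not part of the original thread or of FreeIPA's code: it derives the record text from a DER certificate with the Python standard library only. The helper names, the host `ipa.example.test` and the certificate-shaped sample are constructed for illustration.

```python
import hashlib

def read_tlv(buf, pos):
    """Return (tag, content_start, end) for the DER TLV that starts at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                       # long-form length: next k bytes
        k = first & 0x7F
        length = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def children(buf, start, end):
    """List (tag, tlv_start, tlv_end) for each TLV between start and end."""
    out = []
    while start < end:
        tag, _, nxt = read_tlv(buf, start)
        out.append((tag, start, nxt))
        start = nxt
    return out

def spki(der_cert):
    """Extract the complete SubjectPublicKeyInfo TLV from a DER certificate."""
    _, c0, _ = read_tlv(der_cert, 0)                  # Certificate SEQUENCE
    _, t0, t1 = read_tlv(der_cert, c0)                # tbsCertificate SEQUENCE
    fields = children(der_cert, t0, t1)
    if fields[0][0] == 0xA0:                          # optional [0] version
        fields = fields[1:]
    _, s, e = fields[5]   # after serial, signature, issuer, validity, subject
    return der_cert[s:e]

def tlsa_record(der_cert, host, port, proto="tcp", usage=3, selector=1, mtype=1):
    """Build the TLSA record text (RFC 6698 fields) for one service endpoint."""
    data = der_cert if selector == 0 else spki(der_cert)   # 0=full cert, 1=SPKI
    digest = {0: bytes.hex, 1: lambda d: hashlib.sha256(d).hexdigest(),
              2: lambda d: hashlib.sha512(d).hexdigest()}[mtype](data)
    return f"_{port}._{proto}.{host}. IN TLSA {usage} {selector} {mtype} {digest}"

# Constructed sample: a certificate-shaped DER skeleton, not a valid certificate.
def tlv(tag, body):
    return bytes([tag, len(body)]) + body              # short-form lengths only
ALG = tlv(0x30, tlv(0x06, b"\x2b\x65\x70"))            # OID 1.3.101.112 (Ed25519)
SAMPLE_SPKI = tlv(0x30, ALG + tlv(0x03, b"\x00" + bytes(range(32))))
TBS = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + ALG
          + tlv(0x30, b"") * 3 + SAMPLE_SPKI)          # empty issuer/validity/subject
SAMPLE_CERT = tlv(0x30, TBS + ALG + tlv(0x03, b"\x00" + bytes(8)))
```

For a real certificate, pass the bytes returned by `ssl.PEM_cert_to_DER_cert()`; the resulting record still has to be published in the DNSSEC-signed zone and honoured by validating clients.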
