On Sat, 27 May 2017, Ivars Strazdiņš via FreeIPA-users wrote:
> Hi there,
> our IPA servers' https port is exposed to the internet. I wanted to restrict access to the Web UI by
> requesting a user certificate issued by IPA and enabling the Apache setting "NSSVerifyClient
> require" (or "optional") in /etc/httpd/conf.d/nss.conf
> This, however, broke the "ipa" command, which now started to fail like:
> [user@im conf.d]$ ipa user-show user
> ipa: ERROR: cannot connect to 'https://a.b.c.d/ipa/json':
> (SSL_ERROR_BAD_CERT_ALERT) SSL peer cannot verify your certificate.
>
> Is it possible for the "ipa" command to present a certificate to the Apache server?
Not possible yet. Note that it is not only an issue of the 'ipa' command;
there are also other commands that are used for the join operation and
also require access to the HTTPS end point.

Prior to FreeIPA 4.5 there is no way to enable certificate
authentication to the web UI at all. In 4.5 we added the ability to authenticate
with certificates to the web UI. However, none of the enrollment tools and
the 'ipa' utility were changed to allow such a method.

It would probably be good to open a ticket to make sure cert-based
authentication would be supported by 'ipa' and enrollment tools.

> Anything else is going to break by such approach?
See above.
/ Alexander Bokovoy
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org