I'm using idm (4.1.x) on a RHEL 7.1 with the webui accessible publicly. I'm using a stock configuration which uses the certs signed by ipa's CA for the webui. This is mostly for convenience since it manages renewals seamlessly. This, however, requires users to add the CA as trusted to their browsers. A promising alternative to this is https://letsencrypt.org/, which issues browser trusted certs, and will manage auto renewals too (in the future). As a feature request, it would be nice to have closer integration between ipa and the letsencrypt client which would make managing certs simple. I'm about to set this up manually right now using the external ssl certs guide.
Secondly, since the webui uses mod_nss, how would one set it up to prefer security over compatibility with older clients? The vast majority of documentation online (e.g. https://mozilla.github.io/server-side-tls/ssl-config-generator/) is about mod_ssl and I think the configuration doesn't transfer directly to mod_nss. Since this is the only web facing component, I would like to set it up to use stringent requirements. Right now, a test on https://www.ssllabs.com/ssltest/ and https://weakdh.org/sysadmin.html identifies several issues. Since these things are not really my area of expertise, I would like some documentation regarding this. Also, would manually modifying any of the config files be overwritten by a yum update?
--
Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
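The second question above is about turning mod_nss towards strict settings. The two directives that matter for that are NSSProtocol (which protocol versions the server offers) and NSSCipherSuite (a comma-separated list of mod_nss cipher names, each prefixed with + to enable or - to disable). The script below is an added example, not code from the post or from FreeIPA: it parses those two directives out of an nss.conf-style text and reports anything a scanner like ssllabs would flag (SSLv3 or TLS 1.0/1.1 enabled, RC4/MD5/DES/NULL ciphers enabled, enabled suites without forward secrecy). Both config fragments are constructed samples; the cipher names follow mod_nss's naming as far as I know it and are an assumption, so check them against the NSSCipherSuite comment block in your own /etc/httpd/conf.d/nss.conf before copying any of them.

```python
import re

# Constructed sample fragments in the shape of mod_nss directives (not taken
# from FreeIPA's shipped nss.conf). Cipher names are assumed mod_nss names.
WEAK_NSS_CONF = """
NSSEngine on
NSSProtocol SSLv3,TLSv1.0,TLSv1.1,TLSv1.2
NSSCipherSuite +rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,+rsa_aes_128_sha,+rsa_aes_256_sha
"""

HARDENED_NSS_CONF = """
NSSEngine on
NSSProtocol TLSv1.2
NSSCipherSuite +ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_256_sha,+ecdhe_rsa_aes_128_sha,-rsa_rc4_128_md5,-rsa_rc4_128_sha,-rsa_3des_sha,-rsa_aes_128_sha,-rsa_aes_256_sha
"""

# Protocol versions and cipher-name fragments that a modern TLS scan flags.
WEAK_PROTOCOLS = {"sslv2", "sslv3", "tlsv1.0", "tlsv1.1"}
WEAK_CIPHER_TOKENS = ("rc4", "md5", "des", "null", "export", "rc2")


def parse_directives(text):
    """Return {directive: value} for NSSProtocol and NSSCipherSuite lines.

    Comment lines and blank lines are skipped; the last occurrence of a
    directive wins, which mirrors how httpd treats repeated directives.
    """
    found = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"(NSSProtocol|NSSCipherSuite)\s+(\S+)", line)
        if m:
            found[m.group(1)] = m.group(2)
    return found


def audit_nss_conf(text):
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []
    directives = parse_directives(text)

    protocols = [p.strip().lower()
                 for p in directives.get("NSSProtocol", "").split(",")
                 if p.strip()]
    if not protocols:
        findings.append("NSSProtocol not set (mod_nss defaults apply)")
    for proto in protocols:
        if proto in WEAK_PROTOCOLS:
            findings.append(f"weak protocol enabled: {proto}")

    for token in directives.get("NSSCipherSuite", "").split(","):
        token = token.strip()
        # Only enabled (+) suites matter; disabled (-) ones are fine to list.
        if not token or token.startswith("-"):
            continue
        name = token.lstrip("+")
        if any(t in name for t in WEAK_CIPHER_TOKENS):
            findings.append(f"weak cipher enabled: {name}")
        elif not name.startswith(("ecdhe_", "dhe_")):
            findings.append(f"no forward secrecy: {name}")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_NSS_CONF), ("hardened", HARDENED_NSS_CONF)):
        print(f"== {label} ==")
        for finding in audit_nss_conf(conf) or ["no findings"]:
            print("  " + finding)
```

Run it against a copy of your own nss.conf by replacing the constructed samples with the file contents; an empty findings list is the goal, and the scanner results you already have from ssllabs are the external check that the server actually negotiates what the file says.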