>
> I hope this has clarified the situation for you.
Perfectly, thank you!
Thanks,
Djerk
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of
On Wed, May 03, 2023 at 10:17:03PM -, Djerk Geurts via FreeIPA-users wrote:
> > Not all IPA users can create DNS records. One needs to be able to create
> > the TXT entry for the challenge to succeed.
>
> I think this is the crux of it. How does an anonymous ACME client
> authorise anything?
>
On Wed, May 03, 2023 at 05:08:20PM -0400, Rob Crittenden via FreeIPA-users wrote:
> Djerk Geurts via FreeIPA-users wrote:
> > Aware that ACME support is still relatively new. I'm looking at how the
> > challenge works for an ACME client. DNS-01 seems superfluous as FreeIPA
> > manages the DNS
Interestingly, I've just found this, which includes a provision for specifying
IPA account credentials when Kerberos isn't available.
https://github.com/HeMan/ipa-dns-hook
> Can you expand on why you think that because IPA can manage DNS then
> that the DNS-01 challenge is superfluous?
Because I'm not sure how an ACME client like acme.sh would validate itself
against Dogtag on FreeIPA. This is the bit I can't find in the documentation.
> Not all IPA users can
Djerk Geurts via FreeIPA-users wrote:
> Aware that ACME support is still relatively new. I'm looking at how the
> challenge works for an ACME client. DNS-01 seems superfluous as FreeIPA
> manages the DNS itself and HTTP-01 is often not an option, for example when
> using ACME on vSphere.
Can