Re: [Freeipa-users] FreeIPA and LetsEncrypt Question

2015-12-03 Thread Petr Spacek
On 2.12.2015 15:25, Günther J. Niederwimmer wrote:
> Hello All,
> 
> On Wednesday 02 December 2015, 21:10:31, Fraser Tweedale wrote:
>> On Mon, Nov 30, 2015 at 02:46:13PM +0200, Alexander Bokovoy wrote:
>>> On Mon, 30 Nov 2015, Günther J. Niederwimmer wrote:
>>>> Hello ,
>>>>
>>>> I have the question, know any from the FreeIPA "Gurus" ;-), are the new
>>>> upcoming LetsEncrypt Certificates compatible and working with FreeIPA?
>>>
>>> We have plans to support issuing certificates via Let's Encrypt.
>>
>> Günther, what are your specific wishes - to automatically acquire LE
>> certs for FreeIPA server's HTTP and LDAP?  Arbitrary hosts or
>> services that are managed by FreeIPA?
> 
> My wishes :-)).
> 
> when I can have wishes, I mean all ;-) 
> 
> But I nice Integration for IMAP, SMTP, LDAP, HTTPS ... was a dream.
> 
> Now I make a test with FreeIPA and "DANE" I hope this is working ?.

IPA allows you to DNSSEC-sign the domain; the rest is up to you. You have to
create TLSA records for your certificates, put these into the DNSSEC-signed
domain and then get *clients* to respect them.

In other words, IPA does nothing except DNSSEC-signing of DNS domains.

>>> However, right now Let's encrypt only issues server certificates, not
>>> CA roots, so you cannot use them to bootstrap IPA CA.
>>
>> This will probably always be the case.

-- 
Petr^2 Spacek

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] FreeIPA and LetsEncrypt Question

2015-12-02 Thread Günther J. Niederwimmer
Hello All,

On Wednesday 02 December 2015, 21:10:31, Fraser Tweedale wrote:
> On Mon, Nov 30, 2015 at 02:46:13PM +0200, Alexander Bokovoy wrote:
> > On Mon, 30 Nov 2015, Günther J. Niederwimmer wrote:
> > >Hello ,
> > >
> > >I have the question, know any from the FreeIPA "Gurus" ;-), are the new
> > >upcoming LetsEncrypt Certificates compatible and working with FreeIPA?
> > 
> > We have plans to support issuing certificates via Let's Encrypt.
> 
> Günther, what are your specific wishes - to automatically acquire LE
> certs for FreeIPA server's HTTP and LDAP?  Arbitrary hosts or
> services that are managed by FreeIPA?

My wishes :-)).

If I can have wishes, I mean all of them ;-)

But a nice integration for IMAP, SMTP, LDAP, HTTPS ... would be a dream.

Now I am making a test with FreeIPA and "DANE"; I hope this is working?

 
> > However, right now Let's encrypt only issues server certificates, not
> > CA roots, so you cannot use them to bootstrap IPA CA.
> 
> This will probably always be the case.
> 
> Cheers,
> Fraser

-- 
mit freundlichen Grüßen / best regards,

  Günther J. Niederwimmer



Re: [Freeipa-users] FreeIPA and LetsEncrypt Question

2015-12-02 Thread Fraser Tweedale
On Mon, Nov 30, 2015 at 02:46:13PM +0200, Alexander Bokovoy wrote:
> On Mon, 30 Nov 2015, Günther J. Niederwimmer wrote:
> >Hello ,
> >
> >I have the question, know any from the FreeIPA "Gurus" ;-), are the new
> >upcoming LetsEncrypt Certificates compatible and working with FreeIPA?
> We have plans to support issuing certificates via Let's Encrypt.
> 
Günther, what are your specific wishes - to automatically acquire LE
certs for FreeIPA server's HTTP and LDAP?  Arbitrary hosts or
services that are managed by FreeIPA?

> However, right now Let's encrypt only issues server certificates, not
> CA roots, so you cannot use them to bootstrap IPA CA.
>
This will probably always be the case.

Cheers,
Fraser

> -- 
> / Alexander Bokovoy
> 


Re: [Freeipa-users] FreeIPA and LetsEncrypt Question

2015-12-02 Thread Prasun Gera
Have a look at a recent thread that I had started. You might be able to do
it manually for http/ldap certs. However, there were some issues which I
haven't figured out yet. You might have better luck. Anyone should be able
to try it out given that LE enters public beta in a couple of days.

On Mon, Nov 30, 2015 at 4:46 AM, Alexander Bokovoy wrote:

> On Mon, 30 Nov 2015, Günther J. Niederwimmer wrote:
>
>> Hello ,
>>
>> I have the question, know any from the FreeIPA "Gurus" ;-), are the new
>> upcoming LetsEncrypt Certificates compatible and working with FreeIPA?
>>
> We have plans to support issuing certificates via Let's Encrypt.
>
> However, right now Let's encrypt only issues server certificates, not
> CA roots, so you cannot use them to bootstrap IPA CA.
> --
> / Alexander Bokovoy
>
>

Re: [Freeipa-users] FreeIPA and LetsEncrypt Question

2015-11-30 Thread Alexander Bokovoy

On Mon, 30 Nov 2015, Günther J. Niederwimmer wrote:

> Hello ,
>
> I have the question, know any from the FreeIPA "Gurus" ;-), are the new
> upcoming LetsEncrypt Certificates compatible and working with FreeIPA?

We have plans to support issuing certificates via Let's Encrypt.

However, right now Let's encrypt only issues server certificates, not
CA roots, so you cannot use them to bootstrap IPA CA.
--
/ Alexander Bokovoy



[Freeipa-users] FreeIPA and LetsEncrypt Question

2015-11-30 Thread Günther J. Niederwimmer
Hello ,

I have a question: do any of the FreeIPA "Gurus" ;-) know whether the new
upcoming LetsEncrypt certificates are compatible and work with FreeIPA?

Thanks for an answer,
-- 
mit freundlichen Grüßen / best regards,

  Günther J. Niederwimmer
