Re: [Freeipa-users] FreeIPA and LetsEncrypt Question
On 2.12.2015 15:25, Günther J. Niederwimmer wrote:
> Hello All,
>
> On Wednesday 02 December 2015, 21:10:31, Fraser Tweedale wrote:
>> On Mon, Nov 30, 2015 at 02:46:13PM +0200, Alexander Bokovoy wrote:
>>> On Mon, 30 Nov 2015, Günther J. Niederwimmer wrote:
>>>> Hello,
>>>>
>>>> I have a question, does any of the FreeIPA "Gurus" ;-) know: are the new
>>>> upcoming LetsEncrypt certificates compatible and working with FreeIPA?
>>>
>>> We have plans to support issuing certificates via Let's Encrypt.
>>
>> Günther, what are your specific wishes - to automatically acquire LE
>> certs for FreeIPA server's HTTP and LDAP? Arbitrary hosts or
>> services that are managed by FreeIPA?
>
> My wishes :-)).
>
> If I can have wishes, I mean all ;-)
>
> But a nice integration for IMAP, SMTP, LDAP, HTTPS ... would be a dream.
>
> Now I am making a test with FreeIPA and "DANE"; I hope this is working?

IPA allows you to DNSSEC-sign the domain, the rest is up to you. You have to create TLSA records for your certificates, put these into a DNSSEC-signed domain and then get *clients* to respect them.

In other words, IPA does nothing except DNSSEC-signing of DNS domains.

>>> However, right now Let's Encrypt only issues server certificates, not
>>> CA roots, so you cannot use them to bootstrap IPA CA.
>>
>> This will probably always be the case.

--
Petr^2 Spacek

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
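The TLSA step described in the reply above, as an added example that is not part of the thread or of FreeIPA: it derives the record data from a certificate's public key (usage 3, selector 1, SHA-256, per RFC 6698). The host name, port and the certificate-shaped sample bytes are constructed for illustration.

```python
import hashlib

def _tlv(buf, off):
    """Return (tag, value_start, end) of the DER element starting at off."""
    tag, length, start = buf[off], buf[off + 1], off + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, start = int.from_bytes(buf[start:start + n], "big"), start + n
    if start + length > len(buf):
        raise ValueError("truncated DER")
    return tag, start, start + length

def spki_from_cert(der):
    """Return the whole SubjectPublicKeyInfo element of a DER X.509 certificate."""
    _, pos, _ = _tlv(der, 0)               # Certificate ::= SEQUENCE
    tag, pos, tbs_end = _tlv(der, pos)     # tbsCertificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a certificate")
    elems = []
    while pos < tbs_end:
        tag, _, end = _tlv(der, pos)
        elems.append((tag, der[pos:end]))
        pos = end
    if elems[0][0] == 0xA0:                # optional [0] EXPLICIT version (absent in v1)
        elems.pop(0)
    # remaining order: serial, signature alg, issuer, validity, subject, SPKI
    return elems[5][1]

def tlsa_data(der, selector=1, mtype=1):
    """Certificate association data: selector 0 = full cert, 1 = SPKI."""
    blob = der if selector == 0 else spki_from_cert(der)
    if mtype == 0:                         # matching type 0 = exact bytes
        return blob.hex()
    return {1: hashlib.sha256, 2: hashlib.sha512}[mtype](blob).hexdigest()

def tlsa_record(host, port, der, usage=3, selector=1, mtype=1):
    """Zone-file line to publish in the DNSSEC-signed zone."""
    data = tlsa_data(der, selector, mtype)
    return f"_{port}._tcp.{host}. IN TLSA {usage} {selector} {mtype} {data}"

def _seq(tag, *parts):                     # tiny DER encoder, sample data only
    body = b"".join(parts)
    return bytes([tag, len(body)]) + body  # short-form length: body < 128 bytes

# Constructed, certificate-shaped DER (dummy key and signature, not a real cert).
SPKI = _seq(0x30, _seq(0x30, _seq(0x06, b"\x2b\x65\x70")),
            _seq(0x03, b"\x00" + b"\x11" * 32))
TBS = _seq(0x30, _seq(0xA0, _seq(0x02, b"\x02")), _seq(0x02, b"\x01"),
           _seq(0x30), _seq(0x30), _seq(0x30), _seq(0x30), SPKI)
SAMPLE_CERT = _seq(0x30, TBS, _seq(0x30), _seq(0x03, b"\x00"))

if __name__ == "__main__":
    print(tlsa_record("ipa.example.test", 443, SAMPLE_CERT))
```

Selector 1 pins the public key rather than the whole certificate, so the record stays valid across renewals as long as the key is reused.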
Re: [Freeipa-users] FreeIPA and LetsEncrypt Question
Hello All,

On Wednesday 02 December 2015, 21:10:31, Fraser Tweedale wrote:
> On Mon, Nov 30, 2015 at 02:46:13PM +0200, Alexander Bokovoy wrote:
>> On Mon, 30 Nov 2015, Günther J. Niederwimmer wrote:
>>> Hello,
>>>
>>> I have a question, does any of the FreeIPA "Gurus" ;-) know: are the new
>>> upcoming LetsEncrypt certificates compatible and working with FreeIPA?
>>
>> We have plans to support issuing certificates via Let's Encrypt.
>
> Günther, what are your specific wishes - to automatically acquire LE
> certs for FreeIPA server's HTTP and LDAP? Arbitrary hosts or
> services that are managed by FreeIPA?

My wishes :-)).

If I can have wishes, I mean all ;-)

But a nice integration for IMAP, SMTP, LDAP, HTTPS ... would be a dream.

Now I am making a test with FreeIPA and "DANE"; I hope this is working?

>> However, right now Let's Encrypt only issues server certificates, not
>> CA roots, so you cannot use them to bootstrap IPA CA.
>
> This will probably always be the case.
>
> Cheers,
> Fraser

--
Best regards,
Günther J. Niederwimmer
Re: [Freeipa-users] FreeIPA and LetsEncrypt Question
Have a look at a recent thread that I had started. You might be able to do it manually for http/ldap certs. However, there were some issues which I haven't figured out yet. You might have better luck. Anyone should be able to try it out given that LE enters public beta in a couple of days.

On Mon, Nov 30, 2015 at 4:46 AM, Alexander Bokovoy wrote:
> On Mon, 30 Nov 2015, Günther J. Niederwimmer wrote:
>
>> Hello,
>>
>> I have a question, does any of the FreeIPA "Gurus" ;-) know: are the new
>> upcoming LetsEncrypt certificates compatible and working with FreeIPA?
>
> We have plans to support issuing certificates via Let's Encrypt.
>
> However, right now Let's Encrypt only issues server certificates, not
> CA roots, so you cannot use them to bootstrap IPA CA.
> --
> / Alexander Bokovoy
Re: [Freeipa-users] FreeIPA and LetsEncrypt Question
On Mon, Nov 30, 2015 at 02:46:13PM +0200, Alexander Bokovoy wrote:
> On Mon, 30 Nov 2015, Günther J. Niederwimmer wrote:
>> Hello,
>>
>> I have a question, does any of the FreeIPA "Gurus" ;-) know: are the new
>> upcoming LetsEncrypt certificates compatible and working with FreeIPA?
>
> We have plans to support issuing certificates via Let's Encrypt.

Günther, what are your specific wishes - to automatically acquire LE certs for FreeIPA server's HTTP and LDAP? Arbitrary hosts or services that are managed by FreeIPA?

> However, right now Let's Encrypt only issues server certificates, not
> CA roots, so you cannot use them to bootstrap IPA CA.

This will probably always be the case.

Cheers,
Fraser

> --
> / Alexander Bokovoy
Re: [Freeipa-users] FreeIPA and LetsEncrypt Question
On Mon, 30 Nov 2015, Günther J. Niederwimmer wrote:
> Hello,
>
> I have a question, does any of the FreeIPA "Gurus" ;-) know: are the new
> upcoming LetsEncrypt certificates compatible and working with FreeIPA?

We have plans to support issuing certificates via Let's Encrypt.

However, right now Let's Encrypt only issues server certificates, not CA roots, so you cannot use them to bootstrap IPA CA.

--
/ Alexander Bokovoy