#4751 Implement ACME certificate enrolment
Closed: fixed a year ago by rcritten. Opened 6 years ago by ftweedal.

The Automatic Certificate Management Environment (ACME) protocol has been
proposed by the letsencrypt initiative as a standard protocol for domain
validation and certificate issuance. The overview from the spec[1]:

ACME allows a client to request certificate management actions using
a set of JSON messages carried over HTTPS. It is a prerequisite for
this process that the client be configured with the HTTPS URI for the
server. ACME messages MUST NOT be carried over "plain" HTTP, without
HTTPS semantics.

[1] https://raw.githubusercontent.com/letsencrypt/acme-spec/master/draft-barnes-acme.txt

If this initiative gains traction, FreeIPA (and/or Dogtag) should provide an
ACME server for certificate issuance. Which challenge types it makes sense
to support will need to be investigated.


This initiative already gained huge traction and is entering public beta today. The first thing I was checking for is if there's FreeIPA support. Will help with testing.

Replying to [comment:3 rmarko]:

This initiative already gained huge traction and is entering public beta today. The first thing I was checking for is if there's FreeIPA support. Will help with testing.

rmarko: this ticket is for implementing ACME enrolment to the IPA CA, not enrolment under Let's Encrypt CA.
Please outline your expectations for getting certificates from Let's Encrypt CA in #5431.

Metadata Update from @ftweedal:
- Issue assigned to someone
- Issue set to the milestone: FreeIPA 4.5 backlog

4 years ago

Metadata Update from @ftweedal:
- Issue assigned to ftweedal (was: someone)
- Issue close_status updated to: None
- Issue set to the milestone: None (was: FreeIPA 4.5 backlog)

2 years ago

Metadata Update from @ftweedal:
- Issue marked as depending on: #8186

2 years ago

Created and linked ticket https://pagure.io/freeipa/issue/8186 for the "add ipa-ca.$DOMAIN dnsname to IPA server HTTP certs" part.

master:

  • 0711c4a certmonger: avoid mutable default argument
  • e0fb381 certmonger: move 'criteria' description to module docstring
  • 18ebd11 certmonger: support dnsname as request search criterion
  • 4cf9c86 httpinstance: add fqdn and ipa-ca alias to Certmonger request
  • f7c4564 cert-request: allow ipa-ca.$DOMAIN dNSName for IPA servers
  • 4d5b5a9 httpinstance: add ipa-ca.$DOMAIN alias in initial request
  • cf4c2c6 upgrade: add ipa-ca.$DOMAIN alias to HTTP certificate
  • 45b5384 (HEAD) ipatests: check HTTP certificate contains ipa-ca.$DOMAIN dnsname

ipa-4-8:

  • 0e9b777 certmonger: avoid mutable default argument
  • ff7d066 certmonger: move 'criteria' description to module docstring
  • b127bad certmonger: support dnsname as request search criterion
  • 5287358 httpinstance: add fqdn and ipa-ca alias to Certmonger request
  • 4b24129 cert-request: allow ipa-ca.$DOMAIN dNSName for IPA servers
  • 5275342 httpinstance: add ipa-ca.$DOMAIN alias in initial request
  • c445cef upgrade: add ipa-ca.$DOMAIN alias to HTTP certificate
  • 8e92190 ipatests: check HTTP certificate contains ipa-ca.$DOMAIN dnsname

Metadata Update from @ftweedal:
- Custom field design adjusted to https://www.freeipa.org/page/V4/ACME
- Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/4723 (was: 0)
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1851835 (was: todo)

a year ago

master:

  • 2b6faa3 acme: ipa-pki-proxy: proxy /acme to Dogtag
  • dd301a4 acme: set up ACME service when configuring CA
  • 5883cff dogtaginstance: extract user creation to subroutine.
  • a21823d dogtaginstance: add ensure_group method
  • b356529 acme: create ACME RA account
  • c309d4a acme: add Dogtag ACL to allow ACME agents to revoke certs
  • 3c8352f acme: add certificate profile
  • d15000b acme: configure ACME service on upgrade
  • 00a8446 acme: configure engine.conf and disable by default
  • 083c6ae acme: add ipa-acme-manage command
  • 7b00035 acme: add integration test
  • ab7226d acme: add integration test to nightly CI
  • bb6d849 acme: add integration tests to gating
  • 85d0272 acme: add mod_md integration test
  • f9f3b3b acme: handle alternative schema ldif location
  • e976dde acme: add revocation test
  • a83eaa8 acme: add certbot dns script
  • 678b8e6 acme: add certbot dns-01 test
  • 525b946 acme: enable mod_md tests on Fedora
  • 1f72056 acme: delete ACME RA account on server uninstall

Metadata Update from @rcritten:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

a year ago

Created a separate ticket for deployment-wide (replicated) configuration of ACME service: https://pagure.io/freeipa/issue/8410 .

master:

  • 9dccf17 External-CA scenarios for ACME service
  • cbbfcd9 PEP8 fixes for test_acme.py
  • c4a6b0e Move acme client installation part to classmethod

Metadata Update from @rcritten:
- Custom field changelog adjusted to Configure the Automatic Certificate Management Environment (ACME) protocol support provided by the dogtag CA.

10 months ago

master:

  • d2ca791 ipatests: Test if ACME renews the issued cert with certbot

ipa-4-9:

  • a7ff408 ipatests: Test if ACME renews the issued cert with certbot
