#5249 [RFE] installer should generate TLSA record and put in the DNS zone for the webgui
Opened 8 years ago by pvoborni. Modified 7 years ago

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1255765

Description of problem:

When you install a new server, a certificate is generated for use on the
administrative web interface. Since this is self-signed, it can be MITM'ed when
connecting from non-localhost.

Since we are setting up the DNS (and even populate it already with SSHFP
records, good job!), we should also add the TLSA record for that to
_443._tcp.[KDC SERVER].

This can be done with the "tlsa" tool that is part of hash-slinger:

[root@kdc ~]# yum install hash-slinger
[...]
[root@kdc ~]# tlsa kdc.ipa.nohats.ca
Error: Answer was not DNSSEC-secure
Error: Answer was not DNSSEC-secure
[root@kdc ~]# tlsa --insecure kdc.ipa.nohats.ca
Warning: query data is not secure.
Warning: query data is not secure.
Got a certificate with Subject: /O=IPA.NOHATS.CA/CN=kdc.ipa.nohats.ca
_443._tcp.kdc.ipa.nohats.ca. IN TLSA 3 0 1
7f08fc198712cbf288d2748cd2fbf2f3ad6db8cd861a6ff98a04de3655ee224f
Got a certificate with Subject: /O=IPA.NOHATS.CA/CN=kdc.ipa.nohats.ca
_443._tcp.kdc.ipa.nohats.ca. IN TLSA 3 0 1
7f08fc198712cbf288d2748cd2fbf2f3ad6db8cd861a6ff98a04de3655ee224f
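Added example, not FreeIPA code and not the hash-slinger tool: a standard-library-only Python version of what the tlsa output above encodes. A "3 0 1" record is usage 3 (DANE-EE, pin the end-entity certificate), selector 0 (the whole DER certificate), matching type 1 (SHA-256), so the hex string is simply the SHA-256 of the certificate's DER bytes. The block also produces selector 1 (SubjectPublicKeyInfo only) and checks a served certificate against a published record. The host name kdc.example.test and the certificate bytes are constructed here (a structurally valid but unsigned dummy); a real deployment would read the DER from the web server's certificate file.

```python
"""
Compute and verify DANE TLSA records (RFC 6698) for a DER-encoded X.509
certificate with only the Python standard library.

Added example for this ticket; it is not FreeIPA code and does not call the
'tlsa' tool from hash-slinger.  The certificate built below is a CONSTRUCTED,
structurally valid but unsigned dummy so the example runs offline.
"""
import hashlib


def der(tag, content):
    """Encode one DER TLV with a short or long definite length."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + content


def der_elements(buf, start, end):
    """Yield (tag, elem_start, value_start, value_end) for each TLV in buf[start:end]."""
    pos = start
    while pos < end:
        tag, length_byte = buf[pos], buf[pos + 1]
        value_start = pos + 2
        if length_byte & 0x80:                      # long form: next N bytes hold the length
            n = length_byte & 0x7F
            length = int.from_bytes(buf[value_start:value_start + n], "big")
            value_start += n
        else:
            length = length_byte
        value_end = value_start + length
        if value_end > end:
            raise ValueError("DER element overruns its container")
        yield tag, pos, value_start, value_end
        pos = value_end


def extract_spki(cert_der):
    """Return the DER bytes of subjectPublicKeyInfo (what TLSA selector 1 covers)."""
    # Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    _, _, cert_vs, cert_ve = next(der_elements(cert_der, 0, len(cert_der)))
    _, _, tbs_vs, tbs_ve = next(der_elements(cert_der, cert_vs, cert_ve))
    # TBSCertificate fields in order: [0] version (optional), serialNumber,
    # signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    fields = list(der_elements(cert_der, tbs_vs, tbs_ve))
    if fields and fields[0][0] == 0xA0:             # explicit [0] version present
        fields = fields[1:]
    tag, elem_start, _, value_end = fields[5]
    if tag != 0x30:
        raise ValueError("subjectPublicKeyInfo is not a SEQUENCE")
    return cert_der[elem_start:value_end]


def tlsa_rdata(cert_der, usage=3, selector=0, mtype=1):
    """Presentation-format rdata 'usage selector mtype hexdata' for one certificate."""
    if selector not in (0, 1):
        raise ValueError(f"unknown selector {selector}")
    data = cert_der if selector == 0 else extract_spki(cert_der)
    if mtype == 0:
        assoc = data                                # exact match: full data in the zone
    elif mtype == 1:
        assoc = hashlib.sha256(data).digest()       # the '3 0 1' form the tlsa tool prints
    elif mtype == 2:
        assoc = hashlib.sha512(data).digest()
    else:
        raise ValueError(f"unknown matching type {mtype}")
    return f"{usage} {selector} {mtype} {assoc.hex()}"


def tlsa_record(host, cert_der, port=443, proto="tcp", **kw):
    """Zone-file line for the service, e.g. _443._tcp.kdc.example.test. IN TLSA ..."""
    return f"_{port}._{proto}.{host}. IN TLSA {tlsa_rdata(cert_der, **kw)}"


def tlsa_matches(rdata, cert_der):
    """True if a served certificate satisfies a published TLSA rdata string.

    Only usage 3 (DANE-EE) is handled: the end-entity certificate is compared
    directly, with no chain validation.  Usages 0-2 also require PKIX
    validation, so they are rejected here rather than silently accepted."""
    usage, selector, mtype, assoc_hex = rdata.split()
    if int(usage) != 3:
        raise NotImplementedError("only DANE-EE (usage 3) is verified here")
    expected = tlsa_rdata(cert_der, 3, int(selector), int(mtype))
    return expected.split()[3] == assoc_hex.lower()


def _name(cn):
    """Name ::= SEQUENCE OF SET OF { commonName OID, UTF8String } (one RDN)."""
    return der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03") + der(0x0C, cn.encode()))))


def build_dummy_cert(cn, serial):
    """CONSTRUCTED unsigned certificate shell; signature bits are zeros, key bits are placeholders."""
    sha256_rsa = der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + der(0x05, b""))
    rsa_alg = der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01") + der(0x05, b""))
    spki = der(0x30, rsa_alg + der(0x03, b"\x00" + bytes(range(1, 17))))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02"))                       # version v3
                    + der(0x02, bytes([serial]))                         # serialNumber
                    + sha256_rsa                                         # signature
                    + _name("Dummy CA")                                  # issuer
                    + der(0x30, der(0x17, b"250101000000Z") + der(0x17, b"260101000000Z"))
                    + _name(cn)                                          # subject
                    + spki)                                              # subjectPublicKeyInfo
    cert = der(0x30, tbs + sha256_rsa + der(0x03, b"\x00" + bytes(8)))
    return cert, spki


# Constructed sample input: the dummy certificate for a hypothetical host name.
SAMPLE_CERT_DER, SAMPLE_SPKI_DER = build_dummy_cert("kdc.example.test", 1)

if __name__ == "__main__":
    print(tlsa_record("kdc.example.test", SAMPLE_CERT_DER))
    print(tlsa_record("kdc.example.test", SAMPLE_CERT_DER, selector=1))
    print(tlsa_matches(tlsa_rdata(SAMPLE_CERT_DER), SAMPLE_CERT_DER))
```

Two points the block makes visible: a selector 1 record pins the key rather than the certificate, so it keeps matching after the certificate is reissued with the same key, whereas the "3 0 1" form above must be replaced on every renewal; and a TLSA record only protects clients when the zone is DNSSEC-signed, which is exactly what the "Answer was not DNSSEC-secure" error in the session above is complaining about before --insecure overrides it.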

Metadata Update from @pvoborni (7 years ago):
- Issue assigned to someone
- Issue set to the milestone: FreeIPA 4.5 backlog
