Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1255765
Description of problem:

When you install a new server, a certificate is generated for use on the administrative web interface. Since this is self-signed, it can be MITM'ed when connecting from non-localhost.

Since we are setting up the DNS (and even populate it already with sshfp records, good job!) we should also add the TLSA record for that to _443._tcp.[KDC SERVER]

This can be done with the "tlsa" tool that is part of hash-slinger:

[root@kdc ~]# yum install hash-slinger
[...]
[root@kdc ~]# tlsa kdc.ipa.nohats.ca
Error: Answer was not DNSSEC-secure
Error: Answer was not DNSSEC-secure
[root@kdc ~]# tlsa --insecure kdc.ipa.nohats.ca
Warning: query data is not secure.
Warning: query data is not secure.
Got a certificate with Subject: /O=IPA.NOHATS.CA/CN=kdc.ipa.nohats.ca
_443._tcp.kdc.ipa.nohats.ca. IN TLSA 3 0 1 7f08fc198712cbf288d2748cd2fbf2f3ad6db8cd861a6ff98a04de3655ee224f
Got a certificate with Subject: /O=IPA.NOHATS.CA/CN=kdc.ipa.nohats.ca
_443._tcp.kdc.ipa.nohats.ca. IN TLSA 3 0 1 7f08fc198712cbf288d2748cd2fbf2f3ad6db8cd861a6ff98a04de3655ee224f
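What the tlsa tool produces above is a "3 0 1" record: usage 3 (DANE-EE, trust this end-entity certificate directly), selector 0 (the full DER certificate), matching type 1 (SHA-256 of it). The following is an added stdlib-only Python example, not part of the ticket or of FreeIPA or hash-slinger, that builds such a record from a PEM certificate and checks a presented certificate against a record, refusing any record that was not DNSSEC-validated (the situation the tool's "Answer was not DNSSEC-secure" error reports). The host name and the "certificate" bytes are constructed placeholders, not a real certificate.

```python
import base64
import hashlib
import re

# Constructed stand-in for a DER certificate so the example runs offline;
# in practice pass the PEM of the IPA web server certificate instead.
SAMPLE_DER = b"constructed-der-bytes-not-a-real-certificate" * 4


def make_pem(der: bytes) -> str:
    """Wrap DER bytes in PEM armor (helper for the constructed sample)."""
    return ("-----BEGIN CERTIFICATE-----\n" + base64.b64encode(der).decode()
            + "\n-----END CERTIFICATE-----\n")


def pem_to_der(pem: str) -> bytes:
    """Strip PEM armor and base64-decode the body back to DER."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block in PEM input")
    return base64.b64decode("".join(m.group(1).split()))


def tlsa_rdata(der: bytes, usage: int = 3, selector: int = 0, mtype: int = 1) -> str:
    """Build TLSA rdata. Only selector 0 (full certificate) is handled;
    selector 1 (SubjectPublicKeyInfo) would need an ASN.1 parser."""
    if selector != 0:
        raise NotImplementedError("selector 1 requires DER parsing")
    if mtype == 0:        # exact match on the full certificate
        assoc = der.hex()
    elif mtype == 1:      # SHA-256, what the tool emitted above
        assoc = hashlib.sha256(der).hexdigest()
    elif mtype == 2:      # SHA-512
        assoc = hashlib.sha512(der).hexdigest()
    else:
        raise ValueError("unknown matching type %d" % mtype)
    return "%d %d %d %s" % (usage, selector, mtype, assoc)


def tlsa_record(host: str, pem: str, port: int = 443, proto: str = "tcp") -> str:
    """Full zone-file line, e.g. _443._tcp.kdc.example. IN TLSA 3 0 1 <hex>."""
    return "_%d._%s.%s. IN TLSA %s" % (port, proto, host.rstrip("."), tlsa_rdata(pem_to_der(pem)))


def cert_matches_tlsa(pem: str, rdata: str, dnssec_secure: bool) -> bool:
    """Verify a presented certificate against TLSA rdata. A record that did
    not arrive DNSSEC-validated proves nothing, so it is rejected outright."""
    if not dnssec_secure:
        return False
    usage, selector, mtype, assoc = rdata.split()
    if usage != "3" or selector != "0":
        return False  # only DANE-EE with the full-certificate selector here
    expected = tlsa_rdata(pem_to_der(pem), 3, 0, int(mtype)).split()[-1]
    return expected == assoc.lower()
```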
Metadata Update from @pvoborni:
- Issue assigned to someone
- Issue set to the milestone: FreeIPA 4.5 backlog