#5431 [RFE] Option to acquire publicly trusted HTTP/LDAP certs from Let's Encrypt
Opened 8 years ago by ftweedal. Modified 7 years ago

Let's Encrypt is a free, public, publicly trusted CA. The ACME protocol is
used for automated Domain Validation, cert issuance and renewal.

Because users replacing HTTP / LDAP certs with publicly trusted certs
is a common activity, it could be worthwhile to provide an option to
acquire these certs from Let's Encrypt and install them.

Certmonger should be able to renew the certs at the Let's Encrypt CA as well.


Just to note: the Fedora Server SIG discussed Let's Encrypt today and indicated a strong interest in this.

Certs signed by Let's Encrypt are recognized by web browsers with no special effort, whereas certs signed by an org's CA system are recognized by the org's system clients.

LE certs cross-signed by the org's CA would be recognized by both types of clients. The extra value this would add to FreeIPA being able to manage LE certs makes this project extra worthwhile, IMO. ;)

Cross-signing should not be necessary. LE certs are publicly trusted,
either directly (LE is beginning to be included in important trust stores,
i.e. Mozilla, Apple, etc.), or indirectly (cross-signed by IdenTrust).

FreeIPA clients can trust the IPA CA alongside the usually-trusted roots.
If necessary, the LE root cert can be explicitly added to IPA as a trusted
CA, which will push the root cert out to clients.
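The cross-signing point made above (one leaf chains to whichever root the client trusts, provided the matching cross-signed intermediate is presented), as an added example that is not part of the ticket or of FreeIPA: a throw-away PKI built with openssl in a temporary directory. The root and intermediate names and the host ipa.example.test are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the ticket or FreeIPA): build a throw-away PKI with
# openssl to show why a cross-signed intermediate lets one leaf certificate
# chain to either of two independent roots. All names are constructed.
set -eu

newkey() { openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$1" 2>/dev/null; }

selfsigned_root() { # $1 = root name -> $1.key, $1.pem (req -x509 sets CA:TRUE)
  newkey "$1.key"
  openssl req -x509 -new -key "$1.key" -subj "/CN=Demo $1" -days 30 -out "$1.pem" 2>/dev/null
}

# Cross-signing: ONE intermediate key and subject, but a separate certificate
# issued by each root. The leaf's AKID is keyid-only, so it matches both.
sign_intermediate() { # $1 = root name, $2 = output file
  printf '%s\n' 'basicConstraints=critical,CA:TRUE' 'keyUsage=critical,keyCertSign,cRLSign' \
    'subjectKeyIdentifier=hash' 'authorityKeyIdentifier=keyid' > ca.ext
  openssl x509 -req -in int.csr -CA "$1.pem" -CAkey "$1.key" -CAcreateserial -days 30 \
    -extfile ca.ext -out "$2" 2>/dev/null
}

verifies() { # $1 = root the client trusts, $2 = intermediate the server presents
  openssl verify -CAfile "$1" -untrusted "$2" leaf.pem >/dev/null 2>&1
}

# Exit status 0 when the leaf chains to both roots via the matching intermediate
# and fails to chain when the wrong intermediate is presented.
demo_cross_sign() (
  cd "$(mktemp -d)"
  selfsigned_root rootA
  selfsigned_root rootB
  newkey int.key
  openssl req -new -key int.key -subj "/CN=Demo Intermediate" -out int.csr 2>/dev/null
  sign_intermediate rootA int-by-A.pem
  sign_intermediate rootB int-by-B.pem
  newkey leaf.key
  openssl req -new -key leaf.key -subj "/CN=ipa.example.test" -out leaf.csr 2>/dev/null
  printf '%s\n' 'basicConstraints=CA:FALSE' 'extendedKeyUsage=serverAuth' \
    'subjectAltName=DNS:ipa.example.test' 'authorityKeyIdentifier=keyid' > leaf.ext
  openssl x509 -req -in leaf.csr -CA int-by-A.pem -CAkey int.key -CAcreateserial -days 30 \
    -extfile leaf.ext -out leaf.pem 2>/dev/null
  verifies rootA.pem int-by-A.pem || exit 1   # client trusting root A: OK
  verifies rootB.pem int-by-B.pem || exit 1   # client trusting only root B: OK
  ! verifies rootB.pem int-by-A.pem           # wrong intermediate: no path to root B
)

demo_cross_sign && echo "leaf verifies under both roots via its cross-signed intermediate"
```

The third check is the practical caveat: a client that only trusts root B still needs the server to send the intermediate certificate issued by root B, so which intermediate the service is configured to present matters as much as which root the client has.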

Metadata Update from @ftweedal:
- Issue assigned to someone
- Issue set to the milestone: Future Releases

7 years ago

