When using 3rd-party signed HTTP certificate in a CA-ful deployment, check that the certificate contains the ipa-ca.$DOMAIN dNSName so that ACME will work.
We do not need to enforce this on CA-less deployments.
@ftweedal I'm trying to decide how we want to enforce it. I can see a couple of options.
#1 is far easier to implement but I think #2 is probably more user-friendly.
I prefer #2, but there is an even looser option: not to prevent anything, only warn about it. e.g. if ACME is enabled and CA server HTTP cert does not have ipa-ca.$DOMAIN DNS-ID, then it becomes a health check warning.
My thinking here is that when there is LDAP-based configuration, ACME service enablement will be propagated topology-wide due to LDAP replication, but a proactive topology-wide check is not possible. So to me it makes sense to have a healthcheck check, and also a warning where possible, but not actually enforce anything (because it can't be done consistently anyway).
Approaches #2 and "#2.5" also acknowledge the scenario of existing deployment using 3rd-party HTTP cert. i.e. we can't prevent those certs being installed because they are already installed.
Yes, global enablement could be a problem since we can't check all certs. A healthcheck would certainly mitigate that, or at least alert users to it. Troubleshooting that would be interesting as perhaps at random some requests would be fine and others would fail with likely cryptic errors.
I can certainly alert users that install their own certs that if they ever want to consider enabling ACME then they'll need to do additional stuff if a SAN is not included.
healthcheck issue https://github.com/freeipa/freeipa-healthcheck/issues/152
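As an added illustration of the check discussed in this ticket (this is example code, not part of FreeIPA or freeipa-healthcheck), the following Python snippet inspects an HTTP server certificate's subjectAltName for the `ipa-ca.$DOMAIN` dNSName and reports a healthcheck-style result: a WARNING when ACME is enabled and the name is missing, SUCCESS otherwise, and nothing enforced on CA-less deployments. The domain `example.test`, the function names, and the self-signed test certificates are all constructed here for the example; the real healthcheck plugin would load the certificate from the server's NSS database or PEM file instead.

```python
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID


def acme_san_name(domain):
    """The dNSName ACME clients will connect to: ipa-ca.$DOMAIN (case-insensitive)."""
    return f"ipa-ca.{domain}".lower()


def san_dns_names(cert):
    """Return all dNSName entries of the certificate's SAN, lower-cased.

    A certificate with no SAN extension at all yields an empty list rather
    than raising, so the caller treats it like any other missing name.
    """
    try:
        ext = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName)
    except x509.ExtensionNotFound:
        return []
    return [name.lower() for name in ext.value.get_values_for_type(x509.DNSName)]


def check_acme_san(cert_pem, domain, acme_enabled=True, ca_less=False):
    """Healthcheck-style verdict: (level, message).

    Mirrors the ticket discussion: warn rather than enforce, and only when
    ACME is enabled on a CA-ful deployment.
    """
    if ca_less:
        return ("SUCCESS", "CA-less deployment; ipa-ca dNSName not required")
    cert = x509.load_pem_x509_certificate(cert_pem)
    wanted = acme_san_name(domain)
    if wanted in san_dns_names(cert):
        return ("SUCCESS", f"HTTP certificate contains dNSName {wanted}")
    if acme_enabled:
        return ("WARNING", f"ACME is enabled but HTTP certificate lacks dNSName {wanted}; "
                           "ACME clients will fail TLS verification against this server")
    return ("SUCCESS", f"HTTP certificate lacks dNSName {wanted}; "
                       "it must be added before ACME can be enabled")


def make_test_cert(common_name, dns_names=()):
    """Constructed self-signed certificate (PEM) standing in for a 3rd-party HTTP cert."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    now = datetime.now(timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - timedelta(minutes=5))
        .not_valid_after(now + timedelta(days=1))
    )
    if dns_names:  # omit the SAN entirely when no names are given
        builder = builder.add_extension(
            x509.SubjectAlternativeName([x509.DNSName(n) for n in dns_names]),
            critical=False,
        )
    cert = builder.sign(key, hashes.SHA256())
    return cert.public_bytes(serialization.Encoding.PEM)


if __name__ == "__main__":
    # Constructed inputs: one cert with the ACME name, one without, one with no SAN.
    domain = "example.test"
    with_acme = make_test_cert("ipa.example.test", ["ipa.example.test", "ipa-ca.example.test"])
    without_acme = make_test_cert("ipa.example.test", ["ipa.example.test"])
    no_san = make_test_cert("ipa.example.test")
    for label, pem in [("with ipa-ca", with_acme), ("without ipa-ca", without_acme), ("no SAN", no_san)]:
        level, msg = check_acme_san(pem, domain)
        print(f"{label:15s} -> {level}: {msg}")
```

The case-insensitive comparison matters because DNS names in certificates are frequently mixed case while the realm-derived domain is usually lower-cased; comparing raw strings would produce false warnings.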
Metadata Update from @rcritten:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)