#8498 Check 3rd-party IPA server HTTP cert for ipa-ca.$DOMAIN dnsName on CA replicas
Closed: fixed 5 months ago by rcritten. Opened 7 months ago by rcritten.


When using a 3rd-party-signed HTTP certificate in a CA-ful deployment, check that the certificate contains the ipa-ca.$DOMAIN dNSName so that ACME will work.

We do not need to enforce this on CA-less deployments.

@ftweedal I'm trying to decide how we want to enforce it. I can see a couple of options.

  1. Strict: Always require ipa-ca as a SAN. This could be a pain for existing users of 3rd party certs as they might be re-using the same CSR over and over, and may have no intention of ever using ACME.
  2. Loose: Not enforcing it unless ACME is enabled, either at time of cert installation and/or if the user tries to enable the service using ipa-acme-manage enable

#1 is far easier to implement but I think #2 is probably more user-friendly.

I prefer #2, but there is an even looser option: not to prevent anything, only warn about it. e.g. if ACME is enabled and CA server HTTP cert does not have ipa-ca.$DOMAIN DNS-ID, then it becomes a health check warning.

My thinking here is that when there is LDAP-based configuration, ACME service enablement will be propagated topology-wide due to LDAP replication, but a proactive topology-wide check is not possible. So to me it makes sense to have a healthcheck check, and also a warning where possible, but not actually enforce anything (because it can't be done consistently anyway).

Approaches #2 and "#2.5" also acknowledge the scenario of existing deployment using 3rd-party HTTP cert. i.e. we can't prevent those certs being installed because they are already installed.

Yes, global enablement could be a problem since we can't check all certs. A healthcheck would certainly mitigate that, or at least alert users to it. Troubleshooting that would be interesting, as perhaps at random some requests would be fine and others would fail with likely cryptic errors.

I can certainly alert users that install their own certs that if they ever want to consider enabling ACME then they'll need to do additional stuff if a SAN is not included.
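As an added illustration (not FreeIPA's own code, and not the fix in the commits referenced on this ticket), the following Python sketch using python-cryptography shows the check being discussed: does the HTTP server certificate carry a dNSName SAN equal to ipa-ca.$DOMAIN, and what should happen under each of the enforcement options above (strict, loose, and warn-only). The `Policy` enum, the function names and the self-signed test certificate built by `make_test_cert` are this example's own constructs and are not how ipa-server-certinstall or ipa-acme-manage are implemented.

```python
"""Check an IPA HTTP server certificate for the ipa-ca.$DOMAIN dNSName SAN.

Added example, not FreeIPA project code. Requires the 'cryptography' package.
"""
import datetime
import sys
from enum import Enum

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


class Policy(Enum):
    """Hypothetical enforcement modes mirroring the options in the ticket."""
    STRICT = "strict"  # option 1: always require the SAN
    LOOSE = "loose"    # option 2: require it only when ACME is enabled
    WARN = "warn"      # option "2.5": never refuse, only warn


def has_ipa_ca_dnsname(cert: x509.Certificate, domain: str) -> bool:
    """True if the cert has a dNSName SAN equal to ipa-ca.<domain>.

    Only dNSName entries count: a matching CN, IP address or URI entry does
    not satisfy the ACME client's hostname verification for ipa-ca.<domain>.
    """
    wanted = f"ipa-ca.{domain}".lower().rstrip(".")
    try:
        san = cert.extensions.get_extension_for_class(
            x509.SubjectAlternativeName).value
    except x509.ExtensionNotFound:
        return False
    names = san.get_values_for_type(x509.DNSName)
    # DNS names are case-insensitive; tolerate a trailing dot as well
    return any(n.lower().rstrip(".") == wanted for n in names)


def check_cert(cert: x509.Certificate, domain: str,
               policy: Policy, acme_enabled: bool):
    """Return (ok, message); ok=False means the operation should be refused."""
    if has_ipa_ca_dnsname(cert, domain):
        return True, f"certificate has dNSName ipa-ca.{domain}"
    msg = f"certificate lacks dNSName ipa-ca.{domain}; ACME will not work"
    if policy is Policy.STRICT or (policy is Policy.LOOSE and acme_enabled):
        return False, msg
    return True, "warning: " + msg


def make_test_cert(dns_names):
    """Constructed self-signed certificate with the given dNSName SANs.

    Test fixture only; a real deployment would load the installed PEM with
    x509.load_pem_x509_certificate(open(path, 'rb').read()).
    """
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, dns_names[0])])
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=1))
        .add_extension(
            x509.SubjectAlternativeName([x509.DNSName(n) for n in dns_names]),
            critical=False)
    )
    return builder.sign(key, hashes.SHA256())


if __name__ == "__main__":
    # Usage: python check_ipa_ca_san.py server.pem example.test [strict|loose|warn] [acme]
    with open(sys.argv[1], "rb") as f:
        loaded = x509.load_pem_x509_certificate(f.read())
    pol = Policy(sys.argv[3]) if len(sys.argv) > 3 else Policy.LOOSE
    enabled = len(sys.argv) > 4 and sys.argv[4] == "acme"
    ok, text = check_cert(loaded, sys.argv[2], pol, enabled)
    print(text)
    sys.exit(0 if ok else 1)
```

With the loose policy a certificate without the SAN is accepted while ACME is disabled and refused once ACME is enabled; with warn-only it is always accepted and the message is what a healthcheck would surface.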

healthcheck issue https://github.com/freeipa/freeipa-healthcheck/issues/152


  • 2768b0d Require an ipa-ca SAN on 3rd party certs if ACME is enabled
  • e0ff82c Change the return codes of ipa-acme-manage
  • c8f13cd ipatests: Add tests for requiring ipa-ca SAN when ACME is enabled

Metadata Update from @rcritten:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

5 months ago
