#8712 Support new baseURL config option for ACME
Closed: fixed 3 years ago by abbra. Opened 3 years ago by rcritten.

Issue

ACME uses nonce values to prevent replay attacks. Since the ipa-ca name can go to any of the IPA servers, in order to verify the nonce the servers need to know the value that was set, which relies on replication. Sometimes the client is faster than replication, so a request can fail.

The PKI team addressed this in upstream PR https://github.com/dogtagpki/pki/pull/3435

A new option was added, baseURL, so that upon discovery the ACME server returns the real hostname to bind the client to it.

We can add support now even prior to the upstream builds being available and the option will be ignored in the config file. Once the updated build is available then it should just work(tm).
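A small simulation of the race described in this ticket, added here as an illustration and not code from FreeIPA or Dogtag: two CA replicas behind a round-robin name hand out nonces and replicate them asynchronously. Without a pinned base URL the client's second request can land on a replica that has not yet seen the nonce and is rejected; pinning the client to the replica that issued the nonce (the effect of the baseURL directory setting) removes that dependency on replication timing. The server names, URLs, the `NonceStore`-style set and the one-cycle replication model are all assumptions made up for the example.

```python
"""Toy model of ACME nonce validation across replicated CA servers.

Added illustration only (not FreeIPA/Dogtag code); names and the
replication model are constructed for this example.
"""
import secrets
from collections import deque


class AcmeServer:
    """One CA replica: issues nonces and consumes them on the next request."""

    def __init__(self, name, url):
        self.name = name
        self.url = url            # what this replica would advertise as baseURL
        self.nonces = set()       # nonces this replica currently knows and has not consumed
        self.outbox = deque()     # pending replication operations for peers
        self.peers = []

    def new_nonce(self):
        nonce = secrets.token_urlsafe(16)
        self.nonces.add(nonce)
        self.outbox.append(("add", nonce))   # replication to peers is asynchronous
        return nonce

    def validate(self, nonce):
        """Consume a nonce exactly once; unknown or replayed values are rejected."""
        if nonce not in self.nonces:
            return False
        self.nonces.discard(nonce)
        self.outbox.append(("del", nonce))   # peers learn the nonce is spent, eventually
        return True


def replicate(servers):
    """Run one replication cycle: flush every replica's queue to its peers."""
    for s in servers:
        while s.outbox:
            op, nonce = s.outbox.popleft()
            for p in s.peers:
                if op == "add":
                    p.nonces.add(nonce)
                else:
                    p.nonces.discard(nonce)


class RoundRobinName:
    """Models the ipa-ca DNS name: each lookup may resolve to a different replica."""

    def __init__(self, servers):
        self.servers = servers
        self.i = 0

    def pick(self):
        s = self.servers[self.i % len(self.servers)]
        self.i += 1
        return s


def make_pool(n=2):
    """Constructed replica pool with full-mesh replication peers (hypothetical hosts)."""
    servers = [AcmeServer(f"ipa{i}", f"https://ipa{i}.example.test/acme") for i in range(1, n + 1)]
    for s in servers:
        s.peers = [p for p in servers if p is not s]
    return servers


def run_client(servers, pin_to_base_url, replication_keeps_up):
    """One ACME exchange: obtain a nonce, then spend it on the next request.

    Returns True if the second request is accepted."""
    name = RoundRobinName(servers)
    first = name.pick()
    nonce = first.new_nonce()
    if replication_keeps_up:
        replicate(servers)
    # With baseURL the directory response pins the client to `first`; without it the
    # client resolves the shared name again and may reach a replica lacking the nonce.
    target = first if pin_to_base_url else name.pick()
    return target.validate(nonce)


def replay_rejected(servers):
    """A nonce spent on one replica is refused on another once replication catches up."""
    a, b = servers[0], servers[1]
    nonce = a.new_nonce()
    replicate(servers)
    first_use = b.validate(nonce)      # accepted: b learned the nonce via replication
    replicate(servers)                 # b's "del" reaches a
    return first_use and not a.validate(nonce)


if __name__ == "__main__":
    print("no pin, slow replication :", run_client(make_pool(), False, False))  # False
    print("no pin, fast replication :", run_client(make_pool(), False, True))   # True
    print("pinned, slow replication :", run_client(make_pool(), True, False))   # True
    print("replay across replicas   :", replay_rejected(make_pool()))           # True
```

The first call reproduces the failure the ticket describes (nonce issued by one replica, validated on another before replication), and the third shows that pinning makes the outcome independent of replication lag; the replay check confirms the one-time-use property still holds across replicas once consumption has replicated.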


master:

  • d2d487b Set the ACME baseURL in order to pin a client to a single IPA server
  • b1e72cb Add versions to the ACME config templates and update on upgrade
  • 3d2d067 Add some logging around initial ACME deployment

ipa-4-9:

  • a16dc59 Set the ACME baseURL in order to pin a client to a single IPA server
  • 31061c6 Add versions to the ACME config templates and update on upgrade
  • 6526ab4 Add some logging around initial ACME deployment

Metadata Update from @abbra:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

3 years ago

Metadata Update from @rcritten:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1928900

3 years ago
