[Freeipa-users] FreeIPA 4.1.0 server behind apache/mod_proxy
Rob Crittenden
rcritten at redhat.com
Wed Jun 17 21:03:39 UTC 2015
Piotr Baranowski wrote:
> ----- 17 cze 2015 o 15:51, Alexander Bokovoy abokovoy at redhat.com napisał(a):
>
>> On Wed, 17 Jun 2015, Piotr Baranowski wrote:
>>> ----- Oryginalna wiadomość -----
>>>> Od: "Alexander Bokovoy" <abokovoy at redhat.com>
>>>> So you have two different certificates in use here and your client
>>>> doesn't know about the other certificate (from your proxy). You need
>>>> either to deliver that certificate to the client by yourself or change
>>>> your proxying technology to something different.
>>>>
>>>> For example, you can use sniproxy which doesn't require in-the-middle
>>>> certificate. https://github.com/dlundquist/sniproxy
>>>
>>> Thanks for that hint. I'll have a look at that.
>>>
>>> However I have an Idea:
>>> If I could export ipa's mod_nss cert+key and then use them on my proxy running
>>> mod_ssl that probably could solve the issue.
>>>
>>> Right?
>> Sort of. Now you would have an issue of maintaining the certificate in
>> multiple locations which would make rotation of it "interesting", so to
>> say.
>
> Those would be only TWO certificates to manage. What's the challenge here?
When the cert on the IPA master expires it will be automatically renewed
by certmonger.
when the cert on your reverse proxy expires all requests will be denied
due to an expired cert until you pull the updated cert from the IPA
master and put it onto the proxy server and restart.
In other words, two years from now, at 3 in the morning on a Sunday
(it's always Sunday) it will expire and lots of things will break first
thing Monday morning, before your coffee.
rob
More information about the Freeipa-users
mailing list