[Freeipa-users] let's encrypt integration and best practices for mod_nss/mod_ssl

Prasun Gera prasun.gera at gmail.com
Wed Nov 4 23:20:22 UTC 2015


I'm using idm (4.1.x) on a RHEL 7.1 with the webui accessible publicly. I'm
using a stock configuration which uses the certs signed by ipa's CA for the
webui. This is mostly for convenience since it manages renewals seamlessly.
This, however, requires users to add the CA as trusted to their browsers. A
promising alternative to this is https://letsencrypt.org/, which issues
browser trusted certs, and will manage auto renewals too (in the future).
As a feature request, it would be nice to have closer integration between
ipa and the letsencrypt client which would make managing certs simple. I'm
about to set this up manually right now using the external ssl certs guide.

Secondly, since the webui uses mod_nss, how would one set it up to prefer
security over compatibility with older clients? The vast majority of
documentation online (e.g.
https://mozilla.github.io/server-side-tls/ssl-config-generator/) is about
mod_ssl, and I think the configuration doesn't transfer directly to mod_nss.
Since this is the only web-facing component, I would like to set it up to
use stringent requirements. Right now, a test on
https://www.ssllabs.com/ssltest/ and https://weakdh.org/sysadmin.html
identifies several issues. Since these things are not really my area of
expertise, I would like some documentation regarding this. Also, would
manually modifying any of the config files be overwritten by a yum update?
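As an added example (not part of the original post, and not FreeIPA's shipped nss.conf), the following fragment puts a compatibility-first mod_nss configuration beside a security-first one, which is the kind of translation from the mod_ssl-oriented guides that the question is asking for. Directive and cipher-suite names are taken from the mod_nss documentation; whether every name is accepted depends on the mod_nss and NSS versions installed, so treat the exact suite list and the `NSSHonorCipherOrder` directive as assumptions to be checked against `httpd -t` on the target system.

```apache
# Added example, not the FreeIPA project's own nss.conf.
# Assumption: a mod_nss build with TLS 1.2 suite support; verify names with
# the mod_nss docs and `apachectl configtest` before relying on this.

# --- Permissive (compatibility-first); what a weak scanner result looks like ---
# NSSProtocol SSLv3,TLSv1.0,TLSv1.1,TLSv1.2
# NSSCipherSuite +rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,+rsa_aes_128_sha,+rsa_aes_256_sha

# --- Hardened (security-first) ---
# No SSLv3 and no TLS 1.0. Keep TLSv1.1 only if old clients genuinely must
# connect; otherwise use "NSSProtocol TLSv1.2" alone.
NSSProtocol TLSv1.1,TLSv1.2

# Forward-secret ECDHE suites with AES-GCM first, AES-CBC as fallback, then
# plain RSA key exchange last. Everything else is negated explicitly so the
# intent survives a later change to mod_nss defaults. The list contains no
# RC4, 3DES, NULL, export-grade or dhe_* suites, so the classes of findings
# reported by weakdh.org (export and weak DHE) have nothing to match on.
NSSCipherSuite +ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_256_sha,+ecdhe_ecdsa_aes_128_sha,+ecdhe_rsa_aes_128_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_256_sha,+rsa_aes_128_sha,-rsa_rc4_128_md5,-rsa_rc4_128_sha,-rsa_3des_sha,-rsa_des_sha,-rsa_null_md5,-rsa_null_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_des_56_sha,-rsa_rc4_56_sha,-ecdhe_rsa_rc4_128_sha,-ecdhe_rsa_3des_sha

# Let the server's preference order win over the client's.
# Assumption: the installed mod_nss accepts this directive; if httpd rejects
# it at configtest, remove the line rather than downgrading the suite list.
NSSHonorCipherOrder on
```

After editing `/etc/httpd/conf.d/nss.conf`, run `apachectl configtest`, restart httpd, and confirm from another host that `openssl s_client -connect <fqdn>:443 -ssl3` and `-tls1` fail to negotiate while `-tls1_2` succeeds, then re-run the SSL Labs test. Because ipa-server-install is what wrote nss.conf in the first place, keep a copy of the edited file and diff it after package updates so a silently restored default is noticed rather than assumed.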
