I have tried to set up FreeIPA in various different configurations to work with Caddy, but because of the various TLS interconnections I am yet to figure out a way to set it up. There are 3 possible configurations documented, and I would like to ask the community if it can provide some hints on which one is most likely to work and how to set it up:
FreeIPA manages its own local TLS certificates for both HTTP and LDAP. This is easy to install, but hard to configure together with Caddy.
- Problem: During authentication, FreeIPA checks against its own certificates in order to authenticate. So even in reverse proxy on an HTTP port, authentication fails.
- Possible solution: Make Caddy use FreeIPA TLS certs. There is a guide on how to achieve this, but I am still stuck at the section of generating the cert files using certutil. This would most likely be the best approach, but I do not know how to debug this. One concern I have is whether I would have to manually repeat these steps when the certificate expires.
- I am not sure what exactly this does and if it is viable in a reverse-proxy environment, but it might be easier to set up.
- Problem: I need to sign the CSR with the external CA, but there is no guide on how to do so.
- Despite the name, I still need to provide it with both HTTP and an LDAP cert file.
- Problem: During the LDAP configuration I get the following error if I were to naively use the same certificates:
  slapd_extract_cert - SERVER CERT NAME: Unknown CA
- This is most likely an issue with needing to manually generate the key/cert for LDAP, but it would still be difficult to manage and learn how to do so. Another concern is when the certificates are regenerated/moved I would lose access to the server and reinstalling the certificates becomes problematic.
If anyone has some insight on what I should try I would love to figure it out. Manually installing and configuring LDAP is going over my head, and I would like to use FreeIPA to manage all of these.
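As an added illustration (not part of the post above, and not FreeIPA or Caddy code), the "Unknown CA" message means the server certificate's issuer is not in the trust store the directory server consults. The script below builds throwaway certificates with openssl (a stand-in CA, one leaf it issued, one self-signed leaf) and shows how to check which of the two verifies against that CA before importing anything into a live NSS database; all names and paths are constructed for the demonstration.

```sh
#!/bin/sh
# Demonstrates the chain check behind an "Unknown CA" error using
# throwaway keys and certificates. Nothing here touches a real FreeIPA host.
set -eu
WORK=$(mktemp -d)

# Hypothetical CA standing in for the FreeIPA CA (constructed for this demo).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example IPA CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1

# Leaf 1: an LDAP server certificate issued by that CA.
openssl req -newkey rsa:2048 -nodes -subj "/CN=ipa.example.test" \
  -keyout "$WORK/ldap.key" -out "$WORK/ldap.csr" >/dev/null 2>&1
openssl x509 -req -in "$WORK/ldap.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 1 -out "$WORK/ldap.crt" >/dev/null 2>&1

# Leaf 2: a self-signed certificate for the same name, i.e. issued by a CA
# the trust store has never seen. This is the situation that yields "Unknown CA".
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=ipa.example.test" \
  -keyout "$WORK/other.key" -out "$WORK/other.crt" >/dev/null 2>&1

# chain_ok CA_FILE CERT_FILE: prints "ok" when CERT_FILE chains to CA_FILE,
# "unknown-ca" otherwise (the same distinction the directory server makes).
chain_ok() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo ok
  else
    echo unknown-ca
  fi
}

# Stand-alone usage: report both results.
echo "issued by CA : $(chain_ok "$WORK/ca.crt" "$WORK/ldap.crt")"
echo "self-signed  : $(chain_ok "$WORK/ca.crt" "$WORK/other.crt")"
```

Running `chain_ok` with the CA file you intend to trust and the certificate you are about to hand to the LDAP server tells you, before the install step, whether the import will be rejected for this reason.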