FreeIPA Support

I have tried to set up FreeIPA in various different configurations to work with Caddy, but because of the various TLS interconnections I am yet to figure out a way to set it up. There are 3 possible configurations documented, and I would like to ask the community if it can provide some hints on which one is most likely to work and how to set it up:

  1. Native FreeIPA key management:
  • FreeIPA manages its own local TLS certificates for both HTTP and LDAP. This is easy to install, but hard to configure together with Caddy.
  • Problem: During authentication, FreeIPA checks against its own certificates in order to authenticate. So even in reverse proxy on an HTTP port, authentication fails.
  • Possible solution: Make Caddy use FreeIPA TLS certs. There is a guide on how to achieve this, but I am still stuck at the section of generating the cert files using certutil. This would most likely be the best approach, but I do not know how to debug this. One concern I have is whether I would have to manually repeat these steps when the certificate expires.
  2. Have FreeIPA use an external CA:
  • I am not sure what exactly this does and if it is viable in a reverse-proxy environment, but it might be easier to set up.
  • Problem: I need to sign the CSR with the external CA, but there is no guide on how to do so.
  3. CA-less FreeIPA:
  • Despite the name, I still need to provide it with both HTTP and LDAP cert files.
  • Problem: During the LDAP configuration I get such an error if I were to naively use the same certificates:
    slapd_extract_cert - SERVER CERT NAME: Unknown CA
  • This is most likely an issue with needing to manually generate the key/cert for LDAP, but it would still be difficult to manage and learn how to do so. Another concern is that when the certificates are regenerated/moved I would lose access to the server and reinstalling the certificates becomes problematic.

If anyone has some insight on what I should try I would love to figure it out. Manually installing and configuring LDAP is going over my head, and I would like to use FreeIPA to manage all of these.

I should add to this topic: I have had a quick conversation on the FreeIPA subreddit, and at least some of the developers are against the idea of supporting running a webserver (aside from the one managed by their service) on the same machine that is running the FreeIPA service, due to understandable security concerns. So there will not likely be official support from them.
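As an added sketch of approach 1 (not from the original post or the FreeIPA/Caddy projects): Caddy terminating TLS with the certificate and key exported from FreeIPA, then proxying to FreeIPA's own HTTPS listener while verifying that upstream against the IPA CA instead of disabling verification. The hostname, the cert/key paths under /etc/caddy/ipa/, and the upstream address are assumptions; /etc/ipa/ca.crt is the standard location of the FreeIPA CA certificate.

```caddyfile
# Added example, not part of the original post. Assumptions:
#   - ipa.example.test is the FreeIPA server's FQDN (placeholder)
#   - the HTTP cert/key were exported from FreeIPA to the paths below (placeholders)
#   - FreeIPA's own Apache still listens on 127.0.0.1:443
ipa.example.test {
    # Present the FreeIPA-issued certificate rather than an ACME one, so
    # clients that only trust the IPA CA see the chain they expect.
    tls /etc/caddy/ipa/httpd.crt /etc/caddy/ipa/httpd.key

    reverse_proxy https://127.0.0.1:443 {
        transport http {
            # Verify the upstream with the IPA CA; do not fall back to
            # tls_insecure_skip_verify, which would silently accept any cert.
            tls_trusted_ca_certs /etc/ipa/ca.crt
            # The upstream cert is issued for the FQDN, not the loopback
            # address, so name the server explicitly for SNI and verification.
            tls_server_name ipa.example.test
        }
    }
}
```

Caddy's reverse_proxy passes the Host and Referer headers through unchanged by default, which matters here because FreeIPA's HTTP API rejects requests whose Referer does not match its own name.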