Hi,
Let's Encrypt new chain of trust is now the following:
- *ISRG Root X1*: *C = US, O = Internet Security Research Group, CN = ISRG Root X1*
(was previously also cross-signed by *DST Root CA X3*: *O = Digital Signature Trust Co., CN = DST Root CA X3*)
- *R3*: *C = US, O = Let's Encrypt, CN = R3*
- your server cert
You mention that the cross-signed root certificate was removed with
ipa-cacert-manage, but did you also run ipa-certupdate before trying
ipa-server-certinstall? This step is mandatory in order to update the NSS
databases, as specified in the man page ipa-cacert-manage(1).
HTH,
flo
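As an added illustration of the check and the ordering described above (this is not code from the thread or from the FreeIPA project), the script below lists which issuers a Let's Encrypt bundle actually carries, flags whether anything in it still chains to the expired DST Root CA X3, and then runs the IPA steps in the order that matters: CA store update, ipa-certupdate, and only then ipa-server-certinstall. The ISRG Root X1 file path is an assumption; XXX is the placeholder domain directory from the original message; the sample bundle and listing are constructed for the offline demonstration and are not real certificates.

```shell
#!/bin/sh
# Added example (not from the thread or the FreeIPA project): inspect the chain
# a Let's Encrypt bundle carries, then apply the CA update in the right order.
set -eu

# Count certificates in a PEM bundle (pure text; no openssl needed).
pem_cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Print "subject=" / "issuer=" lines for every certificate in the bundle.
# Requires openssl; the crl2pkcs7 round trip is a standard way to list a bundle
# because "openssl x509" on its own only shows the first certificate.
list_chain() {
    openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}

# Given list_chain output, report whether any certificate in the bundle is
# issued by the expired DST Root CA X3 (the issuer named in the error).
# Returns 0 if such an issuer is present, 1 otherwise.
chain_has_dst_x3_issuer() {
    printf '%s\n' "$1" | grep -q 'issuer=.*DST Root CA X3'
}

# The order that matters on the IPA server (run as root): change the CA store,
# refresh the NSS databases with ipa-certupdate, and only then install the
# service certificate for LDAP (-d) and the web server (-w).
# /path/to/isrg-root-x1.pem is an assumed path; XXX is the poster's placeholder.
reinstall_with_new_chain() {
    le_dir="/etc/letsencrypt/live/XXX"
    ipa-cacert-manage install /path/to/isrg-root-x1.pem   # self-signed ISRG Root X1
    ipa-certupdate                                        # mandatory: pushes the CA change into the NSS DBs
    ipa-server-certinstall -d -w "$le_dir/cert.pem" "$le_dir/privkey.pem"
}

# Constructed sample bundle for the offline demo: real PEM framing, placeholder
# bodies, so only the text-level count is meaningful here.
SAMPLE_BUNDLE=$(mktemp)
cat > "$SAMPLE_BUNDLE" <<'EOF'
-----BEGIN CERTIFICATE-----
placeholder-leaf-body
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
placeholder-r3-body
-----END CERTIFICATE-----
EOF
echo "certificates in sample bundle: $(pem_cert_count "$SAMPLE_BUNDLE")"
rm -f "$SAMPLE_BUNDLE"

# Constructed listing in the shape list_chain prints for the current chain
# (leaf -> R3 -> ISRG Root X1, no cross-sign).
SAMPLE_LISTING="subject=CN = XXX
issuer=C = US, O = Let's Encrypt, CN = R3

subject=C = US, O = Let's Encrypt, CN = R3
issuer=C = US, O = Internet Security Research Group, CN = ISRG Root X1"
if chain_has_dst_x3_issuer "$SAMPLE_LISTING"; then
    echo "bundle still chains to the expired DST Root CA X3"
else
    echo "bundle chains to ISRG Root X1 only"
fi
```

On a live server, `list_chain /etc/letsencrypt/live/XXX/fullchain.pem` shows what the bundle presents, and `ipa-cacert-manage list` shows what IPA's CA store holds; if the two disagree, run `ipa-certupdate` before retrying `ipa-server-certinstall`.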
On Thu, Oct 7, 2021 at 11:44 PM Stefan Fleischmann via FreeIPA-users <
freeipa-users(a)lists.fedorahosted.org> wrote:
Hi! I've been using FreeIPA (installed without CA --no-pkinit) with a letsencrypt certificate. Whenever the certificate gets renewed I install it with ipa-server-certinstall for both the LDAP and web server and that has been working just fine. Recently the root certificate (DST Root CA X3) expired as mentioned here
https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/
Now when I try to install the new certificate I get this error:
---
CA certificate CN=DST Root CA X3,O=Digital Signature Trust Co. in
/etc/letsencrypt/live/XXX/cert.pem, /etc/letsencrypt/live/XXX/privkey.pem
is not valid: certutil: certificate is invalid: The certificate issuer's
certificate has expired. Check your system date and time.
The ipa-server-certinstall command failed.
---
I don't understand this error message at all since the `cert.pem` file does not contain any reference to the X3 CA, so I suppose it must come from somewhere else. Does someone have an idea how to fix this?
I've already removed the root certificate with ipa-cacert-manage and added the self-signed X1 root cert, yet the same error message above keeps showing up.