When the Let's Encrypt certificate was renewed a couple of months ago,
a problem occurred.
I found this guide and tried to follow it:
https://yyhh.org/blog/2021/01/fix-freeipa-httpd-lets-encrypt-certificate-...
But it seems I have messed up something, and I would like some hints on how to
solve my problem.
ipa-server: 4.6.8
Among other things I get this error message:
ipa-server-certinstall -w fullchain.pem privkey.pem
Directory Manager password:
Enter private key unlock password:
Peer's certificate issuer is not trusted (certutil: certificate is invalid:
Peer's Certificate issuer is not recognized.
). Please run ipa-cacert-manage install and ipa-certupdate to install the CA
certificate.
The ipa-server-certinstall command failed.
, R3 is now
cross-signed from DST RootCA X3 and ISRG Root X1. You can check the
content of your fullchain.pem and see what the exact cert chain for
your new certificate is (keytool -printcert -v -file fullchain.pem).
I would try adding ISRG Root X1 using ipa-cacert-manage install (on one
of the servers) + ipa-certupdate (on all servers/replicas/clients), then
retry installing the certificate with ipa-server-certinstall.
Note: if you need to add more than 1 CA cert, start from the bottom (the
intermediate), and go up to the root CA for ipa-cacert-manage install
command.
flo
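As an added example (not code from this thread or from FreeIPA), the script below does the fullchain.pem inspection suggested above with the openssl CLI instead of keytool: it splits the bundle, prints the CA subjects in the bottom-up order ipa-cacert-manage install wants, and, when the bundle stops at an intermediate as a certbot fullchain.pem does, names the root that IPA must already trust. make_test_chain builds a constructed throwaway chain only so the script can be exercised offline.

```sh
# Added example, not from the thread: list the CA certificates in a PEM bundle
# (e.g. certbot's fullchain.pem) in the bottom-up order ipa-cacert-manage
# install wants, using the openssl CLI instead of keytool. POSIX sh + awk.

# split_chain BUNDLE OUTDIR: write each certificate to OUTDIR/cert-N.pem in
# bundle order and print the count.
split_chain() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert-" n ".pem" }
        n { print > f }
        /-----END CERTIFICATE-----/ { close(f) }
        END { print n + 0 }' "$1"
}

# cert_field FILE subject|issuer: the DN in RFC 2253 form, without the
# "subject=" / "issuer=" prefix (whose spacing varies between openssl versions).
cert_field() {
    openssl x509 -in "$1" -noout "-$2" -nameopt RFC2253 | sed 's/^[a-z]*= *//'
}

# install_order BUNDLE: print every CA subject (all but the first, leaf, cert)
# in install order. A certbot fullchain.pem stops at the intermediate (leaf +
# R3), so if the last cert is not self-signed, also name the root IPA must trust.
install_order() {
    dir=$(mktemp -d); n=$(split_chain "$1" "$dir")
    i=2
    while [ "$i" -le "$n" ]; do
        cert_field "$dir/cert-$i.pem" subject
        i=$((i + 1))
    done
    last="$dir/cert-$n.pem"
    if [ "$(cert_field "$last" subject)" != "$(cert_field "$last" issuer)" ]; then
        echo "MISSING ROOT: $(cert_field "$last" issuer)"
    fi
    rm -rf "$dir"
}

# make_test_chain DIR: constructed throwaway root -> intermediate -> leaf
# chain plus a certbot-style fullchain.pem (leaf + intermediate, no root).
make_test_chain() {
    k="-nodes -newkey rsa:2048"
    openssl req -x509 -days 2 $k -keyout "$1/root.key" -out "$1/root.pem" -subj "/CN=Test Root" 2>/dev/null
    openssl req $k -keyout "$1/int.key" -out "$1/int.csr" -subj "/CN=Test Intermediate" 2>/dev/null
    openssl x509 -req -days 2 -CAcreateserial -in "$1/int.csr" -CA "$1/root.pem" \
        -CAkey "$1/root.key" -out "$1/int.pem" 2>/dev/null
    openssl req $k -keyout "$1/leaf.key" -out "$1/leaf.csr" -subj "/CN=ipa.example.net" 2>/dev/null
    openssl x509 -req -days 2 -CAcreateserial -in "$1/leaf.csr" -CA "$1/int.pem" \
        -CAkey "$1/int.key" -out "$1/leaf.pem" 2>/dev/null
    cat "$1/leaf.pem" "$1/int.pem" > "$1/fullchain.pem"
}
```

Run `install_order /path/to/fullchain.pem`; each printed subject is one ipa-cacert-manage install call, in that order, and a MISSING ROOT line means that root (for Let's Encrypt, ISRG Root X1) has to be installed first.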
Below are outputs from some important commands, with my domain replaced with
example.net:
certutil -L -d /etc/httpd/alias/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Signing-Cert                                                 u,u,u
DSTRootCAX3                                                  C,,
EXAMPLE.NET IPA CA                                           CT,C,C
letsencryptx3                                                C,,
CN=ipa.example.net                                           u,u,u
ldapsearch -Y GSSAPI -Q -b cn=certificates,cn=ipa,cn=etc,dc=example,dc=net
# extended LDIF
#
# LDAPv3
# base <cn=certificates,cn=ipa,cn=etc,dc=example,dc=net> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# certificates, ipa, etc, example.net
dn: cn=certificates,cn=ipa,cn=etc,dc=example,dc=net
objectClass: nsContainer
objectClass: top
cn: certificates
# EXAMPLE.NET IPA CA, certificates, ipa, etc, example.net
dn: cn=EXAMPLE.NET IPA CA,cn=certificates,cn=ipa,cn=etc,dc=example,dc=net
ipaConfigString: ipaCa
ipaConfigString: compatCA
ipaCertSubject: CN=Certificate Authority,O=EXAMPLE.NET
ipaKeyTrust: trusted
cACertificate;binary:: Replaced with XXX
ipaPublicKey:: MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1nIS8VuSpvUaTucptnP
 BDEXQYh4cxPT5qkHbuaBrZ7z8TvS2V5K2HCB/Gm6kkyZghxQFMm7zZdDNJQSu9pXUb2HDwv2wdBf6
 ZBLxAZNYWJ4qTCXG5RhY13xcORnxzflXkQsMk1Pz4BZb6yEjZx9UvGXVWcdzoKVC9u1YF+jHdcKyQ
 4o4K/mcy7PR/F73j3VVAyUXB7WIHT6KLaIp13Ir2byRAHHSPrIa3RBvodrRLQPuHQZZhO5O4BRXPR
 6v1rwTgF+EI1Ua3w+mRmP7fHgCQcehvwkXy7zV7GMtaSchcDUf4EluWarG0UsclbLG9orVBnX6kBu
 T++1Zs/nVnMAE8wIDAQAB
ipaCertIssuerSerial: CN=Certificate Authority,O=EXAMPLE.NET;1
objectClass: ipaCertificate
objectClass: pkiCA
objectClass: ipaKeyPolicy
objectClass: top
cn: EXAMPLE.NET IPA CA
ipaKeyExtUsage: 1.3.6.1.5.5.7.3.1
ipaKeyExtUsage: 1.3.6.1.5.5.7.3.2
ipaKeyExtUsage: 1.3.6.1.5.5.7.3.3
ipaKeyExtUsage: 1.3.6.1.5.5.7.3.4
# DSTRootCAX3, certificates, ipa, etc, example.net
dn: cn=DSTRootCAX3,cn=certificates,cn=ipa,cn=etc,dc=example,dc=net
ipaKeyExtUsage: 1.3.6.1.5.5.7.3.1
cn: DSTRootCAX3
objectClass: ipaCertificate
objectClass: pkiCA
objectClass: ipaKeyPolicy
objectClass: top
ipaCertSubject: CN=DST Root CA X3,O=Digital Signature Trust Co.
ipaPublicKey:: MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA36/pl1AIg1e0zGJl9pC
 C7MfTLGswylvs2cN9x0DBGBSL4Ogzdkkq4z8hSZOsTg6vPkjLZe780yEPZdIq2TKPjOX3d7ASe7WV
 wImjqbrtcy56DAYyg6J+ihQwzRGg4So4uXkKMf1QvYBl37dRY4PI4ohh6kthgexSa7mi4ksaKJ9Io
 54M2gmOPhcuHt0g31vGKoqrLr1wrcULGiWQdHLFe2qrNNYwif/laBN7VAvI1q7sWpySHj1ks4zG37
 /JQXDsFnLVJuw4VTlD0Pz9GFxA8Zfr1ZqbjR262iW5xtjfwRUCOqvabvE+LvVcCJw81oNp5BCbGSq
 2KVfj5T2bn/ACXQIDAQAB
cACertificate;binary:: Replaced with XXX
ipaKeyTrust: trusted
ipaCertIssuerSerial: CN=DST Root CA X3,O=Digital Signature Trust Co.;91299735575339953335919266965803778155
# letsencryptx3, certificates, ipa, etc, example.net
dn: cn=letsencryptx3,cn=certificates,cn=ipa,cn=etc,dc=example,dc=net
ipaKeyExtUsage: 1.3.6.1.5.5.7.3.1
cn: letsencryptx3
objectClass: ipaCertificate
objectClass: pkiCA
objectClass: ipaKeyPolicy
objectClass: top
ipaCertSubject: CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US
ipaPublicKey:: MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnNMM8FrlLke3cl03g7N
 oYzDq1zUmGSXhvb418XCSL7e4S0EFq6meNQhY7LEqxGiHC6PjdeTm86dicbp5gWAf15Gan/PQeGdx
 yGkOlZHP/uaZ6WA8SMx+yk13EiSdRxta67nsHjcAHJyse6cF6s5K671B5TaYucv9bTyWaN8jKkKQD
 IZ0Z8h/pZq4UmEUEz9l6YKHy9v6Dlb2honzhT+Xhq+w3Brvaw2VFn3EK6BlspkENnWAa6xK8xuQSX
 gvopZPKiAlKQTGdMDQMc2PMTiVFrqoM7hD8bEfwzB/onkxEz0tNvjj/PIzark5McWvxI0NHWQWM6r
 6hCm21AvA2H3DkwIDAQAB
cACertificate;binary:: Replaced with XXX
ipaKeyTrust: trusted
ipaCertIssuerSerial: CN=DST Root CA X3,O=Digital Signature Trust Co.;13298795840390663119752826058995181320
# letsencryptr3-cross, certificates, ipa, etc, example.net
dn: cn=letsencryptr3-cross,cn=certificates,cn=ipa,cn=etc,dc=example,dc=net
ipaKeyExtUsage: 1.3.6.1.5.5.7.3.1
cn: letsencryptr3-cross
objectClass: ipaCertificate
objectClass: pkiCA
objectClass: ipaKeyPolicy
objectClass: top
ipaCertSubject: CN=R3,O=Let's Encrypt,C=US
ipaPublicKey:: MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuwIVKMz2oJTTDxLsjVW
 Sw/iC8ZmmekKIp10mqrUrucVMsa+Oa/l1yKPXD0eUFFU1V4yeqKI5GfWCPEKpTm71O8Mu243AsFzz
 WTjn7c9p8FoLG77AlCQlh/o3cbMT5xys4Zvv2+Q7RVJFlqnBU840yFLuta7tj95gcOKlVKu2bQ6Xp
 UA0ayvTvGbrZjR8+muLj1cpmfgwF126cm/7gcWt0oZYPRfH5wm78Sv3htzB2nFd1EbjzK0lwYi8YG
 d1ZrPxGPeiXOZT/zqItkel/xMY6pgJdz+dU/nPAeX1pnAXFK9jpP+Zs5Od3FOnBv5IhR2haa4ldbs
 TzFID9e1RoYvbFQIDAQAB
cACertificate;binary:: Replaced with XXX
ipaKeyTrust: trusted
ipaCertIssuerSerial: CN=DST Root CA X3,O=Digital Signature Trust Co.;85078157426496920958827089468591623647
# search result
search: 4
result: 0 Success
# numResponses: 6
# numEntries: 5
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org