[Freeipa-users] Re: Updating Letsencrypt certificate fails

Monday, 19 April 2021

On 4/19/21 10:14 AM, Reino Wallin via FreeIPA-users wrote:
...
 When the letsencrypt certificate was renewed a couple of months ago,
a problem occurred.

 I found this guide and tried to follow it:

 https://yyhh.org/blog/2021/01/fix-freeipa-httpd-lets-encrypt-certificate-...

 But it seems I have messed up something, and I would like some hints how to solve my
problem.

 ipa-server: 4.6.8

 Among other things I get this error message:

 ipa-server-certinstall -w fullchain.pem privkey.pem
 Directory Manager password:

 Enter private key unlock password:

 Peer's certificate issuer is not trusted (certutil: certificate is invalid:
Peer's Certificate issuer is not recognized.
 ). Please run ipa-cacert-manage install and ipa-certupdate to install the CA
certificate.
 The ipa-server-certinstall command failed.

  Hi,
according to https://letsencrypt.org/certificates/, R3 is now 
cross-signed from DST RootCA X3 and ISRG Root X1. You can check the 
content of your fullchain.pem and see what is the exact cert chain for 
your new certificate (keytool -printcert -v -file fullchain.pem).

I would try adding ISRG Root X1 using ipa-cacert-manage install (on one 
of the servers) + ipa-certupdate (on all servers/replicas/clients), then 
retry installing the certificate with ipa-server-certinstall.

Note: if you need to add more than 1 CA cert, start from the bottom (the 
intermediate), and go up to the root CA for ipa-cacert-manage install 
command.

flo

...
 Below are outputs from some important commands with my domain
replaced with example.net:

 certutil -L -d /etc/httpd/alias/

 Certificate Nickname                                         Trust Attributes
                                                               SSL,S/MIME,JAR/XPI

 Signing-Cert                                                 u,u,u
 DSTRootCAX3                                                  C,,
 EXAMPLE.NET IPA CA                                           CT,C,C
 letsencryptx3                                                C,,
 CN=ipa.example.net                                           u,u,u

 ldapsearch -Y GSSAPI -Q -b  cn=certificates,cn=ipa,cn=etc,dc=example,dc=net
 # extended LDIF
 #
 # LDAPv3
 # base <cn=certificates,cn=ipa,cn=etc,dc=example,dc=net> with scope subtree
 # filter: (objectclass=*)
 # requesting: ALL
 #

 # certificates, ipa, etc, example.net
 dn: cn=certificates,cn=ipa,cn=etc,dc=example,dc=net
 objectClass: nsContainer
 objectClass: top
 cn: certificates

 # EXAMPLE.NET IPA CA, certificates, ipa, etc, example.net
 dn: cn=EXAMPLE.NET IPA CA,cn=certificates,cn=ipa,cn=etc,dc=example,dc=net
 ipaConfigString: ipaCa
 ipaConfigString: compatCA
 ipaCertSubject: CN=Certificate Authority,O=EXAMPLE.NET
 ipaKeyTrust: trusted
 cACertificate;binary:: Replaced with XXX
 ipaPublicKey:: MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1nIS8VuSpvUaTucptnP
   BDEXQYh4cxPT5qkHbuaBrZ7z8TvS2V5K2HCB/Gm6kkyZghxQFMm7zZdDNJQSu9pXUb2HDwv2wdBf6
   ZBLxAZNYWJ4qTCXG5RhY13xcORnxzflXkQsMk1Pz4BZb6yEjZx9UvGXVWcdzoKVC9u1YF+jHdcKyQ
   4o4K/mcy7PR/F73j3VVAyUXB7WIHT6KLaIp13Ir2byRAHHSPrIa3RBvodrRLQPuHQZZhO5O4BRXPR
   6v1rwTgF+EI1Ua3w+mRmP7fHgCQcehvwkXy7zV7GMtaSchcDUf4EluWarG0UsclbLG9orVBnX6kBu
   T++1Zs/nVnMAE8wIDAQAB
 ipaCertIssuerSerial: CN=Certificate Authority,O=EXAMPLE.NET;1
 objectClass: ipaCertificate
 objectClass: pkiCA
 objectClass: ipaKeyPolicy
 objectClass: top
 cn: EXAMPLE.NET IPA CA
 ipaKeyExtUsage: 1.3.6.1.5.5.7.3.1
 ipaKeyExtUsage: 1.3.6.1.5.5.7.3.2
 ipaKeyExtUsage: 1.3.6.1.5.5.7.3.3
 ipaKeyExtUsage: 1.3.6.1.5.5.7.3.4

 # DSTRootCAX3, certificates, ipa, etc, example.net
 dn: cn=DSTRootCAX3,cn=certificates,cn=ipa,cn=etc,dc=example,dc=net
 ipaKeyExtUsage: 1.3.6.1.5.5.7.3.1
 cn: DSTRootCAX3
 objectClass: ipaCertificate
 objectClass: pkiCA
 objectClass: ipaKeyPolicy
 objectClass: top
 ipaCertSubject: CN=DST Root CA X3,O=Digital Signature Trust Co.
 ipaPublicKey:: MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA36/pl1AIg1e0zGJl9pC
   C7MfTLGswylvs2cN9x0DBGBSL4Ogzdkkq4z8hSZOsTg6vPkjLZe780yEPZdIq2TKPjOX3d7ASe7WV
   wImjqbrtcy56DAYyg6J+ihQwzRGg4So4uXkKMf1QvYBl37dRY4PI4ohh6kthgexSa7mi4ksaKJ9Io
   54M2gmOPhcuHt0g31vGKoqrLr1wrcULGiWQdHLFe2qrNNYwif/laBN7VAvI1q7sWpySHj1ks4zG37
   /JQXDsFnLVJuw4VTlD0Pz9GFxA8Zfr1ZqbjR262iW5xtjfwRUCOqvabvE+LvVcCJw81oNp5BCbGSq
   2KVfj5T2bn/ACXQIDAQAB
 cACertificate;binary:: Replaced with XXX
 ipaKeyTrust: trusted
 ipaCertIssuerSerial: CN=DST Root CA X3,O=Digital Signature Trust Co.;912997355
   75339953335919266965803778155

 # letsencryptx3, certificates, ipa, etc, example.net
 dn: cn=letsencryptx3,cn=certificates,cn=ipa,cn=etc,dc=example,dc=net
 ipaKeyExtUsage: 1.3.6.1.5.5.7.3.1
 cn: letsencryptx3
 objectClass: ipaCertificate
 objectClass: pkiCA
 objectClass: ipaKeyPolicy
 objectClass: top
 ipaCertSubject: CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US
 ipaPublicKey:: MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnNMM8FrlLke3cl03g7N
   oYzDq1zUmGSXhvb418XCSL7e4S0EFq6meNQhY7LEqxGiHC6PjdeTm86dicbp5gWAf15Gan/PQeGdx
   yGkOlZHP/uaZ6WA8SMx+yk13EiSdRxta67nsHjcAHJyse6cF6s5K671B5TaYucv9bTyWaN8jKkKQD
   IZ0Z8h/pZq4UmEUEz9l6YKHy9v6Dlb2honzhT+Xhq+w3Brvaw2VFn3EK6BlspkENnWAa6xK8xuQSX
   gvopZPKiAlKQTGdMDQMc2PMTiVFrqoM7hD8bEfwzB/onkxEz0tNvjj/PIzark5McWvxI0NHWQWM6r
   6hCm21AvA2H3DkwIDAQAB
 cACertificate;binary:: Replaced with XXX
 ipaKeyTrust: trusted
 ipaCertIssuerSerial: CN=DST Root CA X3,O=Digital Signature Trust Co.;132987958
   40390663119752826058995181320

 # letsencryptr3-cross, certificates, ipa, etc, example.net
 dn: cn=letsencryptr3-cross,cn=certificates,cn=ipa,cn=etc,dc=example,dc=net
 ipaKeyExtUsage: 1.3.6.1.5.5.7.3.1
 cn: letsencryptr3-cross
 objectClass: ipaCertificate
 objectClass: pkiCA
 objectClass: ipaKeyPolicy
 objectClass: top
 ipaCertSubject: CN=R3,O=Let's Encrypt,C=US
 ipaPublicKey:: MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuwIVKMz2oJTTDxLsjVW
   Sw/iC8ZmmekKIp10mqrUrucVMsa+Oa/l1yKPXD0eUFFU1V4yeqKI5GfWCPEKpTm71O8Mu243AsFzz
   WTjn7c9p8FoLG77AlCQlh/o3cbMT5xys4Zvv2+Q7RVJFlqnBU840yFLuta7tj95gcOKlVKu2bQ6Xp
   UA0ayvTvGbrZjR8+muLj1cpmfgwF126cm/7gcWt0oZYPRfH5wm78Sv3htzB2nFd1EbjzK0lwYi8YG
   d1ZrPxGPeiXOZT/zqItkel/xMY6pgJdz+dU/nPAeX1pnAXFK9jpP+Zs5Od3FOnBv5IhR2haa4ldbs
   TzFID9e1RoYvbFQIDAQAB
 cACertificate;binary:: Replaced with XXX
 ipaKeyTrust: trusted
 ipaCertIssuerSerial: CN=DST Root CA X3,O=Digital Signature Trust Co.;850781574
   26496920958827089468591623647

 # search result
 search: 4
 result: 0 Success

 # numResponses: 6
 # numEntries: 5
 _______________________________________________
 FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
 To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
 Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
 List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
 List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
 Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure

2024

2023

2022

2021

2020

2019

2018

2017

[Freeipa-users] Re: Updating Letsencrypt certificate fails