I just try that:
cp ca.crt /usr/local/share/ca-certificates/
update-ca-certificates
Updating certificates in /etc/ssl/certs... 1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d....
updates of cacerts keystore disabled.
done.
Looks like update something, but again same error. In above command I
copied ca.crt from IPA if you think on that.
Thank you on your time.
On May 20, 2019 at 4:03:32 PM, Rob Crittenden (rcritten(a)redhat.com) wrote:
Petar Kozić via FreeIPA-users wrote:
@Rob, sorry for duplicate mail, I forget to do reply to all
No, there is X1 and X3. I have whole chain in ca.crt
Where you think that I can install this let’s encrypt root on client
side, because on server I already have it in chain?
On IPA I installed on this way.
https://blog.soholabs.org/lets-encrypt-and-the-freeipa-web-gui/
The older ipa-client-install don't handle cert chains well. You can try
to add the roots to the global trust before running the installer via:
$ sudo cp ca.crt /usr/local/share/ca-certificates/
$ sudo update-ca-certificates
rob
On May 20, 2019 at 3:28:50 PM, Rob Crittenden (rcritten(a)redhat.com
<mailto:rcritten@redhat.com>) wrote:
> Petar Kozić via FreeIPA-users wrote:
> > Here is the log files. I just want to inform you that I have that
> > problem now also on Ubuntu 14.40 and Debian 8.
> > On Ubuntu ipa client version is 3.3, maybe problem is there.
>
> > In mean time I enrolled several more Ubuntu 18.04
instances without
> > problem.
>
> > On this Debian 8 and Ubuntu 14.40 I just try with
options
—ca-cert-file
> > which I copied from master but same error.
>
> I have no visibility into what
CA file you used but you're missing
> either the X3 subca or the X1 root.
> You can get them from
https://letsencrypt.org/certificates/
> Look at the ca.crt you used and see how many certificates
are in there.
> I'm assuming there is only one. You can try concatenating the X1 and X3
> certs into that and things should work.
> rob
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://getfedora.org/code-of-conduct.html
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...