I have attached the files to this response.

On Tue, Oct 15, 2019 at 3:32 PM Rob Crittenden <rcritten@redhat.com> wrote:
Kristian Petersen via FreeIPA-users wrote:
> They aren't in one file.  But the server cert's issuer is the subject of
> the DigiCert.crt file.  I have already tried adding just the
> Digicert.crt file only to have it tell me it's Peer's Certificate isn't
> trusted.  I don't even know what certificate that is talking about.

Can you share the files?

rob

>
> On Tue, Oct 15, 2019 at 7:27 AM Rob Crittenden <rcritten@redhat.com> wrote:
>
>     Kristian Petersen wrote:
>     > Rob,
>     >
>     > After investigating the certs as you had suggested, I do have the whole
>     > chain.  The server cert has as its issuer:
>     > Issuer: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 High Assurance Server CA
>     >
>     > And the DigiCert.crt file has as its issuer and subject:
>     > Issuer: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 High Assurance Server CA
>     > Subject: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 High Assurance Server CA
>     >
>     > Am I missing something here?
>
>     So you have the whole chain in one file? Try adding them individually,
>     starting at the root.
>
>     rob
>
>     >
>     > On Fri, Oct 11, 2019 at 12:50 PM Rob Crittenden <rcritten@redhat.com> wrote:
>     >
>     >     Kristian Petersen wrote:
>     >     > New but related question:  If I just want to add new LDAP and HTTPS
>     >     > certs (not replacing the current ones) I know that can be done.  I read
>     >     > an article from Florence Blanc-Renaud that mentions it, but I ran into
>     >     > some errors and I'm trying to troubleshoot them. When I ran
>     >     > ipa-server-certinstall and gave it the key I generated and the crt file
>     >     > I got from Digicert it said the entire chain was not present.  So then I
>     >     > tried including the DigiCertCA.crt file as well, however, I got the same
>     >     > result.
>     >     >
>     >     > I next tried adding the DigiCert certificate to IPA using
>     >     > ipa-cacert-manage -p DM_PASSWORD -n NICKNAME -t C,, install DigiCertCA.crt
>     >     > This also failed giving an error that the cert was invalid because the
>     >     > Peer's Certificate issuer was not recognized.  Any thoughts about what I
>     >     > might have missed?
>     >
>     >     You don't have the full chain. It can be tricky to find the whole list
>     >     even on CAs that make it relatively easy.
>     >
>     >     What you want to do is use a tool like openssl x509 to display the
>     >     subject and issuer:
>     >
>     >     openssl x509 -text -noout -in /path/to/cert
>     >
>     >     I'd start with the server cert you've been issued. Find a matching CA
>     >     cert where the subject of the CA cert matches the issuer on the
>     >     server cert.
>     >
>     >     Then find another CA cert whose subject matches the issuer of the bottom
>     >     of the chain, and work upwards until you find a CA cert where the issuer
>     >     and subject match. Then you've found the root. That plus the other
>     >     matching CA certs is your chain.
>     >
>     >     I'll also note about the "add but not replace" the LDAP and Web certs.
>     >     There can only be one active. You can certainly use different physical
>     >     files and nicknames to store the new certs but only one set is active at
>     >     a time.
>     >
>     >     rob
>     >
>     >     >
>     >     >
>     >     > On Fri, Oct 11, 2019 at 11:20 AM Rob Crittenden <rcritten@redhat.com> wrote:
>     >     >
>     >     >     Kristian Petersen via FreeIPA-users wrote:
>     >     >     > That outlines the options, but not why I should or shouldn't use
>     >     >     > any of them.  That is more of what I am looking for.
>     >     >
>     >     >     It's less benefit analysis and more forced by internal requirements.
>     >     >
>     >     >     Often an organization already has a CA and wants any additional CAs to
>     >     >     be subordinates.
>     >     >
>     >     >     The downside of an external CA is some additional complexity.
>     >     >
>     >     >     Installation can be more difficult (users often have issues getting
>     >     >     their external CA to properly sign the IPA CSR), dealing with a longer
>     >     >     certificate chain and being bound by the expiration date of the
>     >     >     external CA.
>     >     >
>     >     >     rob
>     >     >
>     >     >     >
>     >     >     > On Fri, Oct 11, 2019 at 9:47 AM François Cami <fcami@redhat.com> wrote:
>     >     >     >
>     >     >     >     Hi,
>     >     >     >
>     >     >     >     On Fri, Oct 11, 2019 at 5:34 PM Kristian Petersen via FreeIPA-users
>     >     >     >     <freeipa-users@lists.fedorahosted.org> wrote:
>     >     >     >     >
>     >     >     >     > Hey y'all,
>     >     >     >     >
>     >     >     >     > What are the pros and cons of using an external or internal CA
>     >     >     >     > for FreeIPA/IdM?  I am trying to decide which to do but having
>     >     >     >     > trouble finding a lot of info about why I would want to do one or
>     >     >     >     > the other.
>     >     >     >
>     >     >     >     The choices are documented there:
>     >     >     >     https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/install-server
>     >     >     >
>     >     >     >     François
>     >     >     >
>     >     >     >     > Thanks in advance!
>     >     >     >     >
>     >     >     >     > --
>     >     >     >     > Kristian Petersen
>     >     >     >     > System Administrator
>     >     >     >     > BYU Dept. of Chemistry and Biochemistry
>     >     >     >     > _______________________________________________
>     >     >     >     > FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>     >     >     >     > To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
>     >     >     >     > Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>     >     >     >     > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>     >     >     >     > List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
>     >     >     >
>     >     >     >
>     >     >     >
>     >     >     >
>     >     >     >
>     >     >     >
>     >     >
>     >     >
>     >     >
>     >
>     >
>     >
>
>
>
>
>
>



--
Kristian Petersen
System Administrator
BYU Dept. of Chemistry and Biochemistry
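Rob's chain-finding procedure quoted above (print subject and issuer of each file, start at the server cert, find the CA cert whose subject equals the current issuer, repeat until you reach a cert whose subject and issuer match, then add the CA certs individually starting at the root) can be automated over a directory of PEM files. The script below is an added example written for this thread; it is not FreeIPA or OpenSSL code and nothing from the attached files is used. The `openssl x509 -noout -subject -issuer` output it parses is constructed inline with made-up Example CA names; `dump_names` shows how to produce the same text from real files. It also reports the exact condition behind the "entire chain was not present" error: an issuer that none of the supplied files has as its subject.

```python
"""Order PEM files into a chain by matching issuer to subject, then list
the CA files in the order Rob suggests installing them (root first).

Added example for the FreeIPA-users thread above; not FreeIPA/OpenSSL code.
Sample openssl output and certificate names below are constructed.
"""
import subprocess
from typing import Dict, List, Optional, Tuple

# Constructed sample of what this loop prints for three files:
#   for f in *.crt; do echo "==> $f <=="; \
#       openssl x509 -noout -subject -issuer -in "$f"; done
SAMPLE_COMPLETE = """\
==> server.crt <==
subject=C = US, O = Example Corp, CN = ipa.example.test
issuer=C = US, O = Example CA Inc, CN = Example Intermediate CA
==> intermediate.crt <==
subject=C = US, O = Example CA Inc, CN = Example Intermediate CA
issuer=C = US, O = Example CA Inc, CN = Example Root CA
==> root.crt <==
subject=C = US, O = Example CA Inc, CN = Example Root CA
issuer=C = US, O = Example CA Inc, CN = Example Root CA
"""

# Same files minus the root: the situation in the thread, where only the
# server cert and one intermediate were handed to ipa-server-certinstall.
SAMPLE_MISSING_ROOT = "\n".join(SAMPLE_COMPLETE.splitlines()[:6]) + "\n"


def dump_names(paths: List[str]) -> str:
    """Build the same text from real files (needs openssl on PATH; not run here)."""
    out = []
    for p in paths:
        res = subprocess.run(
            ["openssl", "x509", "-noout", "-subject", "-issuer", "-in", p],
            check=True, capture_output=True, text=True)
        out.append(f"==> {p} <==\n{res.stdout}")
    return "".join(out)


def parse_openssl_names(output: str) -> Dict[str, Tuple[str, str]]:
    """Map each '==> file <==' block to (subject, issuer).

    Works with both the 'subject=C = US, ...' and the older
    'subject= /C=US/...' spellings, since only the text after '=' is kept.
    """
    certs: Dict[str, Tuple[str, str]] = {}
    current: Optional[str] = None
    subject: Optional[str] = None
    issuer: Optional[str] = None
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("==> ") and line.endswith(" <=="):
            current, subject, issuer = line[4:-4], None, None
        elif current and line.startswith("subject="):
            subject = line[len("subject="):].strip()
        elif current and line.startswith("issuer="):
            issuer = line[len("issuer="):].strip()
        if current and subject is not None and issuer is not None:
            certs[current] = (subject, issuer)
            current = None
    return certs


def build_chain(certs: Dict[str, Tuple[str, str]],
                leaf: str) -> Tuple[List[str], Optional[str]]:
    """Walk from the leaf upwards: the next cert is the one whose subject equals
    the current issuer.  Stop at a self-signed cert (subject == issuer).

    Returns (files leaf->root, missing_issuer).  missing_issuer is None when
    the chain ends in a root, otherwise the issuer no supplied file matches.
    """
    chain = [leaf]
    seen = {leaf}
    subject, issuer = certs[leaf]
    while subject != issuer:
        nxt = next((f for f, (s, _) in certs.items()
                    if s == issuer and f not in seen), None)
        if nxt is None:
            return chain, issuer          # chain is incomplete here
        chain.append(nxt)
        seen.add(nxt)
        subject, issuer = certs[nxt]
    return chain, None


def install_order(chain: List[str]) -> List[str]:
    """CA files in the order to feed ipa-cacert-manage install: root first."""
    return list(reversed(chain[1:]))


if __name__ == "__main__":
    for sample in (SAMPLE_COMPLETE, SAMPLE_MISSING_ROOT):
        chain, missing = build_chain(parse_openssl_names(sample), "server.crt")
        print("chain:", " -> ".join(chain))
        if missing is None:
            print("install order:", install_order(chain))
        else:
            print("incomplete: no file has subject", repr(missing))
```

With real files, replace the constructed samples by `dump_names(["server.crt", "DigiCertCA.crt", ...])`; an `incomplete` result names the issuer whose CA certificate still has to be fetched before the chain can be installed.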