When the letsencrypt certificate was renewed a couple of months ago, a problem occurred.
I found this guide and tried to follow it:
https://yyhh.org/blog/2021/01/fix-freeipa-httpd-lets-encrypt-certificate-...
But it seems I have messed up something, and I would like some hints on how to solve my
problem.
ipa-server: 4.6.8
Among other things I get this error message:
ipa-server-certinstall -w fullchain.pem privkey.pem
Directory Manager password:
Enter private key unlock password:
Peer's certificate issuer is not trusted (certutil: certificate is invalid: Peer's
Certificate issuer is not recognized.
). Please run ipa-cacert-manage install and ipa-certupdate to install the CA certificate.
The ipa-server-certinstall command failed.
Below are outputs from some important commands with my domain replaced with
example.net:
certutil -L -d /etc/httpd/alias/
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
Signing-Cert u,u,u
DSTRootCAX3 C,,
EXAMPLE.NET IPA CA CT,C,C
letsencryptx3 C,,
CN=ipa.example.net u,u,u
ldapsearch -Y GSSAPI -Q -b cn=certificates,cn=ipa,cn=etc,dc=example,dc=net
# extended LDIF
#
# LDAPv3
# base <cn=certificates,cn=ipa,cn=etc,dc=example,dc=net> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# certificates, ipa, etc, example.net
dn: cn=certificates,cn=ipa,cn=etc,dc=example,dc=net
objectClass: nsContainer
objectClass: top
cn: certificates
# EXAMPLE.NET IPA CA, certificates, ipa, etc, example.net
dn: cn=EXAMPLE.NET IPA CA,cn=certificates,cn=ipa,cn=etc,dc=example,dc=net
ipaConfigString: ipaCa
ipaConfigString: compatCA
ipaCertSubject: CN=Certificate Authority,O=EXAMPLE.NET
ipaKeyTrust: trusted
cACertificate;binary:: Replaced with XXX
ipaPublicKey:: MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1nIS8VuSpvUaTucptnP
BDEXQYh4cxPT5qkHbuaBrZ7z8TvS2V5K2HCB/Gm6kkyZghxQFMm7zZdDNJQSu9pXUb2HDwv2wdBf6
ZBLxAZNYWJ4qTCXG5RhY13xcORnxzflXkQsMk1Pz4BZb6yEjZx9UvGXVWcdzoKVC9u1YF+jHdcKyQ
4o4K/mcy7PR/F73j3VVAyUXB7WIHT6KLaIp13Ir2byRAHHSPrIa3RBvodrRLQPuHQZZhO5O4BRXPR
6v1rwTgF+EI1Ua3w+mRmP7fHgCQcehvwkXy7zV7GMtaSchcDUf4EluWarG0UsclbLG9orVBnX6kBu
T++1Zs/nVnMAE8wIDAQAB
ipaCertIssuerSerial: CN=Certificate Authority,O=EXAMPLE.NET;1
objectClass: ipaCertificate
objectClass: pkiCA
objectClass: ipaKeyPolicy
objectClass: top
cn: EXAMPLE.NET IPA CA
ipaKeyExtUsage: 1.3.6.1.5.5.7.3.1
ipaKeyExtUsage: 1.3.6.1.5.5.7.3.2
ipaKeyExtUsage: 1.3.6.1.5.5.7.3.3
ipaKeyExtUsage: 1.3.6.1.5.5.7.3.4
# DSTRootCAX3, certificates, ipa, etc, example.net
dn: cn=DSTRootCAX3,cn=certificates,cn=ipa,cn=etc,dc=example,dc=net
ipaKeyExtUsage: 1.3.6.1.5.5.7.3.1
cn: DSTRootCAX3
objectClass: ipaCertificate
objectClass: pkiCA
objectClass: ipaKeyPolicy
objectClass: top
ipaCertSubject: CN=DST Root CA X3,O=Digital Signature Trust Co.
ipaPublicKey:: MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA36/pl1AIg1e0zGJl9pC
C7MfTLGswylvs2cN9x0DBGBSL4Ogzdkkq4z8hSZOsTg6vPkjLZe780yEPZdIq2TKPjOX3d7ASe7WV
wImjqbrtcy56DAYyg6J+ihQwzRGg4So4uXkKMf1QvYBl37dRY4PI4ohh6kthgexSa7mi4ksaKJ9Io
54M2gmOPhcuHt0g31vGKoqrLr1wrcULGiWQdHLFe2qrNNYwif/laBN7VAvI1q7sWpySHj1ks4zG37
/JQXDsFnLVJuw4VTlD0Pz9GFxA8Zfr1ZqbjR262iW5xtjfwRUCOqvabvE+LvVcCJw81oNp5BCbGSq
2KVfj5T2bn/ACXQIDAQAB
cACertificate;binary:: Replaced with XXX
ipaKeyTrust: trusted
ipaCertIssuerSerial: CN=DST Root CA X3,O=Digital Signature Trust Co.;91299735575339953335919266965803778155
# letsencryptx3, certificates, ipa, etc, example.net
dn: cn=letsencryptx3,cn=certificates,cn=ipa,cn=etc,dc=example,dc=net
ipaKeyExtUsage: 1.3.6.1.5.5.7.3.1
cn: letsencryptx3
objectClass: ipaCertificate
objectClass: pkiCA
objectClass: ipaKeyPolicy
objectClass: top
ipaCertSubject: CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US
ipaPublicKey:: MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnNMM8FrlLke3cl03g7N
oYzDq1zUmGSXhvb418XCSL7e4S0EFq6meNQhY7LEqxGiHC6PjdeTm86dicbp5gWAf15Gan/PQeGdx
yGkOlZHP/uaZ6WA8SMx+yk13EiSdRxta67nsHjcAHJyse6cF6s5K671B5TaYucv9bTyWaN8jKkKQD
IZ0Z8h/pZq4UmEUEz9l6YKHy9v6Dlb2honzhT+Xhq+w3Brvaw2VFn3EK6BlspkENnWAa6xK8xuQSX
gvopZPKiAlKQTGdMDQMc2PMTiVFrqoM7hD8bEfwzB/onkxEz0tNvjj/PIzark5McWvxI0NHWQWM6r
6hCm21AvA2H3DkwIDAQAB
cACertificate;binary:: Replaced with XXX
ipaKeyTrust: trusted
ipaCertIssuerSerial: CN=DST Root CA X3,O=Digital Signature Trust Co.;13298795840390663119752826058995181320
# letsencryptr3-cross, certificates, ipa, etc, example.net
dn: cn=letsencryptr3-cross,cn=certificates,cn=ipa,cn=etc,dc=example,dc=net
ipaKeyExtUsage: 1.3.6.1.5.5.7.3.1
cn: letsencryptr3-cross
objectClass: ipaCertificate
objectClass: pkiCA
objectClass: ipaKeyPolicy
objectClass: top
ipaCertSubject: CN=R3,O=Let's Encrypt,C=US
ipaPublicKey:: MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuwIVKMz2oJTTDxLsjVW
Sw/iC8ZmmekKIp10mqrUrucVMsa+Oa/l1yKPXD0eUFFU1V4yeqKI5GfWCPEKpTm71O8Mu243AsFzz
WTjn7c9p8FoLG77AlCQlh/o3cbMT5xys4Zvv2+Q7RVJFlqnBU840yFLuta7tj95gcOKlVKu2bQ6Xp
UA0ayvTvGbrZjR8+muLj1cpmfgwF126cm/7gcWt0oZYPRfH5wm78Sv3htzB2nFd1EbjzK0lwYi8YG
d1ZrPxGPeiXOZT/zqItkel/xMY6pgJdz+dU/nPAeX1pnAXFK9jpP+Zs5Od3FOnBv5IhR2haa4ldbs
TzFID9e1RoYvbFQIDAQAB
cACertificate;binary:: Replaced with XXX
ipaKeyTrust: trusted
ipaCertIssuerSerial: CN=DST Root CA X3,O=Digital Signature Trust Co.;85078157426496920958827089468591623647
# search result
search: 4
result: 0 Success
# numResponses: 6
# numEntries: 5
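The error above says the issuer of the certificate being installed is not recognized, and the ldapsearch dump shows which CA subjects the IPA store does know. A quick way to triage that is to compare the two by name. The script below is an added example, not code from the post or from FreeIPA: it parses the cn=certificates LDIF (folding continuation lines and decoding base64 attributes), collects every stored ipaCertSubject, and walks the subject/issuer DNs that `openssl x509 -noout -subject -issuer -nameopt RFC2253 -in <cert>` reports for each PEM block of fullchain.pem, reporting either the stored CA the chain anchors at or the first issuer the store lacks. All sample data is constructed and shortened from the shapes shown above; the "Placeholder" DNs and the chain pairs are assumptions.

```python
"""Name-based triage of a certificate chain against the FreeIPA CA store.
Added example (not code from the post or from FreeIPA). Parses the LDIF that
`ldapsearch -b cn=certificates,cn=ipa,cn=etc,...` prints and walks the DNs that
`openssl x509 -noout -subject -issuer -nameopt RFC2253` reports per PEM block.
All sample data is constructed and shortened; the Placeholder DNs are assumed."""
import base64
import re

# Constructed LDIF in the shape ldapsearch returns for cn=certificates.
# Continuation lines start with one space (RFC 2849); binary values shortened.
SAMPLE_LDIF = """\
# extended LDIF

dn: cn=EXAMPLE.NET IPA CA,cn=certificates,cn=ipa,cn=etc,dc=example,dc=net
cn: EXAMPLE.NET IPA CA
ipaCertSubject: CN=Certificate Authority,O=EXAMPLE.NET
cACertificate;binary:: WFhY
ipaCertIssuerSerial: CN=Certificate Authority,O=EXAMPLE.NET;1

dn: cn=DSTRootCAX3,cn=certificates,cn=ipa,cn=etc,dc=example,dc=net
cn: DSTRootCAX3
ipaCertSubject: CN=DST Root CA X3,O=Digital Signature Trust Co.
ipaCertIssuerSerial: CN=DST Root CA X3,O=Digital Signature Trust Co.;912997355
 75339953335919266965803778155

dn: cn=letsencryptr3-cross,cn=certificates,cn=ipa,cn=etc,dc=example,dc=net
cn: letsencryptr3-cross
ipaCertSubject: CN=R3,O=Let's Encrypt,C=US
ipaCertIssuerSerial: CN=DST Root CA X3,O=Digital Signature Trust Co.;850781574
 26496920958827089468591623647
"""
# Constructed (subject, issuer) pairs, leaf first, as openssl would report them
# for the PEM blocks of a fullchain.pem. Placeholder DNs are assumptions.
SAMPLE_CHAIN_KNOWN = [("CN=ipa.example.net", "CN=R3,O=Let's Encrypt,C=US"),
                      ("CN=R3,O=Let's Encrypt,C=US", "CN=Placeholder Root CA,O=Example Org")]
SAMPLE_CHAIN_UNKNOWN = [("CN=ipa.example.net", "CN=Placeholder Intermediate,O=Example Org"),
                        ("CN=Placeholder Intermediate,O=Example Org",
                         "CN=Placeholder Root CA,O=Example Org")]


def parse_ldif(text):
    """Entries as dicts of lower-cased attribute -> list of values; folds
    continuation lines, skips comments, base64-decodes '::' values to bytes."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # RFC 2849 line folding
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines:
        if line.startswith("#"):
            continue
        if not line.strip():              # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        value = base64.b64decode(value[1:].strip()) if value.startswith(":") else value.strip()
        current.setdefault(attr.strip().lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def normalize_dn(dn):
    """Fold case and spacing so LDAP and openssl (-nameopt RFC2253) DNs compare;
    RDN order is kept, escaped commas inside a value are not split on."""
    rdns = re.split(r"(?<!\\),", dn)
    return ",".join(re.sub(r"\s*=\s*", "=", r.strip()).lower() for r in rdns)


def stored_ca_subjects(entries):
    """Normalized ipaCertSubject -> cn for every CA entry in the store."""
    return {normalize_dn(s): e["cn"][0]
            for e in entries for s in e.get("ipacertsubject", [])}


def check_chain(chain, subjects):
    """Walk leaf-first: each issuer must be a stored subject (return its cn) or
    a later chain subject. Returns (anchor_cn, None) or (None, missing issuer)."""
    in_chain = {normalize_dn(s) for s, _ in chain}
    for _, issuer in chain:
        key = normalize_dn(issuer)
        if key in subjects:
            return subjects[key], None
        if key not in in_chain:
            return None, issuer
    # Every issuer was inside the chain itself: it ends in a root the store lacks.
    return (None, chain[-1][1]) if chain else (None, None)


if __name__ == "__main__":
    store = stored_ca_subjects(parse_ldif(SAMPLE_LDIF))
    for chain in (SAMPLE_CHAIN_KNOWN, SAMPLE_CHAIN_UNKNOWN):
        anchor, missing = check_chain(chain, store)
        print("anchored at stored CA:", anchor) if anchor else print("issuer not in store:", missing)
```

To run it against real data, save the ldapsearch output to a file and pass it to `parse_ldif`, and build the chain list from the subject and issuer lines openssl prints for each PEM block of fullchain.pem. The comparison is by name only: a matching subject is necessary for `ipa-server-certinstall` to recognize the issuer, but the actual validation also checks signatures and validity periods, so a name match does not by itself prove the chain is good. When the script reports an issuer the store lacks, that is the CA the error message itself says to add with `ipa-cacert-manage install` followed by `ipa-certupdate`.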