Let's Encrypt's new chain of trust is now the following:
- *ISRG Root X1*: *C = US, O = Internet Security Research Group, CN = ISRG Root X1*
(was previously also cross-signed by *DST Root CA X3*: *O = Digital
Signature Trust Co., CN = DST Root CA X3*)
- *R3*: *C = US, O = Let's Encrypt, CN = R3*
- your server cert
You mention that the cross-signed root certificate was removed with
ipa-cacert-manage, but did you also run ipa-certupdate before trying
ipa-server-certinstall? This step is mandatory in order to update the NSS
databases, as specified in the man page ipa-cacert-manage(1).
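The recovery order described above, as an added example that is not part of this thread: audit the subject/issuer pairs in the chain file, drop the expired cross-signed root from IPA's store if it is still listed, then run ipa-certupdate before ipa-server-certinstall. The key file name privkey.pem, the -d/-w flags, deleting by the subject DN shown in the error, and the OpenSSL 1.1+ "subject=..." output format are assumptions; confirm the exact entry with `ipa-cacert-manage list` first.

```shell
# Added example (not from the thread): recover a FreeIPA server whose NSS
# databases still hold the expired DST Root CA X3 cross-sign.

# Parse "subject=" / "issuer=" lines as printed by 'openssl pkcs7 -print_certs
# -noout'; succeed only if at least one cert was seen and none is issued by
# DST Root CA X3 (the expired cross-sign path).
audit_chain_text() {
    found=0; seen=0; subj='(unknown)'
    while IFS= read -r line; do
        case "$line" in
            subject=*) subj=${line#subject=} ;;
            issuer=*)
                iss=${line#issuer=}; seen=$((seen + 1))
                printf '  %s\n      issued by: %s\n' "$subj" "$iss"
                case "$iss" in
                    *'CN = DST Root CA X3'*|*'CN=DST Root CA X3'*) found=1 ;;
                esac ;;
        esac
    done
    [ "$seen" -gt 0 ] && [ "$found" -eq 0 ]
}

# Dump subject/issuer pairs for every certificate in a PEM bundle.
pem_issuers() {
    openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}

# cert.pem is the file name from the thread; privkey.pem is an assumption.
fix_freeipa_chain() {
    cert=${1:-cert.pem}; key=${2:-privkey.pem}
    echo "== certificates in $cert"
    if ! pem_issuers "$cert" | audit_chain_text; then
        echo "$cert carries the expired cross-sign; use a chain ending at ISRG Root X1" >&2
        return 1
    fi
    # Drop the expired root if IPA still tracks it (subject DN as shown in the error).
    if ipa-cacert-manage list | grep -q 'DST Root CA X3'; then
        ipa-cacert-manage delete 'CN=DST Root CA X3,O=Digital Signature Trust Co.'
    fi
    # Mandatory per ipa-cacert-manage(1): refresh the NSS databases first...
    ipa-certupdate
    # ...and only then reinstall the renewed cert for LDAP (-d) and Apache (-w).
    ipa-server-certinstall -d -w "$cert" "$key"
}

# Run only when invoked as: sh fix-chain.sh apply [cert.pem] [privkey.pem]
if [ "${1:-}" = "apply" ]; then
    fix_freeipa_chain "$2" "$3"
fi
```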
On Thu, Oct 7, 2021 at 11:44 PM Stefan Fleischmann via FreeIPA-users <
Hi! I've been using FreeIPA (installed without CA, --no-pkinit) with a
letsencrypt certificate. Whenever the certificate gets renewed I install it
with ipa-server-certinstall for both the LDAP and web server and that has been
working just fine. Recently the root certificate (DST Root CA X3)
expired as mentioned here.
Now when I try to install the new certificate I get this error:
CA certificate CN=DST Root CA X3,O=Digital Signature Trust Co. in
is not valid: certutil: certificate is invalid: The certificate issuer's
certificate has expired. Check your system date and time.
The ipa-server-certinstall command failed.
I don't understand this error message at all since the `cert.pem` file
does not contain any reference to the X3 CA, so I suppose it must come from
somewhere else. Does someone have an idea how to fix this?
I've already removed the root certificate with ipa-cacert-manage and added
the self-signed X1 root cert, yet the same error message above keeps
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org