Hello,
I have been tasked with installing FreeIPA in our environment to help manage
certificates for Postgres, NGINX and RabbitMQ. I am completely new to the
administrative side of certificates, so I may have made some incorrect
assumptions. We have decided to use LetsEncrypt as our external CA, so I ran
the FreeIPA install:
sudo ipa-server-install --realm MYDOMAIN.COM --domain mydomain.com
--setup-dns --auto-forwarders --allow-zone-overlap --external-ca --ca-subject
"CN=mydomain.com"
This produced a CSR which I have had signed by LetsEncrypt (I also tried to
sign the CSR with with gethttpsforfree, but got the same results):
sudo certbot --csr /root/ipa.csr --preferred-challenges dns certonly
As I understand it, it should be as simple at this point to rerun
ipa-server-install with external-cert-file arguments for the signed CSR file
and the existing trust chain.
sudo ipa-server-install --external-cert-file=/path/to/file/signed_csr.pem
--external-cert-file=/etc/letsencrypt/live/mydomain.com/fullchain.pem
This results in an error I can't wrap my head around:
ERROR: CA Certificate CN=mydomain.com in <signed CSR file>, <trust chain
file> is not valid: not a CA certificate.
After getting this certificate chain in FreeIPA I plan on creating a couple
more layers of intermediate certificates and, eventually, create root
certificates for the individual services. What assumption am I making that is
causing this process to go sideways? I could not really find anything in the
volumes of documentation I have gone through so far.
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/[email protected]
