Hi, I had Let’s Encrypt SSL on my FreeIPA server. When I set up FreeIPA for the first time, I set up Let’s Encrypt in the following way:

I installed the DST Root CA and the Let’s Encrypt intermediate with the following commands:

    ipa-cacert-manage -n DSTRootCAX3 -t C,, install DTSRootCAX3.pem
    ipa-cacert-manage -n LetsEncryptX3 -t C,, install ca.cer
    ipa-certupdate -v

Then I issued a Let’s Encrypt SSL certificate for the domain with certbot and made a PKCS chain with the command:

    openssl pkcs12 -export -in my_domain.cer -inkey my.key.key -out my_ipa.p12 -certfile fullchain.cer

and installed it with the command:

    ipa-server-certinstall -w ipa.soholab.org.p12

In the last almost two years I didn’t have any problems; Let’s Encrypt was renewed and FreeIPA worked. But after the last renewal, SSL failed. In the FreeIPA GUI, when I try to access the Authentication tab I get the error:

    cannot connect to 'https://my_domain:443/ca/rest/certs/search?size=2147483647': [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:727)

I checked SSL in the browser and I can see Let’s Encrypt changed the intermediate from Let’s Encrypt Authority X3 to R3. I found a doc on Let’s Encrypt where they talk about the intermediate changes: https://letsencrypt.org/2020/09/17/new-root-and-intermediates.html

I tried to install the new intermediate R3 the same way as I did earlier with the old intermediate:

    ipa-cacert-manage -n R3 -t C,, install new_intermediate.cer

but without luck. Maybe one of you had the same problem, or has some idea how to solve this? Thank you in advance.
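Added example, not part of the original message: a shell check that prints which issuer a certificate names and whether it verifies against a given root and intermediate, run here on a constructed chain. The function names, file names and subject names (including the "X3" and "R3" labels) are assumptions made for the demo, not real CA material.

```shell
#!/bin/sh
# Constructed chain: root -> {old "X3", new "R3"} -> leaf issued by the new one.
# Every name and file here is made up for the demo; nothing comes from a real CA.

make_demo_chain() {   # $1 = empty working directory
    d=$1
    cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    # Self-signed root CA.
    openssl req -x509 -newkey rsa:2048 -nodes -config "$d/ca.cnf" -days 2 \
        -subj "/CN=Constructed Root" -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
    # Keys and CSRs for two intermediates and one leaf.
    for n in old:X3 new:R3 leaf:ipa.example.test; do
        f=${n%%:*}; cn=${n#*:}
        openssl req -new -newkey rsa:2048 -nodes -config "$d/ca.cnf" \
            -subj "/CN=Constructed $cn" -keyout "$d/$f.key" -out "$d/$f.csr" 2>/dev/null
    done
    # Both intermediates are signed by the root as CA certificates.
    for f in old new; do
        openssl x509 -req -in "$d/$f.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
            -CAcreateserial -extfile "$d/ca.cnf" -extensions v3_ca -days 2 \
            -out "$d/$f.pem" 2>/dev/null
    done
    # The leaf is issued by the NEW intermediate only.
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/new.pem" -CAkey "$d/new.key" \
        -CAcreateserial -days 2 -out "$d/leaf.pem" 2>/dev/null
}

# $1 = trusted CA file, $2 = intermediate(s) offered as untrusted, $3 = leaf
chain_ok() { openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1; }

# Print the issuer line of a certificate file.
issuer_of() { openssl x509 -noout -issuer -in "$1"; }

demo() {
    d=$(mktemp -d) && make_demo_chain "$d" || return 1
    issuer_of "$d/leaf.pem"
    for i in old new; do
        if chain_ok "$d/root.pem" "$d/$i.pem" "$d/leaf.pem"
        then echo "$i intermediate: chain verifies"
        else echo "$i intermediate: verify failed"; fi
    done
    rm -rf "$d"
}
demo
```

The same two functions can be pointed at real PEM files: issuer_of on the renewed server certificate, and chain_ok with the root file, the intermediate file and the server certificate.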
