Hi,

Let's Encrypt's new chain of trust is now the following:

- *ISRG Root X1*: *C = US, O = Internet Security Research Group, CN = ISRG Root X1*
  (was previously also cross-signed by *DST Root CA X3*: *O = Digital Signature Trust Co., CN = DST Root CA X3*)
- *R3*: *C = US, O = Let's Encrypt, CN = R3*
- your server cert

You mention that the cross-signed root certificate was removed with ipa-cacert-manage, but did you also run ipa-certupdate before trying ipa-server-certinstall? This step is mandatory in order to update the NSS databases, as specified in the man page ipa-cacert-manage(1).

HTH,
flo

On Thu, Oct 7, 2021 at 11:44 PM Stefan Fleischmann via FreeIPA-users <[email protected]> wrote:
> Hi! I've been using FreeIPA (installed without CA, --no-pkinit) with a
> letsencrypt certificate. Whenever the certificate gets renewed I install it
> with ipa-server-certinstall for both the LDAP and web server and that has
> been working just fine. Recently the root certificate (DST Root CA X3)
> expired, as mentioned here:
> https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/
>
> Now when I try to install the new certificate I get this error:
> ---
> CA certificate CN=DST Root CA X3,O=Digital Signature Trust Co. in
> /etc/letsencrypt/live/XXX/cert.pem, /etc/letsencrypt/live/XXX/privkey.pem
> is not valid: certutil: certificate is invalid: The certificate issuer's
> certificate has expired. Check your system date and time.
>
> The ipa-server-certinstall command failed.
> ---
> I don't understand this error message at all, since the `cert.pem` file
> does not contain any reference to the X3 CA, so I suppose it must come from
> somewhere else. Does someone have an idea how to fix this?
>
> I've already removed the root certificate with ipa-cacert-manage and added
> the self-signed X1 root cert, yet the same error message above keeps
> showing up.
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
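The checks and the command order discussed in the thread, as an added shell example that is not part of the thread, of certbot or of the FreeIPA project. pem_split breaks a certbot bundle into single certificates; chain_report prints subject, issuer and notAfter for each one and flags any that has already expired (the condition certutil complains about); refresh_ipa_ca_store spells out the ipa-cacert-manage, then ipa-certupdate, then ipa-server-certinstall sequence from flo's reply. The hostname ipa.example.test, the ISRG Root X1 file path, the nickname of the old cross-signed root and the use of --pin='' for an unencrypted key are assumptions, and the sample bundle at the bottom is constructed with placeholder bodies, not real certificates. Nothing touches the system unless the script is run with --run on an IPA server.

```shell
#!/bin/sh
# Added example (not from the thread or the FreeIPA project): inspect the
# bundles certbot wrote, flag expired certificates, and document the
# ipa-cacert-manage -> ipa-certupdate -> ipa-server-certinstall order.
# Paths, hostname and nicknames below are assumptions.
set -eu

# Split a PEM bundle (e.g. certbot's fullchain.pem) into one file per
# certificate under $2 (cert-1.pem, cert-2.pem, ...) and print the count.
pem_split() {
    bundle=$1
    outdir=$2
    mkdir -p "$outdir"
    n=0
    out=
    while IFS= read -r line || [ -n "$line" ]; do
        if [ "$line" = '-----BEGIN CERTIFICATE-----' ]; then
            n=$((n + 1))
            out="$outdir/cert-$n.pem"
            : > "$out"
        fi
        if [ -n "$out" ]; then
            printf '%s\n' "$line" >> "$out"
        fi
        if [ "$line" = '-----END CERTIFICATE-----' ]; then
            out=
        fi
    done < "$bundle"
    echo "$n"
}

# For each certificate in a bundle print subject, issuer and notAfter and
# flag the expired ones ('openssl x509 -checkend 0' fails once notAfter has
# passed). Needs openssl, so it is not run on the constructed sample below.
chain_report() {
    bundle=$1
    dir=$(mktemp -d)
    count=$(pem_split "$bundle" "$dir")
    echo "$bundle: $count certificate(s)"
    i=1
    while [ "$i" -le "$count" ]; do
        f="$dir/cert-$i.pem"
        openssl x509 -in "$f" -noout -subject -issuer -enddate
        if openssl x509 -in "$f" -noout -checkend 0 >/dev/null; then
            echo "  status: valid"
        else
            echo "  status: EXPIRED (this is what certutil rejects)"
        fi
        i=$((i + 1))
    done
    rm -rf "$dir"
}

# The fix sequence in the order ipa-cacert-manage(1) requires: change the
# CA store, push it into the NSS databases with ipa-certupdate, and only
# then reinstall the service certificates. Run as root on the IPA server;
# the Directory Manager password is prompted for.
refresh_ipa_ca_store() {
    live=/etc/letsencrypt/live/ipa.example.test        # assumed hostname
    root_pem=/etc/pki/tls/certs/isrg-root-x1.pem       # assumed: self-signed ISRG Root X1, fetched out of band
    old_nick='CN=DST Root CA X3,O=Digital Signature Trust Co.'  # assumed; take it from 'ipa-cacert-manage list'

    ipa-cacert-manage list
    ipa-cacert-manage delete "$old_nick"
    ipa-cacert-manage install "$root_pem" -n 'ISRG Root X1' -t C,,
    ipa-certupdate
    chain_report "$live/fullchain.pem"
    ipa-server-certinstall -w -d --pin='' "$live/cert.pem" "$live/privkey.pem"  # --pin='': key is unencrypted (assumed)
    ipactl restart
}

# Constructed sample bundle (placeholder bodies, not real certificates) so
# pem_split can be demonstrated offline.
sample_dir=$(mktemp -d)
cat > "$sample_dir/fullchain.pem" <<'EOF'
-----BEGIN CERTIFICATE-----
LEAFCERT...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
INTERMEDIATE...
-----END CERTIFICATE-----
EOF
echo "sample bundle holds $(pem_split "$sample_dir/fullchain.pem" "$sample_dir/split") certificate(s)"

if [ "${1:-}" = --run ]; then
    refresh_ipa_ca_store
fi
```

Run `sh chain-check.sh` to see the split on the sample; on the IPA host, `chain_report /etc/letsencrypt/live/<fqdn>/fullchain.pem` shows which certificates certbot actually bundled and whether any of them is past notAfter, which is the first thing to look at when certutil reports an expired issuer.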
