Thank you so much for the pointers in the right direction! So actually on one 
of the replicas the certificate had expired just yesterday or the day before, 
so that posed an additional problem.

First I removed the expired X3 CA and the cross-signed X1 with `ipa-cacert-manage` 
(using the force flag), then I added the self-signed X1 (with the "-t C,," flag). 
Now to the task of making `ipa-certupdate` work despite the expired 
certificate. First I made sure, as you mentioned, that I have the correct 
certificates (only the Let's Encrypt R3 and the self-signed X1) in the file 
`/etc/ipa/ca.crt`. Then I disabled strict SSL checks for both LDAP and HTTP by 
editing the following files:

/usr/lib/python3/dist-packages/ipalib/util.py
- ctx.verify_mode = ssl.CERT_REQUIRED
- ctx.check_hostname = True
- ctx.load_verify_locations(cafile)
+ ctx.verify_mode = ssl.CERT_NONE
+ ctx.check_hostname = False
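Review bot: the removed `ctx.load_verify_locations(cafile)` line has no replacement, so a partial revert that restores `CERT_REQUIRED` and `check_hostname = True` but not that line leaves the context with no trust anchors and every IPA HTTPS call fails verification; restore all three lines together. While the change is in place, `verify_mode = ssl.CERT_NONE` accepts any certificate from any host, so the client will talk to an impostor just as happily as to the real server; keep that window to the single `ipa-certupdate` run. Note also that the edit is in a packaged file under /usr/lib/python3/dist-packages, which the next package upgrade will overwrite.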

(stolen from here 
https://github.com/freeipa/freeipa-letsencrypt/issues/25#issuecomment-761904947)

and /usr/lib/python3/dist-packages/ipapython/ipaldap.py
- conn.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)           
+ conn.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_ALLOW)
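Review bot: `OPT_X_TLS_ALLOW` tells libldap to request the server certificate but carry on even when it is missing or fails to verify, so until this is reverted the LDAP bind credentials go to whatever answers on the LDAPS/StartTLS port. It is the same relaxation as `TLS_REQCERT allow` in /etc/ldap/ldap.conf, and because a per-connection `set_option` overrides the ldap.conf default, only one of the two is needed. The `-` line also carries trailing whitespace after the closing parenthesis, so the snippet as pasted will not apply with `patch` against a clean file.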

and for good measure I added "TLS_REQCERT allow" to /etc/ldap/ldap.conf.

Then `ipa-certupdate` finally went through, and I reverted the changes 
above. After that I could finally install the new certificate with 
`ipa-server-certinstall`, and things seem back to normal now. But I guess I 
still need to be careful not to accidentally import the old chain on the next 
update...


_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure
