Sarhan Aissi via FreeIPA-users wrote:
> Hello,
> I am using FreeIPA 4.3.1 with Ubuntu Server 16.04 and I tried to add my
> Let's Encrypt certificate using the "freeipa-letsencrypt" script (I replaced
> Fedora/RHEL commands with Ubuntu equivalents):
> After restarting FreeIPA I cannot add new members to the IPA server or
> connect to the REST API. The error message is related to the certificate
> and " (SEC_ERROR_UNKNOWN_ISSUER) Peer's Certificate issuer is not
> recognized.".
> How can I add the Let's Encrypt issuer to the trust list or at least undo what
> I have done (I don't have any backup for /etc/apache2/nssdb)?

The clients need to trust the issuer of your CA cert.

Try ipa-cacert-manage install to install the chain.

Then on each already-enrolled client run ipa-certupdate.

New clients should get the chain upon enrollment.
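
An added example, not part of the original thread: a quick check that a chain file really validates the server certificate before it is handed to ipa-cacert-manage install. It uses openssl (as a stand-in for the NSS validation that raised the error) and a constructed throwaway root/intermediate/leaf hierarchy; all file names and CNs are assumptions.

```shell
#!/bin/sh
# Added example. The PKI below is constructed for the demo, not real
# Let's Encrypt material. Requires the openssl command-line tool.

# Return 0 if certificate $2 validates against the CA bundle $1.
chain_verifies() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Create one key + CSR pair: $1 = file prefix, $2 = subject.
new_csr() {
    openssl req -newkey rsa:2048 -nodes -subj "$2" \
        -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

# Build root -> intermediate -> leaf in directory $1 (hypothetical names).
make_demo_pki() {
    p=$1
    printf 'basicConstraints=critical,CA:TRUE\n' > "$p/ca.ext"
    new_csr "$p/root" "/CN=Demo Root" &&
    new_csr "$p/int"  "/CN=Demo Intermediate" &&
    new_csr "$p/leaf" "/CN=ipa.example.test" &&
    # Self-signed root carrying the CA extension.
    openssl x509 -req -in "$p/root.csr" -signkey "$p/root.key" \
        -extfile "$p/ca.ext" -days 2 -out "$p/root.pem" 2>/dev/null &&
    # Intermediate CA signed by the root.
    openssl x509 -req -in "$p/int.csr" -CA "$p/root.pem" -CAkey "$p/root.key" \
        -CAcreateserial -extfile "$p/ca.ext" -days 2 \
        -out "$p/int.pem" 2>/dev/null &&
    # Server (leaf) certificate signed by the intermediate.
    openssl x509 -req -in "$p/leaf.csr" -CA "$p/int.pem" -CAkey "$p/int.key" \
        -CAcreateserial -days 2 -out "$p/leaf.pem" 2>/dev/null &&
    # The chain file to install: intermediate plus root.
    cat "$p/int.pem" "$p/root.pem" > "$p/chain.pem"
}

# Demo: the same leaf is rejected or accepted depending on the trust bundle.
demo=$(mktemp -d) && make_demo_pki "$demo"
for bundle in root.pem int.pem chain.pem; do
    if chain_verifies "$demo/$bundle" "$demo/leaf.pem"; then
        echo "$bundle: server certificate trusted"
    else
        echo "$bundle: issuer not recognized"
    fi
done
rm -rf "$demo"
```

Only the bundle containing every CA certificate between the server certificate and the root passes; a partial bundle fails the same way an unknown issuer does.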
