I sorted the problem. I need to import the new R3 Let’s Encrypt intermediate before issuing the new SSL.
ipa-cacert-manage -n R3 -t C,, install letsencrypt_r3.pem
ipa-certupdate -v
renew Let’s Encrypt SSL.

> On 20.01.2021., at 10:37, Petar Kozić <[email protected]> wrote:
>
> Hi,
> I had Let’s Encrypt SSL on my FreeIPA server. When I set up FreeIPA for the
> first time, I set up Let’s Encrypt in the following way:
>
> I installed DST CA ROOT and the Let’s Encrypt intermediate with the following commands:
>
> ipa-cacert-manage -n DSTRootCAX3 -t C,, install DTSRootCAX3.pem
> ipa-cacert-manage -n LetsEncryptX3 -t C,, install ca.cer
> ipa-certupdate -v
>
> Then I issued a Let’s Encrypt SSL for the domain with certbot and made a PKCS chain
> with the command:
>
> openssl pkcs12 -export -in my_domain.cer -inkey my.key.key -out my_ipa.p12 -certfile fullchain.cer
>
> and installed it with the command:
> ipa-server-certinstall -w ipa.soholab.org.p12
>
> For almost the last two years I didn’t have any problems; Let’s Encrypt was
> renewed and FreeIPA worked. But after the last renewal, SSL failed.
>
> In the FreeIPA GUI, when I try to access the Authentication tab, I get the error:
> cannot connect to 'https://my_domain:443/ca/rest/certs/search?size=2147483647': [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:727)
>
> I checked the SSL in the browser and I can see Let’s Encrypt changed the intermediate
> from Let’s Encrypt Authority X3 to R3.
>
> I found a doc on Let’s Encrypt where they describe the intermediate changes:
> https://letsencrypt.org/2020/09/17/new-root-and-intermediates.html
>
> I tried to install the new intermediate, R3, in the same way as I did
> earlier with the old intermediate:
> ipa-cacert-manage -n R3 -t C,, install new_intermediate.cer
>
> but without luck.
>
> Maybe one of you had the same problem, or has some idea how to solve this?
> Thank you in advance.
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
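
An added example, not part of the original messages: a pre-flight check for the situation in this thread, where a renewed certificate is issued by an intermediate that the trust store does not yet contain. It builds a constructed throwaway PKI (demo-root, demo-X3 and demo-R3 are stand-in names, not Let's Encrypt material) and uses plain `openssl verify`; on an IPA host the bundle to test is assumed to be the CA file IPA maintains, such as /etc/ipa/ca.crt.

```shell
#!/bin/sh
# Added example. All certificates are constructed stand-ins generated locally.

# chain_ok BUNDLE LEAF: true only if LEAF verifies using just the CAs in BUNDLE
chain_ok() {
    openssl verify -no-CApath -no-CAfile -CAfile "$1" "$2" >/dev/null 2>&1
}

# issuer_cn CERT: print the CN of the CA that signed CERT
issuer_cn() {
    openssl x509 -in "$1" -noout -issuer -nameopt multiline |
        sed -n 's/^ *commonName *= *//p'
}

# mint NAME EXTFILE SIGNING-ARGS...: create NAME.key and NAME.pem
mint() {
    name=$1 ext=$2; shift 2
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$name" \
        -keyout "$name.key" -out "$name.csr" 2>/dev/null &&
    openssl x509 -req -in "$name.csr" -days 2 -extfile "$ext" \
        -out "$name.pem" "$@" 2>/dev/null
}

# build_demo_pki DIR: root, old and new intermediates, leaf issued by the new one
build_demo_pki() {
    cd "$1" || return 1
    printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
    printf 'basicConstraints=CA:FALSE\n' > leaf.ext
    mint demo-root ca.ext -signkey demo-root.key &&
    mint demo-X3 ca.ext -CA demo-root.pem -CAkey demo-root.key -CAcreateserial &&
    mint demo-R3 ca.ext -CA demo-root.pem -CAkey demo-root.key -CAcreateserial &&
    mint renewed leaf.ext -CA demo-R3.pem -CAkey demo-R3.key -CAcreateserial ||
        return 1
    # trusted-before: the store as first set up; trusted-after: new CA added
    cat demo-root.pem demo-X3.pem > trusted-before.pem &&
    cat trusted-before.pem demo-R3.pem > trusted-after.pem
}

work=$(mktemp -d) && build_demo_pki "$work" || exit 1
for bundle in trusted-before.pem trusted-after.pem; do
    if chain_ok "$bundle" renewed.pem; then
        echo "$bundle: chain verifies, certificate can be installed"
    else
        echo "$bundle: issuer '$(issuer_cn renewed.pem)' is not trusted yet"
    fi
done
```

The "after" bundle corresponds to the state reached in the reply above by running `ipa-cacert-manage ... install` for the new intermediate followed by `ipa-certupdate`.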
