Hi Timo, Georgijs,

In our setup we use Let's Encrypt certificates for HTTPS/LDAPS and the solution was to add the "DST Root CA X3" to the NSS database at "/etc/pki/nssdb". I used the following command to do it:

$ certutil -A -n "DST Root CA X3" -t "C,," -i /etc/ssl/certs/DST_Root_CA_X3.pem -d sql:/etc/pki/nssdb

The strange part of the story is that this is not necessary on Ubuntu 16.04 to have a successful ipa-client-install. Maybe the 4.x version of FreeIPA has different method(s) for CA certificate retrieval or validation.

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1635568

Title:
  freeipa-client - Can't enroll a client if server has external CA certs in addition to self signed CA cert
