Freeipa doesn't see the full certificate chain when CN = E6

Hello, I encountered a problem. I always issued a new certificate with this command and everything worked fine

certbot certonly -d '*.mydomain.net' --manual --config-dir config --work-dir work --logs-dir logs --preferred-challenges dns --keep-until-expiring --agree-tos --no-self-upgrade --no-bootstrap --cert-name wildcard-mydomain-net

But yesterday, as usual, I tried to issue a certificate and add it to Freeipa and got this error:

The full certificate chain is not present in /etc/ssl/private/privkey.pem, /etc/ssl/private/cert.pem

The only difference that I see between old certs and new is new CN name, old certificate is

Issuer: C = US, O = Let's Encrypt, CN = R3

New certificate CN name is:

Issuer: C = US, O = Let's Encrypt, CN = E6

As I understand Freeipa can't see certificate chain with new CN..
What can I do with it?
I only have 5 days left before my old certificate expires.
Thanks for any help.

certbot version is 2.11.0

Found the answer here:

First you need to run this script to obtain and install new CA's certificates

FQDN=$(hostname -f)
CERTS2=("e5.pem" "e6.pem" "r10.pem" "r11.pem")

for CERT2 in "${CERTS2[@]}"
do
  if command -v wget &> /dev/null
  then
    wget -O "/etc/ssl/$FQDN/$CERT2" "https://letsencrypt.org/certs/2024/$CERT2"
  elif command -v curl &> /dev/null
  then
    curl -o "/etc/ssl/$FQDN/$CERT2" "https://letsencrypt.org/certs/2024/$CERT2"
  fi
  ipa-cacert-manage install "/etc/ssl/$FQDN/$CERT2"
done

Then as usual install them:

ipa-server-certinstall -w -d /etc/ssl/private/privkey.pem /etc/ssl/private/cert.pem --pin=''

And just restart ipa:

ipactl restart

That it! Maybe this will helpful for someone.

What a terrible idea by Freeipa. They should not hardcode the intermediates! They don't have a clue what they're doing.....

5 Likes

I second that.

4 Likes

Wanted to add to this incase anyone else finds themselves here.

This was the error I got when trying this method:

Not a valid CA certificate: certutil: certificate is invalid: Peer's Certificate issuer is not recognized.

I am using OPNSense to manage my certificates and using built in automation to upload them to my server. This is the first time I using FreeIPA.

To fix this I had to download the root CA from lets encrypt from their certificate page.

Under the Root CA there are two certs called ISRG Root X1 and ISRG Root X2 as of 2024-06-26.
For each of these you want to download the Certificate details (self-signed) pem version.
An example

wget https://letsencrypt.org/certs/isrg-root-x2.pem

Then you need to install these like so

ipa-cacert-manage install isrgrootx1.pem -n ISRGRootCAX1 -t C,,
ipa-cacert-manage install isrg-root-x2.pem -n ISRGRootCAX2 -t C,,
ipa-certupdate -v

This part I got from this gist.

After these are installed, you can move on with the solution above.

Note: if you are doing something like me with having something SFTP the certs to the server, you will need to generate the /etc/ssl/FQDN directory or update the script to some other directory.

2 Likes

@alteredtech It's nice that you found that and posted it. For people who may try to follow the instructions at that gist directly I want to warn them it is from 3 years ago.

So, do not try to download and install this one as it shows

wget https://letsencrypt.org/certs/letsencryptauthorityx3.pem

That cert expired nearly 3 years ago. The X1 and X2 roots shown by @alteredtech are good suggestions.

3 Likes