Trying to get a freeipa CSR signed by LetsEncrypt

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g., so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command: - Step 3c Sign API Requests - Create your certificate order

It produced this output:
Error: Order failed. Please start back at Step 1. { ‚Äútype‚ÄĚ: ‚Äúurn:ietf:params:acme:error:rejectedIdentifier‚ÄĚ, ‚Äúdetail‚ÄĚ: ‚ÄúError creating new order :: Cannot issue for ‚Äúcertificate authority‚ÄĚ: Domain name contains an invalid character‚ÄĚ, ‚Äústatus‚ÄĚ: 400 }

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
freeipa 4.8

I am trying to install freeipa server (really new at certs) with an external CA. Our domain has already registered and the webserver is running Certbot, but we want to expand to use FIPA to issue certs for our internal services operating off the same domain, hence the introduction of FreeIPA.

I have taken the CSR created by pass 1 of the freeipa server install process and tried to get it signed by following the steps on, but the process fails during the step to sign API requests/create certificate order with the message indicated in the form above. I have been able to create my own CSR and was able to walk it through the signing process, but FIPA did not like the resulting certificate.

I would like to get the CSR that FreeIPA created signed and would like advice pointing me in the right direction.

Thank you in advance.

1 Like

Cannot issue for ‚Äúcertificate authority‚ÄĚ

Your CSR literally contains the domain name ‚Äúcertificate authority‚ÄĚ. Something is wrong with the way FreeIPA has generated it. It should contain your domain name instead.


Thank you. I found that suspicious but trusted that the installer did the right thing out of the box. Now I have to see what can be done to properly influence the CSR creation during installation.

1 Like

For anyone who runs into the same issue I had here are my circumstances and how it got resolved.

Installing FreeIPA server with an external CA is a 2 step process. The first part does some of the installation and then it creates a CSR that is to be retrieved and signed by, in this case, LetsEncrypt. One of the few snares I fell into was that the CN created for the FreeIPA CSR is the string ‚ÄėCertificate Authority‚Äô, where LetsEncrypt was expecting a proper domain.

In order to resolve this I deleted my current instance of FreeIPA sever and reran ipa-server-install again to include the flag --ca-subject "" which allowed FreeIPA to produce a CSR that could be processed by LetsEncrypt.

Thanks again, @_az


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.