
'ipa-server-certinstall -w -d fullchain.pem privkey.pem' throwing error

Open toxynoid opened this issue 4 years ago • 5 comments

With ipa-server-certinstall -w -d fullchain.pem privkey.pem I've got the following error:

The full certificate chain is not present in fullchain.pem, privkey.pem

I instead had success with ipa-server-certinstall -w -d cert.pem privkey.pem

I'm not sure if my fullchain.pem is broken or if there have been recent changes in certbot.

toxynoid avatar Jan 03 '21 13:01 toxynoid

This is due to the recent changes in the intermediate authority and the change to using their own root cert, thx for the bug report.

antevens avatar Jan 05 '21 01:01 antevens

Thank you for acknowledging the problem, but how do we solve this?

dilruacs avatar Jan 05 '21 19:01 dilruacs

The workaround is posted above, just use the cert instead of the chain.

antevens avatar Jan 05 '21 19:01 antevens

Thank you, sorry for not reading the report well enough :blush:

Edit to add: I am running renew.sh from cron, I suppose this needs to be changed also.

dilruacs avatar Jan 05 '21 20:01 dilruacs

The workaround from the issue itself didn't work for me.

From what I found, new Let's Encrypt certs are signed with CN=R3, but chain.pem/fullchain.pem in my case contained only the CN=X3 intermediate cert.

When I update with privkey.pem cert.pem lets-encrypt-r3.pem all seems ok.

UPD: I had to add dst-root-x3 root ca since I had le-r3 signed with that CA.

grossws avatar Jan 28 '21 23:01 grossws
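
The gap described in this thread (a leaf issued by R3 while the chain file holds only X3, or an intermediate present without its root) can be checked before running ipa-server-certinstall. The script below is an added example, not part of the thread or of letsencrypt-freeipa: it follows issuer-to-subject links by OpenSSL name hash and names the first missing certificate. The function names are hypothetical; it looks only at the files passed to it (not at CAs FreeIPA already trusts) and compares names, not signatures.

```bash
#!/usr/bin/env bash
# Added example, not part of letsencrypt-freeipa. Requires openssl, awk and tr.

# Print "subject_hash issuer_hash issuer=<DN>" for each certificate in the PEM files.
cert_links() {
    for f in "$@"; do
        awk '
            /-----BEGIN CERTIFICATE-----/ { pem = "" }
            { pem = pem $0 "\n" }
            /-----END CERTIFICATE-----/ {
                cmd = "openssl x509 -noout -subject_hash -issuer_hash -issuer | tr \"\\n\" \" \"; echo"
                printf "%s", pem | cmd
                close(cmd)
            }' "$f"
    done
}

# check_chain LEAF PEM_FILE...
# Follows issuer -> subject links from LEAF through the certificates in PEM_FILE...
# Returns 0 on reaching a self-signed root, 1 (naming the gap) when a link is missing.
check_chain() {
    leaf=$1; shift
    links=$(cert_links "$@")
    want=$(openssl x509 -in "$leaf" -noout -issuer_hash) || return 2
    name=$(openssl x509 -in "$leaf" -noout -issuer)
    depth=0
    while [ "$depth" -lt 10 ]; do          # bound the walk in case of a loop
        # Appending "" forces a string compare; hashes such as 0e123456 look numeric to awk.
        line=$(printf '%s\n' "$links" | awk -v h="$want" '$1 "" == h "" { print; exit }')
        if [ -z "$line" ]; then
            echo "missing certificate for $name (name hash $want)"
            return 1
        fi
        read -r sub next name <<EOF
$line
EOF
        if [ "$next" = "$want" ]; then     # issuer == subject: self-signed root
            return 0
        fi
        want=$next
        depth=$((depth + 1))
    done
    echo "no self-signed root within 10 links"
    return 1
}
```

Call it as `check_chain cert.pem chain.pem`, adding any extra intermediate or root files as further arguments; a non-zero status means the set of files passed is incomplete.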