
Cannot install LetsEncryptAuthorityX3 certificate #1

Closed
JoyceBabu opened this issue Oct 24, 2016 · 6 comments · Fixed by #3

Comments

@JoyceBabu

JoyceBabu commented Oct 24, 2016

I have a FreeIPA docker container based on adelton/freeipa-server. When I run the setup-le.sh script, I get a SEC_ERROR_UNKNOWN_ISSUER error.

[root@freeipa ipa-le]# ipa-cacert-manage install /root/ipa-le/ca/LetsEncryptAuthorityX3.pem -n letsencryptx3 -t C,,
Installing CA certificate, please wait
Not a valid CA certificate: (SEC_ERROR_UNKNOWN_ISSUER) Peer's Certificate issuer is not recognized. (visit http://www.freeipa.org/page/Troubleshooting for troubleshooting guide)
The ipa-cacert-manage command failed.

According to the LetsEncrypt Chain of Trust, LetsEncryptAuthorityX3 is not cross-signed by ISRG Root X1.


So I tried installing the (IdenTrust) DST Root CA X3. Now I am getting a SEC_ERROR_UNTRUSTED_ISSUER error.

[root@freeipa ipa-le]# ipa-cacert-manage install /root/ipa-le/ca/DSTRootCAX3.pem -n DSTRootCAX3 -t ,,
Installing CA certificate, please wait
CA certificate successfully installed
The ipa-cacert-manage command was successful
[root@freeipa ipa-le]# ipa-cacert-manage install /root/ipa-le/ca/LetsEncryptAuthorityX3.pem -n letsencryptx3 -t C,,
Installing CA certificate, please wait
Not a valid CA certificate: (SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted by the user. (visit http://www.freeipa.org/page/Troubleshooting for troubleshooting guide)
The ipa-cacert-manage command failed.
JoyceBabu changed the title from "Not working with docker image" to "Cannot install LetsEncryptAuthorityX3" Oct 24, 2016
JoyceBabu changed the title from "Cannot install LetsEncryptAuthorityX3" to "Cannot install LetsEncryptAuthorityX3 certificate" Oct 24, 2016
@regnauld
Contributor

Having this problem as well - plain IPA install on standard VM (not containers), CentOS 7, IPA 4.2.0

@tkrizek
Contributor

tkrizek commented Nov 29, 2016

I'm also able to reproduce this issue. This is caused by an incorrect root cert being installed and by incorrect trust flags on the certificate.

tkrizek pushed a commit to tkrizek/freeipa-letsencrypt that referenced this issue Nov 29, 2016
The certificates in the repo are signed by DST Root CA X3, not
ISRG Root X1. This would cause issues with unknown issuer. Install
DST Root CA X3 instead of ISRG Root X1 into nssdb to resolve this.

The DST Root CA X3 also has to be marked as trusted CA in order
for the verification of certutil to pass.

Fixes freeipa#1
@tkrizek
Contributor

tkrizek commented Nov 29, 2016

PR #3 fixes this issue. Please note that if you previously installed DSTRootCAX3 you will most likely need to reinstall IPA before the fix will work for you.

pspacek pushed a commit that referenced this issue Nov 29, 2016
The certificates in the repo are signed by DST Root CA X3, not
ISRG Root X1. This would cause issues with unknown issuer. Install
DST Root CA X3 instead of ISRG Root X1 into nssdb to resolve this.

The DST Root CA X3 also has to be marked as trusted CA in order
for the verification of certutil to pass.

Fixes #1
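To see the chain-of-trust failure from the commit message with standard tooling, here is an added example (not code from the issue or the freeipa-letsencrypt project) that builds a constructed CA hierarchy with openssl; rootA, rootB and inter are assumed names standing in for DST Root CA X3, ISRG Root X1 and Let's Encrypt Authority X3, and the check functions decide which root actually belongs in the trust store.

```shell
#!/bin/sh
# Added example, not code from the issue or the freeipa-letsencrypt repo. It rebuilds the
# failure described in the thread with openssl on a constructed CA hierarchy:
#   rootA  stands in for DST Root CA X3  (the root that actually signed the intermediate)
#   rootB  stands in for ISRG Root X1    (a root that did not sign it)
#   inter  stands in for Let's Encrypt Authority X3
# Installing rootB as the trust anchor gives "unknown issuer"; only rootA verifies.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
# CA extensions shared by the roots and the intermediate
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"

mk_key_and_csr() {  # $1 = file prefix, $2 = CN
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
    -out "$WORK/$1.csr" -subj "/CN=$2" 2>/dev/null
}
mk_root() {         # $1 = file prefix, $2 = CN; self-signed CA certificate
  mk_key_and_csr "$1" "$2"
  openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" -days 30 \
    -extfile "$WORK/ca.ext" -out "$WORK/$1.pem" 2>/dev/null
}
mk_root rootA "Constructed Root A"
mk_root rootB "Constructed Root B"
# intermediate CA, signed by rootA only
mk_key_and_csr inter "Constructed Intermediate"
openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/rootA.pem" -CAkey "$WORK/rootA.key" \
  -CAcreateserial -days 30 -extfile "$WORK/ca.ext" -out "$WORK/inter.pem" 2>/dev/null

# The check to run before installing a root: does the intermediate's issuer DN
# equal this root's subject DN?  (exit status 0 = yes)
issuer_matches() {  # $1 = root prefix
  iss=$(openssl x509 -noout -issuer  -nameopt RFC2253 -in "$WORK/inter.pem" | sed 's/^issuer=//')
  sub=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$WORK/$1.pem"  | sed 's/^subject=//')
  [ "$iss" = "$sub" ]
}
# Full path validation with the given root as the only trust anchor (0 = chain verifies).
# This is the openssl counterpart of the check ipa-cacert-manage/certutil runs against nssdb.
verify_against() {  # $1 = root prefix
  openssl verify -CAfile "$WORK/$1.pem" "$WORK/inter.pem" >/dev/null 2>&1
}
```

The second error in the thread (SEC_ERROR_UNTRUSTED_ISSUER) is the nssdb-side step this example cannot show: the right root is present but was installed with `-t ,,` instead of `-t C,,`, so certutil does not treat it as a trusted CA.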
@JoyceBabu
Author

JoyceBabu commented Dec 1, 2016

It worked, thank you.

If anyone wants to use dns-01 validation with Route53, you can use the certbot-route53 plugin

dnf install -y git gcc libffi-devel redhat-rpm-config python-devel openssl-devel
pip install -U certbot-route53

Then modify renew-le.sh with

# existing line in renew-le.sh:
letsencrypt certonly --standalone --csr "$WORKDIR/httpd-csr.der" --email "$EMAIL" --agree-tos
# replaced by:
DOMAIN="yourdomain.com"
certbot certonly --csr "$WORKDIR/httpd-csr.der" --email "$EMAIL" --agree-tos -d "$DOMAIN" -a certbot-route53:auth

@jokogr

jokogr commented Jun 25, 2017

@tomaskrizek I had previously installed DSTRootCAX3, so I have to reinstall IPA.

  1. Am I going to lose the data if I reinstall it?
  2. Any idea what the installation command would be? I am guessing it is going to be a CA-less installation, so I wonder what to include for CA, SSL certificate etc.

foood mentioned this issue Oct 3, 2017
@ahharu

ahharu commented Oct 31, 2017

I stumbled on this today... any clue?
