antevens / letsencrypt-freeipa

Scripts to automate installation, configuration and renewal of LetsEncrypt certificates on FreeIPA Servers.
MIT License

'ipa-server-certinstall -w -d fullchain.pem privkey.pem' throwing error #21

Open toxynoid opened 3 years ago

toxynoid commented 3 years ago

With 'ipa-server-certinstall -w -d fullchain.pem privkey.pem' I've got the following error: "The full certificate chain is not present in fullchain.pem, privkey.pem". I instead had success with 'ipa-server-certinstall -w -d cert.pem privkey.pem'. I'm not sure if my fullchain.pem is broken or if there have been recent changes in certbot.

antevens commented 3 years ago

This is due to the recent changes in the intermediate authority and the change to using their own root cert; thanks for the bug report.

dilruacs commented 3 years ago

Thank you for acknowledging the problem, but how do we solve this?

antevens commented 3 years ago

The workaround is posted above, just use the cert instead of the chain.

dilruacs commented 3 years ago

Thank you, sorry for not reading the report well enough :blush:

Edit to add: I am running renew.sh from cron, I suppose this needs to be changed also.

grossws commented 3 years ago

Workaround from issue itself didn't work for me.

From what I found, new Let's Encrypt certs are signed with CN=R3, but chain.pem/fullchain.pem in my case contained only the CN=X3 intermediate cert.

When I update with privkey.pem cert.pem lets-encrypt-r3.pem, all seems OK.

UPD: I had to add the dst-root-x3 root CA since I had le-r3 signed with that CA.