webprofusion-chrisc
commented
2 months ago Hi, freeipa appears to be relying on knowing intermediates. Instead you should implicitly trust valid intermediates signed by a trusted root. If you need to know intermediates ahead of time things will fail, as intermediates can change overnight.
Intermediates exist as temporary issuers so that the CA doesn't have their root directly signing stuff all the time.
https://community.letsencrypt.org/t/freeipa-doesnt-see-the-full-certificate-chain-when-cn-e6/220278
JavadHosseini
kimdre
rcritten
As of June 6 2024 Let's Encrypt added new CA's for issuing certs. As such, the setup script is not adding all intermediate CA's which certificates may be issued. https://letsencrypt.org/certificates/.
This is required or else there will be error of: "SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1129)')))" and "HTTPSConnectionPool(host='ldap01.idm.nerotechsolutions.com', port=443): Max retries exceeded with url: /ipa/session/cookie (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1129)')))"
In addition, the web service doesnt send the full CA Chain, so the cert is untrusted.