Open matthewprobasco opened 2 months ago
Hi, freeipa appears to be relying on knowing intermediates. Instead you should implicitly trust valid intermediates signed by a trusted root. If you need to know intermediates ahead of time things will fail, as intermediates can change overnight.
Intermediates exist as temporary issuers so that the CA doesn't have their root directly signing stuff all the time.
https://community.letsencrypt.org/t/freeipa-doesnt-see-the-full-certificate-chain-when-cn-e6/220278
Hi, I tried the script in #49, but still get the same error for the ipa-certupdate command in the script:
cannot connect to 'https://ipa1.example.com/ipa/json': [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:997)
All intermediate certificates have been installed.
Same here. Most tools return SSL related errors now:
ERROR: cannot connect to 'https://my.domain.tld/ipa/json': [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1133)
Try adding the certificates manually to temporarily resolve the issues, see https://github.com/freeipa/freeipa-letsencrypt/issues/50
Then apply the patch in https://github.com/freeipa/freeipa-letsencrypt/pull/49 and run that.
Thanks, that worked! :)
As of June 6 2024 Let's Encrypt added new CAs for issuing certs. As such, the setup script is not adding all intermediate CAs from which certificates may be issued. https://letsencrypt.org/certificates/.
This is required or else there will be errors such as: "SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1129)')))" and "HTTPSConnectionPool(host='ldap01.idm.nerotechsolutions.com', port=443): Max retries exceeded with url: /ipa/session/cookie (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1129)')))"
In addition, the web service doesn't send the full CA chain, so the cert is untrusted.