freeipa / freeipa-letsencrypt

A quick hack allowing the use of Let's Encrypt certificates for the FreeIPA web interface.

CA Certs included are Expired #50

Open KodirovR opened 2 months ago

KodirovR commented 2 months ago

I have a similar issue to the one described here https://github.com/freeipa/freeipa-letsencrypt/issues/25, and made all the steps that were provided to resolve it, but in the end I get this error after disabling the SSL check:

ipa-certupdate

Connect error: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (certificate has expired)
The ipa-certupdate command failed.

ipa --version
VERSION: 4.9.13, API_VERSION: 2.251

in the Dockerfile with image CentOS-8-stream

samuelemusiani commented 1 month ago

Same, and I've no idea how to solve that. Did you manage to get it working?

rcritten commented 1 month ago

The quickest fix would be to go back in time to when the certificates were still valid. ipactl restart.

Then try this patch https://github.com/freeipa/freeipa-letsencrypt/pull/49

samuelemusiani commented 1 month ago

I tried to re-run the scripts using the new script in #49, but it did not resolve the issue. I didn't try to go back in time.

But I found a solution! IPA didn't have the full certificate chain for Let's Encrypt, so even though the browser was connecting correctly to the web UI, the curl command was failing. My solution was to add the R10 and R11 certificates to the /etc/ipa/ca.crt file and restart httpd. After that everything started working correctly again.

Hope it could be helpful to someone.
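The fix in the comment above is "append the missing Let's Encrypt intermediates to /etc/ipa/ca.crt". Done by hand with `cat >>` it is easy to append the same certificate twice on every renewal, or to forget one. The script below is an added example (not code from this repository or from the commenters) that merges a file of intermediate certificates into a PEM bundle idempotently, keyed on the SHA-256 fingerprint of each certificate's DER body, and reports which required fingerprints a bundle still lacks. The certificate contents in it are constructed placeholders wrapped in a PEM envelope so the bundle logic runs offline; they are not real R10/R11 or FreeIPA CA certificates, and the file paths in the usage note are the ones named in the thread, not something this script reads by default.

```python
"""Idempotently add intermediate CA certificates to a PEM bundle such as
/etc/ipa/ca.crt, deduplicating by SHA-256 fingerprint of the DER body.

Added example. The certificates below are CONSTRUCTED placeholders,
not real Let's Encrypt or FreeIPA certificates.
"""
from __future__ import annotations

import base64
import hashlib
import re

# One PEM certificate block; re.S lets the base64 body span several lines.
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def _wrap_pem(b64: str) -> str:
    """Re-emit a base64 body as a canonical 64-column PEM block."""
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def pem_blocks(text: str) -> list:
    """Return (canonical_pem, der_bytes) for every certificate in a bundle."""
    blocks = []
    for m in PEM_RE.finditer(text):
        b64 = "".join(m.group(1).split())           # drop line breaks inside the body
        der = base64.b64decode(b64, validate=True)  # raises on a corrupt block
        blocks.append((_wrap_pem(b64), der))
    return blocks


def fingerprint(der: bytes) -> str:
    """Lowercase hex SHA-256 over the DER bytes (what `openssl x509
    -fingerprint -sha256` prints, minus the colons and upper case)."""
    return hashlib.sha256(der).hexdigest()


def missing_fingerprints(bundle_text: str, required: list) -> list:
    """Which of the required fingerprints are absent from the bundle?"""
    have = {fingerprint(der) for _, der in pem_blocks(bundle_text)}
    return [fp for fp in required if fp not in have]


def merge_bundle(bundle_text: str, intermediates_text: str) -> tuple:
    """Append every certificate from intermediates_text that the bundle lacks.

    Returns (new_bundle_text, fingerprints_added). A second run adds nothing,
    so it is safe to re-run after every renewal.
    """
    have = {fingerprint(der) for _, der in pem_blocks(bundle_text)}
    out = bundle_text
    if out and not out.endswith("\n"):
        out += "\n"
    added = []
    for pem, der in pem_blocks(intermediates_text):
        fp = fingerprint(der)
        if fp in have:
            continue          # already present: skip, do not duplicate
        have.add(fp)
        added.append(fp)
        out += pem
    return out, added


# ---- constructed sample data (NOT real certificates) ----------------------
def fake_cert(label: bytes) -> str:
    """Wrap arbitrary bytes in a PEM envelope so the logic can run offline."""
    return _wrap_pem(base64.b64encode(label).decode("ascii"))


SAMPLE_BUNDLE = fake_cert(b"placeholder: FreeIPA CA")   # stands in for /etc/ipa/ca.crt
SAMPLE_INTERMEDIATES = (                                 # stands in for the R10 + R11 PEMs
    fake_cert(b"placeholder: R10") + fake_cert(b"placeholder: R11")
)


if __name__ == "__main__":
    merged, added = merge_bundle(SAMPLE_BUNDLE, SAMPLE_INTERMEDIATES)
    print(f"added {len(added)} certificate(s); bundle now holds {len(pem_blocks(merged))}")
    _, added_again = merge_bundle(merged, SAMPLE_INTERMEDIATES)
    print(f"second run added {len(added_again)} (idempotent)")
```

On a real server you would read /etc/ipa/ca.crt and the intermediate PEM file into `merge_bundle`, write the result back, and restart httpd as the comment describes. The fingerprints to pass to `missing_fingerprints` come from `openssl x509 -noout -fingerprint -sha256 -in <intermediate.pem>` on the certificates you obtained from Let's Encrypt, never from a hard-coded list in a script, since the chain in use changes over time (the R10/R11 names in the thread are an example of exactly that).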