LetsEncrypt added new CA's, setup script is broken. #48
Comments
reverted since the setup script will add the full chain as expected. Closes freeipa#48
Signed-off-by: Matthew Probasco <[email protected]>
Hi, freeipa appears to be relying on knowing intermediates. Instead you should implicitly trust valid intermediates signed by a trusted root. If you need to know intermediates ahead of time things will fail, as intermediates can change overnight. Intermediates exist as temporary issuers so that the CA doesn't have their root directly signing stuff all the time. https://community.letsencrypt.org/t/freeipa-doesnt-see-the-full-certificate-chain-when-cn-e6/220278
Hi, I tried the script in #49, but still get the same error for
Same here.
Thanks, that worked! :)
As of June 6 2024 Let's Encrypt added new CAs for issuing certs. As such, the setup script is not adding all intermediate CAs from which certificates may be issued. https://letsencrypt.org/certificates/.
This is required or else there will be an error of:
"SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1129)')))"
and
"HTTPSConnectionPool(host='ldap01.idm.nerotechsolutions.com', port=443): Max retries exceeded with url: /ipa/session/cookie (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1129)')))"
In addition, the web service doesn't send the full CA chain, so the cert is untrusted.
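The failure described in this issue, and the point made in the comment about trusting intermediates signed by a trusted root, can be reproduced offline with a throwaway chain. The script below is an added example, not the freeipa setup script or any code from the project. It builds a constructed root, intermediate and leaf with openssl (the names Example Root CA, Example Intermediate and ldap.example.test are made up), then runs `openssl verify` three ways: root only with nothing else available (the "unable to get local issuer certificate" case from the error above), root only with the intermediate supplied as an untrusted cert (what happens when the server sends its full chain), and a root-plus-intermediate bundle (what a setup script that adds all current intermediates produces). The `served_chain_count` function is the live diagnostic for the "web service doesn't send the full CA chain" symptom; it needs network access and is not exercised here.

```shell
#!/bin/sh
# Added example, not part of the freeipa project or its setup script.
# Builds a throwaway root -> intermediate -> leaf chain (all names constructed)
# and shows why verification fails with "unable to get local issuer certificate"
# when the intermediate is neither served by the peer nor in the trust bundle.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal req config so the example does not depend on the system openssl.cnf.
# -subj on the command line overrides the placeholder CN.
write_req_config() {
    cat > "$WORK/req.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:ldap.example.test\n' > "$WORK/leaf.ext"
}

# Constructed three-tier chain: root signs intermediate, intermediate signs leaf.
make_test_chain() {
    openssl req -x509 -config "$WORK/req.cnf" -subj '/CN=Example Root CA' \
        -newkey rsa:2048 -nodes -days 1 -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
    openssl req -new -config "$WORK/req.cnf" -subj '/CN=Example Intermediate' \
        -newkey rsa:2048 -nodes -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
        -CAcreateserial -extfile "$WORK/ca.ext" -out "$WORK/int.pem" 2>/dev/null
    openssl req -new -config "$WORK/req.cnf" -subj '/CN=ldap.example.test' \
        -newkey rsa:2048 -nodes -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
        -CAcreateserial -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" 2>/dev/null
    # What a fixed setup script installs: the root plus every current intermediate.
    cat "$WORK/root.pem" "$WORK/int.pem" > "$WORK/bundle.pem"
}

# chain_status LEAF TRUSTED [UNTRUSTED]
# TRUSTED is the CA bundle the client trusts; UNTRUSTED plays the role of the
# certificates a server sends alongside its leaf during the TLS handshake.
# Prints OK, MISSING_ISSUER, or FAIL followed by openssl's own message.
chain_status() {
    if [ -n "${3:-}" ]; then
        out=$(openssl verify -CAfile "$2" -untrusted "$3" "$1" 2>&1) || true
    else
        out=$(openssl verify -CAfile "$2" "$1" 2>&1) || true
    fi
    case "$out" in
        *"unable to get local issuer certificate"*) echo "MISSING_ISSUER" ;;
        *": OK"*) echo "OK" ;;
        *) echo "FAIL: $out" ;;
    esac
}

# Live diagnostic for the "server does not send the full chain" symptom:
# count the certificates the peer actually presents (needs network, not run here).
served_chain_count() {
    openssl s_client -showcerts -servername "$1" -connect "$1:443" </dev/null 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE' || true
}

write_req_config
make_test_chain
printf 'root only, nothing served:            %s\n' "$(chain_status "$WORK/leaf.pem" "$WORK/root.pem")"
printf 'root only, intermediate served:       %s\n' "$(chain_status "$WORK/leaf.pem" "$WORK/root.pem" "$WORK/int.pem")"
printf 'root+intermediate bundle, no serving: %s\n' "$(chain_status "$WORK/leaf.pem" "$WORK/bundle.pem")"
```

The first line reports MISSING_ISSUER, the other two OK. Either remedy closes the gap: a server that sends its intermediates lets any client with only the root succeed, while a client-side bundle that already carries the current intermediates copes with a server that serves only its leaf. Because Let's Encrypt rotates intermediates, a bundle-only approach has to be refreshed each time new issuing CAs appear, which is exactly the maintenance burden this issue hit.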