Thank you very much for everything.
I tried curl, and curl on https:// works; I get an HTML response with the whole body:

<!DOCTYPE html>
<html>
<head>
    <meta charset="utf-8">
    <title>IPA: Identity Policy Audit</title>
    <script type="text/javascript" src="../ui/js/libs/loader.js"></script>
    <script type="text/javascript">
        var dojoConfig = {
            baseUrl: "../ui/js",
            has: {
                'dojo-firebug': false,
                'dojo-debug-messages': true
            },
            parseOnLoad: false,
            async: true,
            packages: [ …………
…..

<div class="container-fluid">
    <div class="row">
    <div class="col-sm-12">
    <div id="unauthorized-msg">
    <noscript>

        <h1>Unable to verify your Kerberos credentials</h1>
        <p>
            Please make sure that you have valid Kerberos tickets (obtainable via <strong>kinit</strong>), and that you have configured your browser correctly.
        </p>

        <h2>Browser configuration</h2>

        <div id="first-time">
            <p>
                If this is your first time, please <a href="ssbrowser.html">configure your browser</a>. …………..

……………

I have no idea. It looks like I will update all these VPSes to Ubuntu 18.04, because everything works there.



On May 20, 2019 at 4:23:56 PM, Rob Crittenden (rcritten@redhat.com) wrote:

Petar Kozić wrote:
> I just tried that:
>
> cp ca.crt /usr/local/share/ca-certificates/
> update-ca-certificates
>
> Updating certificates in /etc/ssl/certs... 1 added, 0 removed; done.
> Running hooks in /etc/ca-certificates/update.d....
> updates of cacerts keystore disabled.
> done.
>
> It looks like it updated something, but again the same error. In the above command I
> copied ca.crt from IPA, if that is what you mean.
> Thank you for your time.

That's about the extent of my Ubuntu knowledge.

It's hard to parse the output. Was that one file added or one
certificate added? LE definitely has a chain.

You should be able to independently confirm that the trust is ok using
something like curl:

$ curl https://ipa.example.com/ipa

If the connection fails then the right LE roots are not available on the
system.

rob

>
> On May 20, 2019 at 4:03:32 PM, Rob Crittenden (rcritten@redhat.com) wrote:
>
>> Petar Kozić via FreeIPA-users wrote:
>> > @Rob, sorry for the duplicate mail, I forgot to reply to all.
>> >
>> >
>> > No, there are X1 and X3. I have the whole chain in ca.crt.
>> >
>> > Where do you think I can install this Let’s Encrypt root on the client
>> > side, because on the server I already have it in the chain?
>> >
>> > On IPA I installed it this way:
>> > https://blog.soholabs.org/lets-encrypt-and-the-freeipa-web-gui/
>>
>> The older ipa-client-install doesn't handle cert chains well. You can try
>> to add the roots to the global trust before running the installer via:
>>
>> $ sudo cp ca.crt /usr/local/share/ca-certificates/
>> $ sudo update-ca-certificates
>>
>> rob
>>
>> >
>> > On May 20, 2019 at 3:28:50 PM, Rob Crittenden (rcritten@redhat.com) wrote:
>> >
>> >> Petar Kozić via FreeIPA-users wrote:
>> >> > Here are the log files. I just want to inform you that I now have that
>> >> > problem also on Ubuntu 14.40 and Debian 8.
>> >> > On Ubuntu the ipa client version is 3.3; maybe the problem is there.
>> >> >
>> >> > In the meantime I enrolled several more Ubuntu 18.04 instances without
>> >> > a problem.
>> >> >
>> >> > On this Debian 8 and Ubuntu 14.40 I just tried with the option --ca-cert-file
>> >> > which I copied from the master, but the same error.
>> >> >
>> >>
>> >> I have no visibility into what CA file you used but you're missing
>> >> either the X3 subca or the X1 root.
>> >>
>> >> You can get them from https://letsencrypt.org/certificates/
>> >>
>> >> Look at the ca.crt you used and see how many certificates are in there.
>> >> I'm assuming there is only one. You can try concatenating the X1 and X3
>> >> certs into that and things should work.
>> >>
>> >> rob
>>
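
The check suggested in the thread ("see how many certificates are in there"), as an added shell example that is not part of the original messages: it counts the PEM blocks in a bundle such as ca.crt, flags a truncated block, and splits the bundle into one file per certificate. The function names, the `ipa-ca` prefix and the sample bundle (placeholder bodies, not real certificates) are constructed for illustration; keeping one certificate per .crt file before running update-ca-certificates is an assumption, not something the thread confirms.

```shell
#!/bin/sh
# Added example: inspect a PEM CA bundle such as the ca.crt discussed above.

# Print how many complete certificates a PEM file holds.
# Returns non-zero when a BEGIN/END marker is unpaired (truncated paste).
count_pem_certs() {
    awk '
        /^-----BEGIN CERTIFICATE-----/ { if (open) bad = 1; open = 1; next }
        /^-----END CERTIFICATE-----/   { if (open) n++; else bad = 1; open = 0; next }
        END { if (open || bad) exit 1; print n + 0 }
    ' "$1"
}

# Write each certificate to its own file: <outdir>/<prefix>-<n>.crt
split_pem_bundle() {
    mkdir -p "$2"
    awk -v out="$2/$3" '
        /^-----BEGIN CERTIFICATE-----/ { n++; file = out "-" n ".crt"; inside = 1 }
        inside { print > file }
        /^-----END CERTIFICATE-----/   { inside = 0; close(file) }
    ' "$1"
}

# Show subject and issuer per split file (needs openssl and real certificates).
describe_certs() {
    for f in "$1"/*.crt; do
        openssl x509 -in "$f" -noout -subject -issuer
    done
}

# Constructed sample bundle: three PEM blocks with placeholder bodies.
make_sample_bundle() {
    for name in server-placeholder X3-placeholder X1-placeholder; do
        printf '%s\n' "# $name (constructed, not a real certificate)" \
            "-----BEGIN CERTIFICATE-----" "Q09OU1RSVUNURUQ=" \
            "-----END CERTIFICATE-----"
    done > "$1"
}

tmp=$(mktemp -d)
make_sample_bundle "$tmp/ca.crt"
echo "certificates in bundle: $(count_pem_certs "$tmp/ca.crt")"
split_pem_bundle "$tmp/ca.crt" "$tmp/split" ipa-ca
ls "$tmp/split"
rm -rf "$tmp"
```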