@Rob, sorry for duplicate mail, I forget to do reply to all


No, there is X1 and X3. I have whole chain in ca.crt

Where you think that I can install this let’s encrypt root on client side, because on server I already have it in chain?

On IPA I installed on this way.
https://blog.soholabs.org/lets-encrypt-and-the-freeipa-web-gui/

On May 20, 2019 at 3:28:50 PM, Rob Crittenden (rcritten@redhat.com) wrote:

Petar Kozić via FreeIPA-users wrote:
> Here is the log files. I just want to inform you that I have that
> problem now also on Ubuntu 14.40 and Debian 8.
> On Ubuntu ipa client version is 3.3, maybe problem is there.
>
> In mean time I enrolled several more Ubuntu 18.04 instances without
> problem. 
>
> On this Debian 8 and Ubuntu 14.40 I just try with options —ca-cert-file
> which I copied from master but same error.
>

I have no visibility into what CA file you used but you're missing
either the X3 subca or the X1 root.

You can get them from https://letsencrypt.org/certificates/

Look at the ca.crt you used and see how many certificates are in there.
I'm assuming there is only one. You can try concatenating the X1 and X3
certs into that and things should work.

rob