Hi! I've been using FreeIPA (installed without CA --no-pkinit) with a Let's Encrypt
certificate. Whenever the certificate gets renewed, I install it with
ipa-server-certinstall for both the LDAP and web server and that has been working just
fine. Recently the root certificate (DST Root CA X3) expired, as mentioned here:
https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/
Now when I try to install the new certificate I get this error:
---
CA certificate CN=DST Root CA X3,O=Digital Signature Trust Co. in
/etc/letsencrypt/live/XXX/cert.pem, /etc/letsencrypt/live/XXX/privkey.pem is not valid:
certutil: certificate is invalid: The certificate issuer's certificate has expired.
Check your system date and time.
The ipa-server-certinstall command failed.
---
I don't understand this error message at all since the `cert.pem` file does not
contain any reference to the X3 CA, so I suppose it must come from somewhere else. Does
someone have an idea how to fix this?
I've already removed the root certificate with ipa-cacert-manage and added the
self-signed X1 root cert, yet the same error message above keeps showing up.