Comment 6 for bug 1635568

Chris Gacsal (chris-gacsal) wrote :

Hi Timo, Georgijs,

In our setup we use Let's Encrypt certificates for HTTPS/LDAPS and the solution was to add the "DST Root CA X3" to the NSS database at "/etc/pki/nssdb". I used the following command to do it:

$ certutil -A -n "DST Root CA X3" -t "C,," -i /etc/ssl/certs/DST_Root_CA_X3.pem -d sql:/etc/pki/nssdb

The strange part of the story is that this is not necessary on Ubuntu 16.04 to have a successful ipa-client-install. Maybe the 4.x version of FreeIPA has different method(s) for CA certificate retrieval or validation.
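
An added example, not part of the original comment or of FreeIPA: a check-then-add wrapper around the command above that reads the trust flags from `certutil -L` and imports the CA only if it is not already trusted for TLS server certificates. The function names, the `--apply` switch and the sample listing are assumptions made for illustration; the nickname, PEM path and database path are the ones from the comment.

```bash
#!/usr/bin/env bash
# Added example: import the CA only if the NSS database does not already
# trust it for TLS server certificates. Pass --apply to act on the real DB.
NICK="DST Root CA X3"                      # values taken from the comment
PEM="/etc/ssl/certs/DST_Root_CA_X3.pem"
DB="sql:/etc/pki/nssdb"

# Constructed sample of `certutil -L` output; "Example Internal CA" is made up.
sample_listing() {
    cat <<'EOF'

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Example Internal CA                                          ,,
DST Root CA X3                                               C,,
EOF
}

# Read `certutil -L` output on stdin and print the trust attributes of
# nickname $1 (nicknames may contain spaces); print nothing if it is absent.
nss_trust_flags() {
    awk -v nick="$1" '{
        line = $0
        sub(/[ \t]+$/, "", line)               # drop trailing whitespace
        n = match(line, /[ \t]+[^ \t]+$/)      # gap before the last column
        if (n == 0) next
        flags = substr(line, n)
        gsub(/^[ \t]+/, "", flags)
        if (substr(line, 1, n - 1) == nick) { print flags; exit }
    }'
}

# Succeed if the first (SSL) trust field contains C, i.e. the certificate
# is a trusted CA for issuing server certificates.
is_ssl_trusted_ca() {
    case "${1%%,*}" in *C*) return 0 ;; *) return 1 ;; esac
}

ensure_ca() {
    local flags
    flags=$(certutil -L -d "$DB" | nss_trust_flags "$NICK")
    if is_ssl_trusted_ca "$flags"; then
        echo "already trusted: $NICK ($flags)"
    else
        certutil -A -n "$NICK" -t "C,," -i "$PEM" -d "$DB"
    fi
}

if [ "${1:-}" = "--apply" ]; then ensure_ca; fi
```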