Hi Timo, Georgijs,
In our setup we use Let's Encrypt certificates for HTTPS/LDAPS and the solution was to add the "DST Root CA X3" to the NSS database at "/etc/pki/nssdb". I used the following command to do it:
$ certutil -A -n "DST Root CA X3" -t "C,," -i /etc/ssl/certs/DST_Root_CA_X3.pem -d sql:/etc/pki/nssdb
The strange part of the story is that this is not necessary on Ubuntu 16.04 to have a successful ipa-client-install. Maybe the 4.x version of FreeIPA has different method(s) for CA certificate retrieval or validation.