@daryltucker
Last active February 26, 2021 21:43
Add LetsEncrypt chains to FreeIPA for transition to proper CA (Feb 2021)
# Add LetsEncrypt chains to FreeIPA for transition to proper CA (Feb 2021)
# > The full certificate chain is not present in /etc/letsencrypt/live/${DOMAIN}/privkey.pem ...
# > The ipa-server-certinstall command failed.
# Grab Certificates from Let's Encrypt ( https://letsencrypt.org/certificates/ )
cd /tmp/
wget https://letsencrypt.org/certs/isrgrootx1.pem
wget https://letsencrypt.org/certs/letsencryptauthorityx3.pem
wget https://letsencrypt.org/certs/trustid-x3-root.pem
wget https://letsencrypt.org/certs/lets-encrypt-r3-cross-signed.pem
wget https://letsencrypt.org/certs/isrg-root-x1-cross-signed.pem
wget https://letsencrypt.org/certs/lets-encrypt-r3.pem
# Add Certificates to FreeIPA CA
# -n sets the NSS nickname; -t C,, marks the cert as a CA trusted to issue
# server (SSL) certificates, with no trust for email or object signing.
ipa-cacert-manage install isrgrootx1.pem -n ISRGRootCAX1 -t C,,
# Let's Encrypt Authority X3 is an intermediate, not an ISRG root; name it accordingly.
ipa-cacert-manage install letsencryptauthorityx3.pem -n LetsEncryptAuthorityX3 -t C,,
ipa-cacert-manage install trustid-x3-root.pem -n TrustIDCAX3 -t C,,
ipa-cacert-manage install lets-encrypt-r3-cross-signed.pem -n LetsEncryptCAR3-cross -t C,,
ipa-cacert-manage install isrg-root-x1-cross-signed.pem -n ISRGRootCAX1-cross -t C,,
ipa-cacert-manage install lets-encrypt-r3.pem -n LetsEncryptCAR3 -t C,,
ipa-certupdate -v
# Add new domain LetsEncrypt Certificate
DOMAIN=sub.domain.tld
DIRMAN_PASSWORD=   # Directory Manager password (fill in; keep this file out of version control)
KEY_PASSWORD=      # password protecting privkey.pem, if any
# -w installs the certificate for the HTTP server, -d for the Directory Server
ipa-server-certinstall -w -d \
    /etc/letsencrypt/live/${DOMAIN}/fullchain.pem \
    /etc/letsencrypt/live/${DOMAIN}/privkey.pem \
    --dirman-password="${DIRMAN_PASSWORD}" --pin="${KEY_PASSWORD}"
ipactl restart
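As an added pre-flight check (not part of the gist), this POSIX shell function confirms that every CA certificate in fullchain.pem is already among the PEM files installed with ipa-cacert-manage, which is the condition behind the "full certificate chain is not present" error quoted above. The paths in the usage comment are the ones from this gist; the function names are assumptions.

```shell
#!/bin/sh
# Pre-flight check for the "full certificate chain is not present" failure:
# every CA certificate in fullchain.pem (every block after the leaf) must
# already be among the PEM files installed with ipa-cacert-manage. Certificates
# are compared by their base64 body with line wrapping removed, so the same
# certificate wrapped at different widths still matches.

# Print the base64 body of each certificate in a PEM file, one body per line.
cert_bodies() {
    awk '/-----BEGIN CERTIFICATE-----/ { inblk = 1; body = ""; next }
         /-----END CERTIFICATE-----/   { inblk = 0; print body; next }
         inblk                         { body = body $0 }' "$1"
}

# Usage: missing_chain_certs FULLCHAIN.pem CA1.pem [CA2.pem ...]
# Reports each chain certificate that is not installed; returns 0 only if none are missing.
missing_chain_certs() {
    fullchain=$1
    shift
    [ -r "$fullchain" ] || { echo "cannot read $fullchain" >&2; return 2; }
    installed=$(for f in "$@"; do cert_bodies "$f"; done)
    pos=0
    missing=0
    for body in $(cert_bodies "$fullchain"); do
        pos=$((pos + 1))
        # Block 1 is the server certificate itself; it is never pre-installed.
        [ "$pos" -eq 1 ] && continue
        if ! printf '%s\n' "$installed" | grep -qxF "$body"; then
            echo "chain certificate #$pos of $fullchain is not installed in the CA store"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# Example invocation with the files from this gist (run on the IPA server):
#   missing_chain_certs /etc/letsencrypt/live/sub.domain.tld/fullchain.pem \
#       /tmp/lets-encrypt-r3.pem /tmp/isrgrootx1.pem && ipa-server-certinstall ...
if [ "$#" -ge 2 ]; then
    missing_chain_certs "$@"
fi
```

Run it before ipa-server-certinstall; a non-zero exit means one of the intermediates in fullchain.pem still has to be added with ipa-cacert-manage install.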