#8340 Replace Existing CA and Intermediates by New ones
Closed: fixed 3 years ago by alejandrot. Opened 3 years ago by alejandrot.

Issue

We have been using FreeIPA for years with our corporate wildcard certificate. Unfortunately, one of our intermediate CAs expired yesterday, May 30 2020, and we are no longer able to log in: https://support.sectigo.com/articles/Knowledge/Sectigo-AddTrust-External-CA-Root-Expiring-May-30-2020

ipa: INFO: 401 Unauthorized: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:618)
[:error] [pid 2041] SSL Library Error: -12269 The server has rejected your certificate as expired
# openssl s_client -showcerts -verify 5 -connect ldap.example.com:443
verify depth is 5
CONNECTED(00000003)
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify error:num=10:certificate has expired
notAfter=May 30 10:48:38 2020 GMT
verify return:1
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
notAfter=May 30 10:48:38 2020 GMT
verify return:1
depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
verify error:num=10:certificate has expired
notAfter=May 30 10:48:38 2020 GMT
verify return:1
depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
notAfter=May 30 10:48:38 2020 GMT
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
notAfter=Dec 31 23:59:59 2030 GMT
verify return:1
depth=0 OU = Domain Control Validated, OU = EssentialSSL Wildcard, CN = *.example.com
notAfter=Sep 16 23:59:59 2021 GMT
verify return:1

This is how I installed my current certificates:

# echo "passw0rd" | kinit admin

# ipa-cacert-manage -p "passw0rd" -n OLDCA -t C,, install OLDCA.crt

# ipa-cacert-manage -p "passw0rd" -n OLD-Intermediate -t C,, install OLD-Intermediate.crt

# ipa-certupdate

# ipa-server-certinstall -w -d star.example.com.key star.example.com.crt --pin="passw0rd" --dirman-password="passw0rd" 

# ipa-cacert-manage  list
EXAMPLE.COM IPA CA
OLDCA
OLD-Intermediate
The ipa-cacert-manage command was successful

What I'm trying to do is replace the expired CA chain with a new chain that I tested and that works on a new dev server.

When I try to install the new CA and intermediate it doesn't work. I tried:

# echo "passw0rd" | kinit admin

# ipa-cacert-manage -p "passw0rd" -n OLDCA -t C,, install NEWCA.crt
Installing CA certificate, please wait
Command '/usr/bin/certutil -d dbm:/tmp/tmp5bl9pz -A -n OLDCA -t C,, -a -f /tmp/tmp5bl9pz/pwdfile.txt' returned non-zero exit status 255
The ipa-cacert-manage command failed.

I imagine this is because the OLDCA nickname is already in use, so I tried changing the nickname to NEWCA. That seems to work, but when I run 'ipa-certupdate' I don't see it in the output of 'ipa-cacert-manage list'.

Is this the expected behaviour? Am I missing something?

Steps to Reproduce

  1. Install FreeIPA with a CA and Intermediate
  2. Try to replace the original CA and intermediate with a new chain

Actual behavior

CA chain doesn't get updated

Expected behavior

CA chain gets updated with the new one

Version/Release/Distribution

ipa-server-4.6.6-11.el7.centos.x86_64
ipa-client-4.6.6-11.el7.centos.x86_64
389-ds-base-1.3.10.1-9.el7_8.x86_64
pki-ca-10.5.17-6.el7.noarch
krb5-server-1.15.1-46.el7.x86_64

CentOS Linux release 7.8.2003

Additional info:

Any additional information, configuration, data or log snippets that is needed for reproduction or investigation of the issue.

Log file locations: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/config-files-logs.html
Troubleshooting guide: https://www.freeipa.org/page/Troubleshooting
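As an added example (not from the ticket, and not FreeIPA code), the following shell pre-flight applies the same two checks the openssl s_client output above performs, expiry of every certificate in the chain and whether the leaf really chains to the root, to the replacement files before they are handed to ipa-cacert-manage install and ipa-server-certinstall. The PKI it generates (a root, an intermediate, a *.example.com leaf and an unrelated second root) is constructed test data; the function names chain_not_expiring, chain_verifies and mkpki are mine. In real use, point the two check functions at NEWCA.crt, NEW-Intermediate.crt and star.example.com.crt.

```shell
#!/bin/sh
# Added example, not part of the ticket or of FreeIPA: pre-flight checks
# for a replacement CA chain before it is handed to ipa-cacert-manage.
# The PKI generated below (root -> intermediate -> *.example.com leaf,
# plus an unrelated "other" root) is constructed test data only; in real
# use point the two check functions at NEWCA.crt, NEW-Intermediate.crt
# and star.example.com.crt.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Return 0 if every certificate file given after the first argument is
# still valid for at least $1 more seconds; otherwise print the
# offenders with their notAfter and return 1. Run this with a window of
# a few weeks and an expiring cross-signed intermediate is caught early.
chain_not_expiring() {
    window=$1; shift
    rc=0
    for f in "$@"; do
        if ! openssl x509 -in "$f" -noout -checkend "$window" >/dev/null; then
            echo "EXPIRES WITHIN ${window}s: $f ($(openssl x509 -in "$f" -noout -enddate))"
            rc=1
        fi
    done
    return "$rc"
}

# Return 0 if leaf ($1) chains through the intermediate file ($2, which
# may hold several certificates) to a root in $3, i.e. the same path
# "openssl s_client -verify" walks. Both the printed "OK" and the exit
# status are checked, so the result does not hinge on one OpenSSL version.
chain_verifies() {
    out=$(openssl verify -CAfile "$3" -untrusted "$2" "$1" 2>&1) || { echo "$out"; return 1; }
    case $out in
        *": OK"*) return 0 ;;
        *) echo "$out"; return 1 ;;
    esac
}

# Build the constructed test PKI in $WORK.
mkpki() {
    cat > "$WORK/pki.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    for ca in root other; do
        openssl req -x509 -config "$WORK/pki.cnf" -newkey rsa:2048 -nodes -days 3650 \
            -subj "/O=Example/CN=Example $ca CA" \
            -keyout "$WORK/$ca.key" -out "$WORK/$ca.crt" 2>/dev/null
    done
    openssl req -new -config "$WORK/pki.cnf" -newkey rsa:2048 -nodes \
        -subj "/O=Example/CN=Example Intermediate CA" \
        -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
        -CAcreateserial -days 1825 -extfile "$WORK/pki.cnf" -extensions v3_ca \
        -out "$WORK/int.crt" 2>/dev/null
    openssl req -new -config "$WORK/pki.cnf" -newkey rsa:2048 -nodes \
        -subj "/OU=Domain Control Validated/CN=*.example.com" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.crt" -CAkey "$WORK/int.key" \
        -CAcreateserial -days 365 -out "$WORK/leaf.crt" 2>/dev/null
}

mkpki
# 30-day window: nothing in the chain is near expiry, so this passes.
chain_not_expiring $((30 * 86400)) "$WORK/root.crt" "$WORK/int.crt" "$WORK/leaf.crt" && echo "chain: nothing expires within 30 days"
# 400-day window: the 365-day leaf is reported.
chain_not_expiring $((400 * 86400)) "$WORK/leaf.crt" || echo "chain: leaf expires within 400 days (expected)"
chain_verifies "$WORK/leaf.crt" "$WORK/int.crt" "$WORK/root.crt" && echo "chain: leaf verifies against its root"
chain_verifies "$WORK/leaf.crt" "$WORK/int.crt" "$WORK/other.crt" || echo "chain: leaf does NOT verify against the wrong root (expected)"
```

These checks cover the files you are about to install, not what the server later sends: once the new chain is in place, repeat the openssl s_client -showcerts -verify run from the ticket against the live service so the served chain, and not just the files on disk, is confirmed.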


CentOS 7 has OpenSSL 1.0.2. OpenSSL before 1.1.0 had issues with building alternative chains. Please try my workaround from https://bugzilla.redhat.com/show_bug.cgi?id=1842174

Metadata Update from @alejandrot:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)
