The web UI on the FreeIPA server comes with a certificate issued by FreeIPA's own (self-signed) CA, which your web browser does not trust out of the box, so it will complain about an invalid certificate when first connecting. This is undesirable for a security product.

Today Let's Encrypt provides signed X.509 certificates for free, which makes it a very attractive solution to the problem.
The procedure has 3 fundamental steps:

  1. Obtaining Let's Encrypt certificates is explained at length on the web; this procedure should work with any of the generic explanations.

  2. Download the DST Root CA X3 certificate (the root that the Let's Encrypt intermediate chained to at the time of writing; check the issuer of the certificates in your chain file, as the root and intermediate change over time) and paste it into a file (here DTSRootCAX3.pem). Make sure the file begins and ends respectively with the lines:

-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
  3. Then import the certificates in the FreeIPA server, as explained below:

The commands that follow will prompt you for the Directory Manager password when needed; the ipa commands also support a -p option to provide the password on the command line. (personally, I prefer not to have the Directory Manager password in my command history)

Change to the directory where the Let's Encrypt certificates are stored.

[root@ipa ~]# cd /root/ipa.soholab.org

Import the respective CA certificates and run ipa-certupdate. The -t C,, trust flags mark the certificate as a trusted CA for TLS server authentication; ipa-certupdate then pushes the new CA certificates into the server's own certificate databases (enrolled clients have to run ipa-certupdate as well to pick them up).

[root@ipa ipa.soholab.org]# ipa-cacert-manage -n DSTRootCAX3 -t C,, install DTSRootCAX3.pem
Installing CA certificate, please wait
CA certificate successfully installed
The ipa-cacert-manage command was successful

[root@ipa ipa.soholab.org]# ipa-cacert-manage -n LetsEncryptX3 -t C,, install ca.cer
Installing CA certificate, please wait
CA certificate successfully installed
The ipa-cacert-manage command was successful

[root@lxipa ~]# ipa-certupdate -v

Use openssl to convert the Let's Encrypt certificate into the PKCS#12 (p12) format, in order to combine the certificate, its private key and the chain in one single file. The export password you choose here protects the private key inside that file.

[root@ipa ipa.soholab.org]# openssl pkcs12 -export -in ipa.soholab.org.cer   -inkey ipa.soholab.org.key  -out ipa.soholab.org.p12 -certfile fullchain.cer
Enter Export Password:
Verifying - Enter Export Password:

Finally install the obtained p12 file with ipa-server-certinstall. The -w switch installs the certificate for the web server (httpd); add -d to install it for the directory server (LDAP) as well. The "private key unlock password" it asks for is the export password chosen in the previous step.

[root@ipa ipa.soholab.org]# ipa-server-certinstall -w ipa.soholab.org.p12
Directory Manager password:

Enter private key unlock password:

The ipa-server-certinstall command was successful
[root@ipa ipa.soholab.org]#

The following services have to be restarted for the change to take effect (the dirsrv restart is only needed if the certificate was also installed for the directory server with -d):

[root@ipa ipa.soholab.org]# systemctl restart httpd.service
[root@ipa ipa.soholab.org]# systemctl restart dirsrv@SOHOLABS-ORG.service

Alternatively you can restart all IPA-related services with ipactl.

[root@lxipa ipa.soholab.org]# ipactl stop
Stopping ipa-otpd Service
Stopping pki-tomcatd Service
Stopping ipa-custodia Service
Stopping httpd Service
Stopping ipa_memcached Service
Stopping kadmin Service
Stopping krb5kdc Service
Stopping Directory Service
ipa: INFO: The ipactl command was successful

[root@lxipa ~]# ipactl start
Starting Directory Service
Starting krb5kdc Service
Starting kadmin Service
Starting ipa_memcached Service
Starting httpd Service
Starting ipa-custodia Service
Starting pki-tomcatd Service
Starting ipa-otpd Service
ipa: INFO: The ipactl command was successful
[root@lxipa ~]#
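The whole procedure above, wrapped in a small shell helper so that it can be repeated at every renewal. This is an added example, not code from the original post or from the FreeIPA project. It assumes the file layout used in the post (ipa.soholab.org.cer, ipa.soholab.org.key, ca.cer and fullchain.cer in /root/ipa.soholab.org), assumes that the IPA domain is the host's parent domain (used to derive the dirsrv instance name), and lets ipa-cacert-manage and ipa-server-certinstall prompt for the Directory Manager password rather than passing it on the command line. Unlike the post's own command it installs the certificate for both the web server and the directory server (-w -d).

```shell
#!/bin/sh
# Added example, not code from the original post: performs the procedure above
# (import CA certs, build the PKCS#12, install it, restart the services).
# Assumed file layout, as in the post: $HOST.cer, $HOST.key, ca.cer and
# fullchain.cer in $CERT_DIR. The Directory Manager password is prompted for
# by ipa-cacert-manage / ipa-server-certinstall, never passed on argv.
set -eu

HOST=${HOST:-ipa.soholab.org}
DOMAIN=${DOMAIN:-${HOST#*.}}   # assumption: the IPA domain is the host's parent domain
CERT_DIR=${CERT_DIR:-/root/$HOST}

# Step 2 sanity check: a PEM file must start with the BEGIN marker and its
# last non-empty line must be the END marker.
pem_looks_sane() {
    f=$1
    [ -s "$f" ] || return 1
    [ "$(head -n 1 "$f")" = "-----BEGIN CERTIFICATE-----" ] || return 1
    [ "$(grep -v '^$' "$f" | tail -n 1)" = "-----END CERTIFICATE-----" ] || return 1
}

# dirsrv instance name derived from the domain: soholab.org -> SOHOLAB-ORG
dirsrv_instance() {
    printf '%s' "$1" | tr 'a-z' 'A-Z' | tr '.' '-'
}

# Step 3a: add a CA certificate (FILE) to the IPA trust store under NICKNAME
# with trust flags C,, (trusted CA for TLS server auth), then push it into the
# server's own certificate databases with ipa-certupdate.
import_ca() {
    pem_looks_sane "$1" || { echo "$1 is not a PEM certificate" >&2; return 1; }
    ipa-cacert-manage -n "$2" -t C,, install "$1"
    ipa-certupdate -v
}

# Step 3b: bundle leaf certificate, private key and chain into a PKCS#12 file.
# The export password travels through the environment (P12PASS), not argv.
build_p12() {
    openssl pkcs12 -export \
        -in "$CERT_DIR/$HOST.cer" -inkey "$CERT_DIR/$HOST.key" \
        -certfile "$CERT_DIR/fullchain.cer" \
        -passout env:P12PASS -out "$1"
}

# Step 3c: install the bundle for the web server (-w) and the directory server
# (-d; the post's own command used only -w), then restart both services.
install_and_restart() {
    umask 077                                  # the bundle holds the private key
    p12=$(mktemp /root/ipa-cert.XXXXXX)
    P12PASS=$(head -c 18 /dev/urandom | base64) # one-time export password
    export P12PASS
    build_p12 "$p12"
    ipa-server-certinstall -w -d --pin "$P12PASS" "$p12"
    rm -f "$p12"
    unset P12PASS
    systemctl restart httpd.service "dirsrv@$(dirsrv_instance "$DOMAIN").service"
}

# Confirm what the web UI now presents (subject, issuer, expiry).
show_served() {
    openssl s_client -connect "$HOST:443" -servername "$HOST" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject -issuer -enddate
}

case "${1:-}" in
    import-ca) import_ca "$2" "$3" ;;          # import-ca FILE NICKNAME
    install)
        pem_looks_sane "$CERT_DIR/$HOST.cer" || { echo "bad leaf certificate" >&2; exit 1; }
        pem_looks_sane "$CERT_DIR/fullchain.cer" || { echo "bad chain file" >&2; exit 1; }
        install_and_restart
        show_served ;;
    *) echo "usage: $0 import-ca FILE NICKNAME | install" >&2 ;;
esac
```

Run it once per CA certificate (`./ipa-le.sh import-ca DTSRootCAX3.pem DSTRootCAX3`, then the same for ca.cer) and then `./ipa-le.sh install`; at renewal time only the install step is needed as long as the chain has not changed. The export password is generated per run and kept out of the process arguments of openssl; it is still visible briefly in the arguments of ipa-server-certinstall, which is acceptable here because the p12 file lives only for the duration of the run, with mode 0600 under /root.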