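#!/usr/bin/env bash
# Install the ISRG roots and the current Let's Encrypt issuing intermediate into
# FreeIPA's trust store, then point the IPA httpd certificate and key at the
# certbot "live" files for this host.
#
# Requires: a certbot lineage at /etc/letsencrypt/live/<FQDN>/ (fullchain.pem,
# cert.pem, privkey.pem), HTTPS access to *.i.lencr.org, and root privileges
# for ipa-cacert-manage / ipa-certupdate and the /var/lib/ipa replacements.
#
# Changes from the original one-liner version:
#   * strict mode plus quoting of every path built from $FQDN / $issuer;
#   * curl -f so an HTTP error is a failure instead of an HTML page saved as .der;
#   * the issuer CN is read with -nameopt RFC2253 ("CN=R3,...") because the old
#     `grep -Po "(?<=CN=).*"` on -text output ("CN = R3") matches nothing on
#     OpenSSL >= 1.1, which left $issuer empty and fetched https://.i.lencr.org;
#   * the issuer CN is validated before it is used as a hostname and file name;
#   * the fetched intermediate must chain to the fetched roots before it is
#     installed into the IPA trust store;
#   * a stray diagnostic (`openssl x509 -text -in crt.pem | grep ... http.+`,
#     reading crt.pem from the current directory, output unused) is dropped —
#     under strict mode a missing crt.pem would have aborted the script.
set -euo pipefail

die() { printf '%s\n' "$*" >&2; exit 1; }

FQDN=$(hostname -f) || die "hostname -f failed"
readonly FQDN
readonly CERT_DIR="/etc/ssl/$FQDN"
readonly LE_LIVE="/etc/letsencrypt/live/$FQDN"
readonly IPA_CERT=/var/lib/ipa/certs/httpd.crt
readonly IPA_KEY=/var/lib/ipa/private/httpd.key

#######################################
# Download one certificate from Let's Encrypt's issuer host and convert it to PEM.
# Globals:   CERT_DIR (read)
# Arguments: $1 - short certificate name (x1, x2, r3, ...)
# Outputs:   writes $CERT_DIR/$1.der and $CERT_DIR/$1.pem
# Returns:   0 on success; exits via die on download or parse failure
#######################################
fetch_lencr_cert() {
  local name=$1
  local der="$CERT_DIR/$name.der"
  local pem="$CERT_DIR/$name.pem"
  # -f: treat HTTP errors as failures; -sS: quiet but still report errors.
  curl -fsS -o "$der" "https://$name.i.lencr.org" \
    || die "download of $name from i.lencr.org failed"
  # The DER->PEM conversion doubles as a check that what we got is a certificate.
  openssl x509 -inform der -in "$der" -out "$pem" \
    || die "$der is not a DER-encoded certificate"
}

#######################################
# Replace an IPA-managed file with a symlink to the certbot live file, keeping
# a .bak copy. A path that is already a symlink is left alone, so re-running
# the script is a no-op for this step.
# Arguments: $1 - symlink target (certbot live file)
#            $2 - IPA path to replace
#######################################
link_to_letsencrypt() {
  local target=$1
  local link=$2
  if ! [[ -L "$link" ]]; then
    mv -- "$link" "$link.bak"
    ln -s -- "$target" "$link"
  fi
}

mkdir -p -- "$CERT_DIR"

# ISRG Root X1 and X2 (the two Let's Encrypt roots).
fetch_lencr_cert x1
fetch_lencr_cert x2

# Issuer of the leaf (first certificate in fullchain.pem), e.g. "CN=R3,O=Let's Encrypt,C=US".
issuer_dn=$(openssl x509 -noout -issuer -nameopt RFC2253 -in "$LE_LIVE/fullchain.pem") \
  || die "cannot read issuer from $LE_LIVE/fullchain.pem"
[[ "$issuer_dn" == *"Let's Encrypt"* ]] \
  || die "leaf is not issued by Let's Encrypt: $issuer_dn"
issuer=${issuer_dn#*CN=}   # drop everything up to the CN attribute
issuer=${issuer%%,*}       # keep only the CN value
issuer=${issuer,,}         # issuer hosts are lower-case, e.g. r3.i.lencr.org
# The CN becomes a hostname and a file name below; accept only a plain identifier.
[[ "$issuer" =~ ^[a-z0-9]+$ ]] \
  || die "unexpected issuer CN '$issuer' in $issuer_dn"

fetch_lencr_cert "$issuer"

# Refuse to install an intermediate that does not chain to the roots fetched above.
openssl verify -CAfile <(cat "$CERT_DIR/x1.pem" "$CERT_DIR/x2.pem") "$CERT_DIR/$issuer.pem" \
  || die "$CERT_DIR/$issuer.pem does not chain to the ISRG roots; not installing it"

ipa-cacert-manage install "$CERT_DIR/x1.pem"
ipa-cacert-manage install "$CERT_DIR/x2.pem"
ipa-cacert-manage install "$CERT_DIR/$issuer.pem"
ipa-certupdate

link_to_letsencrypt "$LE_LIVE/cert.pem" "$IPA_CERT"
link_to_letsencrypt "$LE_LIVE/privkey.pem" "$IPA_KEY"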