4.1 to 4.2 upgrade niggles

Hi, I upgraded a DC Master and DC backup to 4.2-0 and then through to 4.2-1 (errata 85) tonight. I’ve encountered a few niggles that it seems some in the German forum might have already hit?

  1. I think I’ve hit the issue noted in this bug: https://forge.univention.org/bugzilla/show_bug.cgi?id=42986
    I can’t log in to the DC Backup web interface anymore. I just receive the “Could not fulfill the request. The SAML response contained a invalid signature: Failed to verify signature” error others seem to have had (reading via Google Translate). As far as I’m aware my CA/certs were not expired prior to the upgrade.
    I think I’ll hold off upgrading a 4.1 member server to 4.2 until I can determine it won’t also have the SAML errors.

  2. I’ve also got an issue in the DC Master where I can’t seem to get updates via https. It seemed really similar to this other report in the German forum, and his solution also helped me to get the packages over http instead to allow the upgrade from 4.2-0 to 4.2-1 to proceed.
    Didn’t have this issue on 4.1 and don’t have this issue on the DC Backup (hence I think that can eliminate our network).

To me your symptoms sound as if they might be caused by the same underlying issue. Both sound like SSL doesn’t work — for which multiple things can be the cause.

Let’s tackle the second problem first. Please make sure that the DC Master’s date and time are set correctly. That’s absolutely critical for SSL. They’re ok? Then continue.

What’s the output of apt update on the DC Master?

Next try running update-ca-certificates on the DC Master followed by another apt update.

Hi Moritz, I’ve upgraded to errata 99 since this post and am wondering if it’s had an effect.

Ign http://updates.software-univention.de 4.0-0/all/ InRelease
Ign http://updates.software-univention.de 4.0-0/amd64/ InRelease
Ign http://updates.software-univention.de 4.0-1/all/ InRelease
Ign http://updates.software-univention.de 4.0-1/amd64/ InRelease
Get:1 https://appcenter.software-univention.de uvmm-ec2/all/ InRelease [267 B]
Ign https://appcenter.software-univention.de uvmm-ec2/all/ InRelease
Ign http://updates.software-univention.de 4.0-2/all/ InRelease
Get:2 https://appcenter.software-univention.de uvmm-ec2/all/ InRelease [267 B]
Ign https://appcenter.software-univention.de uvmm-ec2/all/ InRelease
Ign http://updates.software-univention.de 4.0-2/amd64/ InRelease
Get:3 https://appcenter.software-univention.de uvmm-ec2/all/ InRelease [267 B]
Ign https://appcenter.software-univention.de uvmm-ec2/all/ InRelease
Ign http://updates.software-univention.de 4.0-3/all/ InRelease
Get:4 https://appcenter.software-univention.de uvmm-ec2/all/ Release.gpg [836 B]
Ign http://updates.software-univention.de 4.0-3/amd64/ InRelease
Get:5 https://appcenter.software-univention.de uvmm-ec2/all/ Release.gpg [836 B]
Ign http://updates.software-univention.de 4.0-4/all/ InRelease
Get:6 https://appcenter.software-univention.de uvmm-ec2/all/ Release.gpg [836 B]
Ign http://updates.software-univention.de 4.0-4/amd64/ InRelease
Hit https://appcenter.software-univention.de uvmm-ec2/all/ Release
Ign http://updates.software-univention.de 4.0-5/all/ InRelease
Hit https://appcenter.software-univention.de uvmm-ec2/all/ Release
Ign http://updates.software-univention.de 4.0-5/amd64/ InRelease
Hit https://appcenter.software-univention.de uvmm-ec2/all/ Release
Ign http://updates.software-univention.de 4.1-0/all/ InRelease
Hit https://appcenter.software-univention.de uvmm-ec2/all/ Packages
Ign http://updates.software-univention.de 4.1-0/amd64/ InRelease
Hit https://appcenter.software-univention.de uvmm-ec2/all/ Packages
Hit https://appcenter.software-univention.de uvmm-ec2/all/ Packages
Ign http://updates.software-univention.de 4.1-1/all/ InRelease
Ign http://updates.software-univention.de 4.1-1/amd64/ InRelease
Ign http://updates.software-univention.de 4.1-2/all/ InRelease
Ign http://updates.software-univention.de 4.1-2/amd64/ InRelease
Ign http://updates.software-univention.de 4.1-3/all/ InRelease
Ign http://updates.software-univention.de 4.1-3/amd64/ InRelease
Ign https://appcenter.software-univention.de uvmm-ec2/all/ InRelease
Ign https://appcenter.software-univention.de uvmm-ec2/all/ InRelease
Ign https://appcenter.software-univention.de uvmm-ec2/all/ InRelease
Ign http://updates.software-univention.de 4.0-0/all/ InRelease
Ign https://appcenter.software-univention.de uvmm-ec2/all/ Release.gpg
Ign http://updates.software-univention.de 4.0-0/amd64/ InRelease
Ign https://appcenter.software-univention.de uvmm-ec2/all/ Release.gpg
Ign https://appcenter.software-univention.de uvmm-ec2/all/ Release.gpg
Ign http://updates.software-univention.de 4.0-1/all/ InRelease
Ign http://updates.software-univention.de 4.0-1/amd64/ InRelease
Ign http://updates.software-univention.de 4.0-2/all/ InRelease
Ign http://updates.software-univention.de 4.0-2/amd64/ InRelease
Ign http://updates.software-univention.de 4.0-3/all/ InRelease
Ign http://updates.software-univention.de 4.0-3/amd64/ InRelease
Hit https://appcenter.software-univention.de uvmm-ec2/all/ Release
Ign http://updates.software-univention.de 4.0-4/all/ InRelease
Hit https://appcenter.software-univention.de uvmm-ec2/all/ Release
Ign http://updates.software-univention.de 4.0-4/amd64/ InRelease
Hit https://appcenter.software-univention.de uvmm-ec2/all/ Release
Ign http://updates.software-univention.de 4.0-5/all/ InRelease
Get:1 https://appcenter.software-univention.de uvmm-ec2/all/ Packages
Ign http://updates.software-univention.de 4.0-5/amd64/ InRelease
Get:2 https://appcenter.software-univention.de uvmm-ec2/all/ Packages
Ign http://updates.software-univention.de 4.1-0/all/ InRelease
Get:3 https://appcenter.software-univention.de uvmm-ec2/all/ Packages
Ign http://updates.software-univention.de 4.1-0/amd64/ InRelease
Hit https://appcenter.software-univention.de uvmm-ec2/all/ Packages
Hit https://appcenter.software-univention.de uvmm-ec2/all/ Packages
Hit https://appcenter.software-univention.de uvmm-ec2/all/ Packages
Ign http://updates.software-univention.de 4.1-1/all/ InRelease
Ign http://updates.software-univention.de 4.1-1/amd64/ InRelease
Ign http://updates.software-univention.de 4.1-2/all/ InRelease
Ign http://updates.software-univention.de 4.1-2/amd64/ InRelease
Ign http://updates.software-univention.de 4.1-3/all/ InRelease
Ign http://updates.software-univention.de 4.1-3/amd64/ InRelease
Ign http://updates.software-univention.de 4.1-4/all/ InRelease
Ign http://updates.software-univention.de 4.1-4/amd64/ InRelease
Ign http://updates.software-univention.de 4.2-0/all/ InRelease
Ign http://updates.software-univention.de 4.2-0/amd64/ InRelease
Ign http://updates.software-univention.de 4.2-1/all/ InRelease
Ign http://updates.software-univention.de 4.2-1/amd64/ InRelease
Ign http://updates.software-univention.de 4.2-1-errata/all/ InRelease
Ign http://updates.software-univention.de 4.2-1-errata/amd64/ InRelease
Ign http://updates.software-univention.de 4.1-4-errata/all/ InRelease
Ign http://updates.software-univention.de 4.1-4-errata/amd64/ InRelease
Ign http://updates.software-univention.de cool-solutions/all/ InRelease
Ign http://updates.software-univention.de cool-solutions/all/ InRelease
Ign http://updates.software-univention.de cool-solutions/all/ InRelease
Ign http://updates.software-univention.de cool-solutions/amd64/ InRelease
Get:4 http://updates.software-univention.de 4.0-0/all/ Release.gpg [836 B]
Get:5 http://updates.software-univention.de 4.0-0/amd64/ Release.gpg [836 B]
Get:6 http://updates.software-univention.de 4.0-1/all/ Release.gpg [836 B]
Get:7 http://updates.software-univention.de 4.0-1/amd64/ Release.gpg [836 B]
Get:8 http://updates.software-univention.de 4.0-2/all/ Release.gpg [836 B]
Get:9 http://updates.software-univention.de 4.0-2/amd64/ Release.gpg [836 B]
Get:10 http://updates.software-univention.de 4.0-3/all/ Release.gpg [836 B]
Get:11 http://updates.software-univention.de 4.0-3/amd64/ Release.gpg [836 B]
Get:12 http://updates.software-univention.de 4.0-4/all/ Release.gpg [836 B]
Get:13 http://updates.software-univention.de 4.0-4/amd64/ Release.gpg [836 B]
Get:14 http://updates.software-univention.de 4.0-5/all/ Release.gpg [836 B]
Get:15 http://updates.software-univention.de 4.0-5/amd64/ Release.gpg [836 B]
Get:16 http://updates.software-univention.de 4.1-0/all/ Release.gpg [836 B]
Get:17 http://updates.software-univention.de 4.1-0/amd64/ Release.gpg [836 B]
Get:18 http://updates.software-univention.de 4.1-1/all/ Release.gpg [836 B]
Get:19 http://updates.software-univention.de 4.1-1/amd64/ Release.gpg [836 B]
Get:20 http://updates.software-univention.de 4.1-2/all/ Release.gpg [836 B]
Get:21 http://updates.software-univention.de 4.1-2/amd64/ Release.gpg [836 B]
Get:22 http://updates.software-univention.de 4.1-3/all/ Release.gpg [836 B]
Get:23 http://updates.software-univention.de 4.1-3/amd64/ Release.gpg [836 B]
Hit http://updates.software-univention.de 4.1-4/all/ Release.gpg
Hit http://updates.software-univention.de 4.1-4/amd64/ Release.gpg
Hit http://updates.software-univention.de 4.2-0/all/ Release.gpg
Hit http://updates.software-univention.de 4.2-0/amd64/ Release.gpg
Hit http://updates.software-univention.de 4.2-1/all/ Release.gpg
Hit http://updates.software-univention.de 4.2-1/amd64/ Release.gpg
Hit http://updates.software-univention.de 4.2-1-errata/all/ Release.gpg
Hit http://updates.software-univention.de 4.2-1-errata/amd64/ Release.gpg
Hit http://updates.software-univention.de 4.1-4-errata/all/ Release.gpg
Hit http://updates.software-univention.de 4.1-4-errata/amd64/ Release.gpg
Hit http://updates.software-univention.de cool-solutions/all/ Release.gpg
Hit http://updates.software-univention.de cool-solutions/all/ Release.gpg
Hit http://updates.software-univention.de cool-solutions/all/ Release.gpg
Hit http://updates.software-univention.de cool-solutions/amd64/ Release.gpg
Hit http://updates.software-univention.de 4.0-0/all/ Release
Hit http://updates.software-univention.de 4.0-0/amd64/ Release
Hit http://updates.software-univention.de 4.0-1/all/ Release
Hit http://updates.software-univention.de 4.0-1/amd64/ Release
Hit http://updates.software-univention.de 4.0-2/all/ Release
Hit http://updates.software-univention.de 4.0-2/amd64/ Release
Hit http://updates.software-univention.de 4.0-3/all/ Release
Hit http://updates.software-univention.de 4.0-3/amd64/ Release
Hit http://updates.software-univention.de 4.0-4/all/ Release
Hit http://updates.software-univention.de 4.0-4/amd64/ Release
Hit http://updates.software-univention.de 4.0-5/all/ Release
Hit http://updates.software-univention.de 4.0-5/amd64/ Release
Hit http://updates.software-univention.de 4.1-0/all/ Release
Hit http://updates.software-univention.de 4.1-0/amd64/ Release
Hit http://updates.software-univention.de 4.1-1/all/ Release
Hit http://updates.software-univention.de 4.1-1/amd64/ Release
Hit http://updates.software-univention.de 4.1-2/all/ Release
Hit http://updates.software-univention.de 4.1-2/amd64/ Release
Hit http://updates.software-univention.de 4.1-3/all/ Release
Hit http://updates.software-univention.de 4.1-3/amd64/ Release
Hit http://updates.software-univention.de 4.1-4/all/ Release
Hit http://updates.software-univention.de 4.1-4/amd64/ Release
Hit http://updates.software-univention.de 4.2-0/all/ Release
Hit http://updates.software-univention.de 4.2-0/amd64/ Release
Hit http://updates.software-univention.de 4.2-1/all/ Release
Hit http://updates.software-univention.de 4.2-1/amd64/ Release
Hit http://updates.software-univention.de 4.2-1-errata/all/ Release
Hit http://updates.software-univention.de 4.2-1-errata/amd64/ Release
Hit http://updates.software-univention.de 4.1-4-errata/all/ Release
Hit http://updates.software-univention.de 4.1-4-errata/amd64/ Release
Hit http://updates.software-univention.de cool-solutions/all/ Release
Hit http://updates.software-univention.de cool-solutions/all/ Release
Hit http://updates.software-univention.de cool-solutions/all/ Release
Hit http://updates.software-univention.de cool-solutions/amd64/ Release
Hit http://updates.software-univention.de 4.0-0/all/ Packages
Hit http://updates.software-univention.de 4.0-0/amd64/ Packages
Hit http://updates.software-univention.de 4.0-1/all/ Packages
Hit http://updates.software-univention.de 4.0-1/amd64/ Packages
Hit http://updates.software-univention.de 4.0-2/all/ Packages
Hit http://updates.software-univention.de 4.0-2/amd64/ Packages
Hit http://updates.software-univention.de 4.0-3/all/ Packages
Hit http://updates.software-univention.de 4.0-3/amd64/ Packages
Hit http://updates.software-univention.de 4.0-4/all/ Packages
Hit http://updates.software-univention.de 4.0-4/amd64/ Packages
Hit http://updates.software-univention.de 4.0-5/all/ Packages
Hit http://updates.software-univention.de 4.0-5/amd64/ Packages
Hit http://updates.software-univention.de 4.1-0/all/ Packages
Hit http://updates.software-univention.de 4.1-0/amd64/ Packages
Hit http://updates.software-univention.de 4.1-1/all/ Packages
Hit http://updates.software-univention.de 4.1-1/amd64/ Packages
Hit http://updates.software-univention.de 4.1-2/all/ Packages
Hit http://updates.software-univention.de 4.1-2/amd64/ Packages
Hit http://updates.software-univention.de 4.1-3/all/ Packages
Hit http://updates.software-univention.de 4.1-3/amd64/ Packages
Hit http://updates.software-univention.de 4.1-4/all/ Packages
Hit http://updates.software-univention.de 4.1-4/amd64/ Packages
Hit http://updates.software-univention.de 4.2-0/all/ Packages
Hit http://updates.software-univention.de 4.2-0/amd64/ Packages
Hit http://updates.software-univention.de 4.2-1/all/ Packages
Hit http://updates.software-univention.de 4.2-1/amd64/ Packages
Hit http://updates.software-univention.de 4.2-1-errata/all/ Packages
Hit http://updates.software-univention.de 4.2-1-errata/amd64/ Packages
Hit http://updates.software-univention.de 4.1-4-errata/all/ Packages
Hit http://updates.software-univention.de 4.1-4-errata/amd64/ Packages
Hit http://updates.software-univention.de cool-solutions/all/ Packages
Hit http://updates.software-univention.de cool-solutions/all/ Packages
Hit http://updates.software-univention.de cool-solutions/all/ Packages
Hit http://updates.software-univention.de cool-solutions/amd64/ Packages
Fetched 16.7 kB in 47s (353 B/s)
Reading package lists...
Building dependency tree...
Reading state information...
All packages are up to date.

Switched back to https repos

update-ca-certificates --verbose
Updating certificates in /etc/ssl/certs...
0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.
ucr set repository/online/server=https://updates.software-univention.de/

and looks like it can get all the repos since the initial post.

Ign https://appcenter.software-univention.de uvmm-ec2/all/ InRelease
Ign https://updates.software-univention.de 4.0-0/all/ InRelease
Ign https://appcenter.software-univention.de uvmm-ec2/all/ InRelease
Ign https://updates.software-univention.de 4.0-0/amd64/ InRelease
Ign https://appcenter.software-univention.de uvmm-ec2/all/ InRelease
Ign https://updates.software-univention.de 4.0-1/all/ InRelease
Get:1 https://appcenter.software-univention.de uvmm-ec2/all/ Release.gpg [836 B]
Get:2 https://updates.software-univention.de 4.0-1/amd64/ InRelease [1,917 B]
Ign https://updates.software-univention.de 4.0-1/amd64/ InRelease
Get:3 https://appcenter.software-univention.de uvmm-ec2/all/ Release.gpg [836 B]
Get:4 https://updates.software-univention.de 4.0-2/all/ InRelease [1,917 B]
Ign https://updates.software-univention.de 4.0-2/all/ InRelease
Get:5 https://appcenter.software-univention.de uvmm-ec2/all/ Release.gpg [836 B]
Get:6 https://updates.software-univention.de 4.0-2/amd64/ InRelease [1,917 B]
Ign https://updates.software-univention.de 4.0-2/amd64/ InRelease
Hit https://appcenter.software-univention.de uvmm-ec2/all/ Release
Get:7 https://updates.software-univention.de 4.0-3/all/ InRelease [1,917 B]
Ign https://updates.software-univention.de 4.0-3/all/ InRelease
Hit https://appcenter.software-univention.de uvmm-ec2/all/ Release
Get:8 https://updates.software-univention.de 4.0-3/amd64/ InRelease [1,917 B]
Ign https://updates.software-univention.de 4.0-3/amd64/ InRelease
Hit https://appcenter.software-univention.de uvmm-ec2/all/ Release
Get:9 https://updates.software-univention.de 4.0-4/all/ InRelease [1,917 B]
Ign https://updates.software-univention.de 4.0-4/all/ InRelease
Hit https://appcenter.software-univention.de uvmm-ec2/all/ Packages
Get:10 https://updates.software-univention.de 4.0-4/amd64/ InRelease [1,917 B]
Ign https://updates.software-univention.de 4.0-4/amd64/ InRelease
Hit https://appcenter.software-univention.de uvmm-ec2/all/ Packages
Get:11 https://updates.software-univention.de 4.0-5/all/ InRelease [1,917 B]
Ign https://updates.software-univention.de 4.0-5/all/ InRelease
Hit https://appcenter.software-univention.de uvmm-ec2/all/ Packages
Get:12 https://updates.software-univention.de 4.0-5/amd64/ InRelease [1,917 B]
Ign https://updates.software-univention.de 4.0-5/amd64/ InRelease
Get:13 https://updates.software-univention.de 4.1-0/all/ InRelease [1,917 B]
Ign https://updates.software-univention.de 4.1-0/all/ InRelease
Get:14 https://updates.software-univention.de 4.1-0/amd64/ InRelease [1,917 B]
Ign https://updates.software-univention.de 4.1-0/amd64/ InRelease
Get:15 https://updates.software-univention.de 4.1-1/all/ InRelease [1,917 B]
Ign https://updates.software-univention.de 4.1-1/all/ InRelease
Get:16 https://updates.software-univention.de 4.1-1/amd64/ InRelease [1,917 B]
Ign https://updates.software-univention.de 4.1-1/amd64/ InRelease
Get:17 https://updates.software-univention.de 4.1-2/all/ InRelease [1,917 B]
Ign https://updates.software-univention.de 4.1-2/all/ InRelease
Get:18 https://updates.software-univention.de 4.1-2/amd64/ InRelease [1,917 B]
Ign https://updates.software-univention.de 4.1-2/amd64/ InRelease
Get:19 https://updates.software-univention.de 4.1-3/all/ InRelease [1,917 B]
Ign https://updates.software-univention.de 4.1-3/all/ InRelease
Get:20 https://updates.software-univention.de 4.1-3/amd64/ InRelease [1,917 B]
Ign https://updates.software-univention.de 4.1-3/amd64/ InRelease
Get:21 https://updates.software-univention.de 4.1-4/all/ InRelease [1,917 B]
Ign https://updates.software-univention.de 4.1-4/all/ InRelease
Get:22 https://updates.software-univention.de 4.1-4/amd64/ InRelease [1,917 B]
Ign https://updates.software-univention.de 4.1-4/amd64/ InRelease
Get:23 https://updates.software-univention.de 4.2-0/all/ InRelease [1,917 B]
Ign https://updates.software-univention.de 4.2-0/all/ InRelease
Get:24 https://updates.software-univention.de 4.2-0/amd64/ InRelease [1,917 B]
Ign https://updates.software-univention.de 4.2-0/amd64/ InRelease
Get:25 https://updates.software-univention.de 4.2-1/all/ InRelease [1,917 B]
Ign https://updates.software-univention.de 4.2-1/all/ InRelease
Get:26 https://updates.software-univention.de 4.2-1/amd64/ InRelease [1,917 B]
Ign https://updates.software-univention.de 4.2-1/amd64/ InRelease
Get:27 https://updates.software-univention.de 4.2-1-errata/all/ InRelease [1,917 B]
Ign https://updates.software-univention.de 4.2-1-errata/all/ InRelease
Get:28 https://updates.software-univention.de 4.2-1-errata/amd64/ InRelease [1,917 B]
Ign https://updates.software-univention.de 4.2-1-errata/amd64/ InRelease
Get:29 https://updates.software-univention.de 4.1-4-errata/all/ InRelease [1,917 B]
Ign https://updates.software-univention.de 4.1-4-errata/all/ InRelease
Get:30 https://updates.software-univention.de 4.1-4-errata/amd64/ InRelease [1,917 B]
Ign https://updates.software-univention.de 4.1-4-errata/amd64/ InRelease
Get:31 https://updates.software-univention.de cool-solutions/all/ InRelease [1,917 B]
Ign https://updates.software-univention.de cool-solutions/all/ InRelease
Get:32 https://updates.software-univention.de cool-solutions/all/ InRelease [1,917 B]
Ign https://updates.software-univention.de cool-solutions/all/ InRelease
Get:33 https://updates.software-univention.de cool-solutions/all/ InRelease [1,917 B]
Ign https://updates.software-univention.de cool-solutions/all/ InRelease
Get:34 https://updates.software-univention.de cool-solutions/amd64/ InRelease [1,917 B]
Ign https://updates.software-univention.de cool-solutions/amd64/ InRelease
Hit https://updates.software-univention.de 4.0-0/all/ Release.gpg
Hit https://updates.software-univention.de 4.0-0/amd64/ Release.gpg
Hit https://updates.software-univention.de 4.0-1/all/ Release.gpg
Hit https://updates.software-univention.de 4.0-1/amd64/ Release.gpg
Hit https://updates.software-univention.de 4.0-2/all/ Release.gpg
Hit https://updates.software-univention.de 4.0-2/amd64/ Release.gpg
Hit https://updates.software-univention.de 4.0-3/all/ Release.gpg
Hit https://updates.software-univention.de 4.0-3/amd64/ Release.gpg
Hit https://updates.software-univention.de 4.0-4/all/ Release.gpg
Hit https://updates.software-univention.de 4.0-4/amd64/ Release.gpg
Hit https://updates.software-univention.de 4.0-5/all/ Release.gpg
Hit https://updates.software-univention.de 4.0-5/amd64/ Release.gpg
Hit https://updates.software-univention.de 4.1-0/all/ Release.gpg
Hit https://updates.software-univention.de 4.1-0/amd64/ Release.gpg
Hit https://updates.software-univention.de 4.1-1/all/ Release.gpg
Hit https://updates.software-univention.de 4.1-1/amd64/ Release.gpg
Hit https://updates.software-univention.de 4.1-2/all/ Release.gpg
Hit https://updates.software-univention.de 4.1-2/amd64/ Release.gpg
Hit https://updates.software-univention.de 4.1-3/all/ Release.gpg
Hit https://updates.software-univention.de 4.1-3/amd64/ Release.gpg
Hit https://updates.software-univention.de 4.1-4/all/ Release.gpg
Hit https://updates.software-univention.de 4.1-4/amd64/ Release.gpg
Hit https://updates.software-univention.de 4.2-0/all/ Release.gpg
Hit https://updates.software-univention.de 4.2-0/amd64/ Release.gpg
Hit https://updates.software-univention.de 4.2-1/all/ Release.gpg
Hit https://updates.software-univention.de 4.2-1/amd64/ Release.gpg
Hit https://updates.software-univention.de 4.2-1-errata/all/ Release.gpg
Hit https://updates.software-univention.de 4.2-1-errata/amd64/ Release.gpg
Hit https://updates.software-univention.de 4.1-4-errata/all/ Release.gpg
Hit https://updates.software-univention.de 4.1-4-errata/amd64/ Release.gpg
Hit https://updates.software-univention.de cool-solutions/all/ Release.gpg
Hit https://updates.software-univention.de cool-solutions/all/ Release.gpg
Hit https://updates.software-univention.de cool-solutions/all/ Release.gpg
Hit https://updates.software-univention.de cool-solutions/amd64/ Release.gpg
Hit https://updates.software-univention.de 4.0-0/all/ Release
Hit https://updates.software-univention.de 4.0-0/amd64/ Release
Hit https://updates.software-univention.de 4.0-1/all/ Release
Hit https://updates.software-univention.de 4.0-1/amd64/ Release
Hit https://updates.software-univention.de 4.0-2/all/ Release
Hit https://updates.software-univention.de 4.0-2/amd64/ Release
Hit https://updates.software-univention.de 4.0-3/all/ Release
Hit https://updates.software-univention.de 4.0-3/amd64/ Release
Hit https://updates.software-univention.de 4.0-4/all/ Release
Hit https://updates.software-univention.de 4.0-4/amd64/ Release
Hit https://updates.software-univention.de 4.0-5/all/ Release
Hit https://updates.software-univention.de 4.0-5/amd64/ Release
Hit https://updates.software-univention.de 4.1-0/all/ Release
Hit https://updates.software-univention.de 4.1-0/amd64/ Release
Hit https://updates.software-univention.de 4.1-1/all/ Release
Hit https://updates.software-univention.de 4.1-1/amd64/ Release
Hit https://updates.software-univention.de 4.1-2/all/ Release
Hit https://updates.software-univention.de 4.1-2/amd64/ Release
Hit https://updates.software-univention.de 4.1-3/all/ Release
Hit https://updates.software-univention.de 4.1-3/amd64/ Release
Hit https://updates.software-univention.de 4.1-4/all/ Release
Hit https://updates.software-univention.de 4.1-4/amd64/ Release
Hit https://updates.software-univention.de 4.2-0/all/ Release
Hit https://updates.software-univention.de 4.2-0/amd64/ Release
Hit https://updates.software-univention.de 4.2-1/all/ Release
Hit https://updates.software-univention.de 4.2-1/amd64/ Release
Hit https://updates.software-univention.de 4.2-1-errata/all/ Release
Hit https://updates.software-univention.de 4.2-1-errata/amd64/ Release
Hit https://updates.software-univention.de 4.1-4-errata/all/ Release
Hit https://updates.software-univention.de 4.1-4-errata/amd64/ Release
Hit https://updates.software-univention.de cool-solutions/all/ Release
Hit https://updates.software-univention.de cool-solutions/all/ Release
Hit https://updates.software-univention.de cool-solutions/all/ Release
Hit https://updates.software-univention.de cool-solutions/amd64/ Release
Hit https://updates.software-univention.de 4.0-0/all/ Packages
Hit https://updates.software-univention.de 4.0-0/amd64/ Packages
Hit https://updates.software-univention.de 4.0-4/amd64/ Packages
Hit https://updates.software-univention.de 4.0-5/all/ Packages
Hit https://updates.software-univention.de 4.0-5/amd64/ Packages
Hit https://updates.software-univention.de 4.1-0/all/ Packages
Hit https://updates.software-univention.de 4.1-0/amd64/ Packages
Hit https://updates.software-univention.de 4.1-1/all/ Packages
Hit https://updates.software-univention.de 4.1-1/amd64/ Packages
Hit https://updates.software-univention.de 4.1-2/all/ Packages
Hit https://updates.software-univention.de 4.1-2/amd64/ Packages
Hit https://updates.software-univention.de 4.1-3/all/ Packages
Hit https://updates.software-univention.de 4.1-3/amd64/ Packages
Hit https://updates.software-univention.de 4.1-4/all/ Packages
Hit https://updates.software-univention.de 4.1-4/amd64/ Packages
Hit https://updates.software-univention.de 4.2-0/all/ Packages
Hit https://updates.software-univention.de 4.2-0/amd64/ Packages
Hit https://updates.software-univention.de 4.2-1/all/ Packages
Hit https://updates.software-univention.de 4.2-1/amd64/ Packages
Hit https://updates.software-univention.de 4.2-1-errata/all/ Packages
Hit https://updates.software-univention.de 4.2-1-errata/amd64/ Packages
Hit https://updates.software-univention.de 4.1-4-errata/all/ Packages
Hit https://updates.software-univention.de 4.1-4-errata/amd64/ Packages
Hit https://updates.software-univention.de cool-solutions/all/ Packages
Hit https://updates.software-univention.de cool-solutions/all/ Packages
Hit https://updates.software-univention.de cool-solutions/all/ Packages
Hit https://updates.software-univention.de cool-solutions/amd64/ Packages
Hit https://updates.software-univention.de 4.0-1/all/ Packages
Hit https://updates.software-univention.de 4.0-1/amd64/ Packages
Hit https://updates.software-univention.de 4.0-2/all/ Packages
Hit https://updates.software-univention.de 4.0-2/amd64/ Packages
Hit https://updates.software-univention.de 4.0-3/all/ Packages
Hit https://updates.software-univention.de 4.0-3/amd64/ Packages
Hit https://updates.software-univention.de 4.0-4/all/ Packages
Fetched 2,508 B in 46s (53 B/s)
Reading package lists...
Building dependency tree...
Reading state information...
All packages are up to date.

First part is looking better

Regarding the SAML SSO/SSL issues here’s some other details.

The stunnel4.service is not starting after boot on either the master or backup. Is it required for SAML SSO to work? Starting it manually with systemctl will start it, but do I then need to restart any other services to rebind tunnels? Similar to this thread:

When the administrator user attempts to log on via SAML SSO to UMC on the DC backup the DC backup syslog has these entries for SSL|SAML:

:/var/log/univention# tail -f ../syslog|egrep -i 'ssl|saml'
Jul 26 14:06:43 dcm1 univention-saml-stunnel: LOG3[35]: SSL_connect: 14094418: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
Jul 26 14:06:43 dcm1 simplesamlphp[10896]: 5 STAT [9167b94fab] User 'administrator' has been successfully authenticated.
Jul 26 14:06:43 dcm1 simplesamlphp[10896]: 5 STAT [9167b94fab] saml20-idp-SSO-first https://dcbackup.ourdomain-snipped.com.au/univention/saml/metadata https://ucs-sso.ourdomain-snipped.com.au/simplesamlphp/saml2/idp/metadata.php NA
Jul 26 14:06:43 dcm1 simplesamlphp[10896]: 5 STAT [9167b94fab] saml20-idp-SSO https://dcbackup.ourdomain-snipped.com.au/univention/saml/metadata https://ucs-sso.ourdomain-snipped.com.au/simplesamlphp/saml2/idp/metadata.php NA
Jul 26 14:06:43 dcm1 simplesamlphp[10896]: 3 [9167b94fab] SimpleSAML_Error_Exception: Error 8 - MemcachePool::get(): Server unix:///var/run/univention-saml/dcbackup.ourdomain-snipped.com.au.socket (tcp 0, udp 0) failed with: Read failed (socket was unexpectedly closed) (0)
Jul 26 14:06:43 dcm1 simplesamlphp[10896]: 3 [9167b94fab] Backtrace:
Jul 26 14:06:43 dcm1 simplesamlphp[10896]: 3 [9167b94fab] 9 /usr/share/simplesamlphp/www/_include.php:84 (SimpleSAML_error_handler)
Jul 26 14:06:43 dcm1 simplesamlphp[10896]: 3 [9167b94fab] 8 [builtin] (MemcachePool::get)
Jul 26 14:06:43 dcm1 simplesamlphp[10896]: 3 [9167b94fab] 7 /usr/share/simplesamlphp/lib/SimpleSAML/Memcache.php:50 (SimpleSAML_Memcache::get)
Jul 26 14:06:43 dcm1 simplesamlphp[10896]: 3 [9167b94fab] 6 /usr/share/simplesamlphp/lib/SimpleSAML/Store/Memcache.php:42 (SimpleSAML_Store_Memcache::get)
Jul 26 14:06:43 dcm1 simplesamlphp[10896]: 3 [9167b94fab] 5 /usr/share/simplesamlphp/lib/SimpleSAML/SessionHandlerStore.php:52 (SimpleSAML_SessionHandlerStore::loadSession)
Jul 26 14:06:43 dcm1 simplesamlphp[10896]: 3 [9167b94fab] 4 /usr/share/simplesamlphp/lib/SimpleSAML/Session.php:325 (SimpleSAML_Session::getSession)
Jul 26 14:06:43 dcm1 simplesamlphp[10896]: 3 [9167b94fab] 3 /usr/share/simplesamlphp/lib/SimpleSAML/Session.php:245 (SimpleSAML_Session::getSessionFromRequest)
Jul 26 14:06:43 dcm1 simplesamlphp[10896]: 3 [9167b94fab] 2 /usr/share/simplesamlphp/lib/SimpleSAML/Auth/State.php:253 (SimpleSAML_Auth_State::loadState)
Jul 26 14:06:43 dcm1 simplesamlphp[10896]: 3 [9167b94fab] 1 /usr/share/simplesamlphp/modules/core/www/loginuserpass.php:17 (require)
Jul 26 14:06:43 dcm1 simplesamlphp[10896]: 3 [9167b94fab] 0 /usr/share/simplesamlphp/www/module.php:137 (N/A)
Jul 26 14:06:44 dcm1 univention-saml-stunnel: LOG3[36]: SSL_connect: 14094418: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
Jul 26 14:06:44 dcm1 simplesamlphp[10901]: 5 STAT [9167b94fab] saml20-idp-SSO https://dcbackup.ourdomain-snipped.com.au/univention/saml/metadata https://ucs-sso.ourdomain-snipped.com.au/simplesamlphp/saml2/idp/metadata.php NA
Jul 26 14:06:44 dcm1 simplesamlphp[10901]: 3 [9167b94fab] SimpleSAML_Error_Exception: Error 8 - MemcachePool::get(): Server unix:///var/run/univention-saml/dcbackup.ourdomain-snipped.com.au.socket (tcp 0, udp 0) failed with: Read failed (socket was unexpectedly closed) (0)
Jul 26 14:06:44 dcm1 simplesamlphp[10901]: 3 [9167b94fab] Backtrace:
Jul 26 14:06:44 dcm1 simplesamlphp[10901]: 3 [9167b94fab] 11 /usr/share/simplesamlphp/www/_include.php:84 (SimpleSAML_error_handler)
Jul 26 14:06:44 dcm1 simplesamlphp[10901]: 3 [9167b94fab] 10 [builtin] (MemcachePool::get)
Jul 26 14:06:44 dcm1 simplesamlphp[10901]: 3 [9167b94fab] 9 /usr/share/simplesamlphp/lib/SimpleSAML/Memcache.php:50 (SimpleSAML_Memcache::get)
Jul 26 14:06:44 dcm1 simplesamlphp[10901]: 3 [9167b94fab] 8 /usr/share/simplesamlphp/lib/SimpleSAML/Store/Memcache.php:42 (SimpleSAML_Store_Memcache::get)
Jul 26 14:06:44 dcm1 simplesamlphp[10901]: 3 [9167b94fab] 7 /usr/share/simplesamlphp/lib/SimpleSAML/SessionHandlerStore.php:52 (SimpleSAML_SessionHandlerStore::loadSession)
Jul 26 14:06:44 dcm1 simplesamlphp[10901]: 3 [9167b94fab] 6 /usr/share/simplesamlphp/lib/SimpleSAML/Session.php:325 (SimpleSAML_Session::getSession)
Jul 26 14:06:44 dcm1 simplesamlphp[10901]: 3 [9167b94fab] 5 /usr/share/simplesamlphp/lib/SimpleSAML/Session.php:245 (SimpleSAML_Session::getSessionFromRequest)
Jul 26 14:06:44 dcm1 simplesamlphp[10901]: 3 [9167b94fab] 4 /usr/share/simplesamlphp/lib/SimpleSAML/Auth/Simple.php:54 (SimpleSAML_Auth_Simple::isAuthenticated)
Jul 26 14:06:44 dcm1 simplesamlphp[10901]: 3 [9167b94fab] 3 /usr/share/simplesamlphp/lib/SimpleSAML/IdP.php:264 (SimpleSAML_IdP::isAuthenticated)
Jul 26 14:06:44 dcm1 simplesamlphp[10901]: 3 [9167b94fab] 2 /usr/share/simplesamlphp/lib/SimpleSAML/IdP.php:404 (SimpleSAML_IdP::handleAuthenticationRequest)
Jul 26 14:06:44 dcm1 simplesamlphp[10901]: 3 [9167b94fab] 1 /usr/share/simplesamlphp/modules/saml/lib/IdP/SAML2.php:389 (sspmod_saml_IdP_SAML2::receiveAuthnRequest)
Jul 26 14:06:44 dcm1 simplesamlphp[10901]: 3 [9167b94fab] 0 /usr/share/simplesamlphp/www/saml2/idp/SSOService.php:19 (N/A)

This is in the syslog on the master:

:/var/log# tail -f syslog|egrep -i 'ssl|saml'
Jul 26 14:06:43 dcbackup univention-saml-stunnel: LOG4[35]: CERT: Pre-verification error: unable to get local issuer certificate
Jul 26 14:06:43 dcbackup univention-saml-stunnel: LOG4[35]: Rejected by CERT at depth=0: C=AU, ST=AU, L=AU, O=<snipped company>, OU=Univention Corporate Server, CN=ucs-sso.ourdomain-snipped.com.au, emailAddress=ssl@ourdomain-snipped.com.au
Jul 26 14:06:43 dcbackup univention-saml-stunnel: LOG3[35]: SSL_accept: 14089086: error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed
Jul 26 14:06:44 dcbackup univention-saml-stunnel: LOG4[36]: CERT: Pre-verification error: unable to get local issuer certificate
Jul 26 14:06:44 dcbackup univention-saml-stunnel: LOG4[36]: Rejected by CERT at depth=0: C=AU, ST=AU, L=AU, O=<snipped company>, OU=Univention Corporate Server, CN=ucs-sso.ourdomain-snipped.com.au, emailAddress=ssl@ourdomain-snipped.com.au
Jul 26 14:06:44 dcbackup univention-saml-stunnel: LOG3[36]: SSL_accept: 14089086: error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed

A couple of memcache errors and a mention about a CA.

SAML Package versions are the same on both DCs (4.2-1 errata 99):

> dpkg -l|grep -i saml
ii  cy2-saml                                            1.5.0-6A~4.2.0.201703311555                    amd64        SASL plugin for SAML authentication
ii  liblasso3                                           2.4.1-1.10.201508131139                        amd64        Library for Liberty Alliance and SAML protocols - runtime library
ii  pam-saml                                            1.5.0-6A~4.2.0.201703311555                    amd64        PAM module for SAML authentication
ii  python-pysaml2                                      3.0.0-5A~4.2.0.201702151906                    all          SAML Version 2 to be used in a WSGI environment - Python 2.x
ii  simplesamlphp                                       1.14.11-1A~4.2.0.201703101227                  all          Authentication and federation application supporting several protocols
ii  univention-saml                                     4.0.14-6A~4.2.0.201707031430                   all          Integrates simpleSAMLphp Identity Provider into UCS
ii  univention-saml-schema                              4.0.14-6A~4.2.0.201707031430                   all          UCS simpleSAMLphp ldap integration

Hope that helps.

First, the apt problem. Just to make sure: does access to the repositories via HTTPS work for both the DC Master and the DC Backup?

Now to the SAML problem. stunnel doesn’t start due to certificate errors, that’s pretty clear from the error messages you’ve posted. So let’s make sure that the CA certificate of the UCS domain is really installed properly. Please post the output of the following commands:

  1. On the DC Backup: ls -l /etc/ssl/certs/ucsCA.pem /usr/local/share/ca-certificates/ucsCA.crt /etc/univention/ssl/ucsCA/CAcert.pem

  2. Again on the DC Backup: openssl x509 -in /etc/univention/ssl/ucsCA/CAcert.pem -noout -text

  3. Once more on the DC Backup: sha256sum /etc/univention/ssl/ucsCA/CAcert.pem

  4. Now on the DC Master: openssl x509 -in /etc/univention/ssl/ucsCA/CAcert.pem -noout -text

  5. On the DC Master, too: sha256sum /etc/univention/ssl/ucsCA/CAcert.pem

2. & 4. are the same commands on both servers, as are 3. and 5. Their output should be identical on both servers.

Did you run update-ca-certificates on both servers?
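The stunnel messages quoted above can be paired mechanically: the host logging "Rejected by CERT" is the verifier that could not build a chain from the presented certificate to a CA it trusts, and the host logging "alert unknown ca" is the peer whose certificate was refused. The Python below is an added example, not part of the original posts or of UCS; its sample lines are constructed from the excerpts in this thread with the domain replaced by example.test, and the function names are hypothetical.

```python
import re
from datetime import datetime, timedelta

# Constructed sample modelled on the stunnel lines quoted in this thread
# (domain replaced by example.test); the last line is unrelated noise.
SAMPLE = """\
Jul 26 14:06:44 dcbackup univention-saml-stunnel: LOG4[36]: CERT: Pre-verification error: unable to get local issuer certificate
Jul 26 14:06:44 dcbackup univention-saml-stunnel: LOG4[36]: Rejected by CERT at depth=0: C=AU, O=Example, OU=Univention Corporate Server, CN=ucs-sso.example.test, emailAddress=ssl@example.test
Jul 26 14:06:44 dcbackup univention-saml-stunnel: LOG3[36]: SSL_accept: 14089086: error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed
Jul 26 14:06:44 dcm1 univention-saml-stunnel: LOG3[36]: SSL_connect: 14094418: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
Jul 26 14:06:44 dcm1 simplesamlphp[10901]: 3 [9167b94fab] Backtrace:
"""

LINE = re.compile(r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) "
                  r"univention-saml-stunnel: LOG\d\[(?P<conn>\d+)\]: (?P<msg>.*)$")
PREVERIFY = re.compile(r"CERT: Pre-verification error: (?P<reason>.+)")
REJECTED = re.compile(r"Rejected by CERT at depth=(?P<depth>\d+): (?P<subject>.+)")
ALERT = re.compile(r"SSL_connect: .*alert (?P<alert>[a-z ]+)$", re.M)


def parse(text):
    """Group stunnel messages per (host, connection id); skip other lines."""
    conns = {}
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # e.g. simplesamlphp backtrace lines
        c = conns.setdefault((m["host"], m["conn"]), {"host": m["host"], "msgs": []})
        c["ts"] = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # syslog has no year
        c["msgs"].append(m["msg"])
    return list(conns.values())


def triage(text, window=timedelta(seconds=2)):
    """Pair each certificate rejection with the peer that received the alert."""
    rejections, alerts = [], []
    for c in parse(text):
        blob = "\n".join(c["msgs"])
        rej, pre, al = REJECTED.search(blob), PREVERIFY.search(blob), ALERT.search(blob)
        if rej:
            cn = re.search(r"CN=([^,]+)", rej["subject"])
            rejections.append({"verifier": c["host"], "ts": c["ts"],
                               "depth": int(rej["depth"]),  # 0 = the leaf itself
                               "cn": cn.group(1) if cn else None,
                               "reason": pre["reason"] if pre else None})
        if al:
            alerts.append({"sender": c["host"], "ts": c["ts"], "alert": al["alert"]})
    findings = []
    for r in rejections:
        # The refused side logs the TLS alert at (nearly) the same moment.
        peer = next((a["sender"] for a in alerts
                     if a["sender"] != r["verifier"]
                     and abs(a["ts"] - r["ts"]) <= window), None)
        findings.append({**r, "presented_by": peer})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{f['verifier']} rejected CN={f['cn']} at depth {f['depth']} "
              f"({f['reason']}); certificate presented by {f['presented_by']}")
```

Connection ids repeat over time, so feed it a short time window of the merged syslog from both hosts rather than a whole day's log.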


Hi Moritz,

Did you run update-ca-certificates on both servers?

Yes, the results were identical on both:

update-ca-certificates
Updating certificates in /etc/ssl/certs...
0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.

First, the apt problem. Just to make sure: does access to the repositories via HTTPS work for both the DC Master and the DC Backup?

That issue appears to be fixed now, I’m getting good hits on all repos with no failures anymore (although there are no current updates to confirm package downloads work too, but assuming yes for the moment :) ).

Now to the SAML problem. stunnel doesn’t start due to certificate errors, that’s pretty clear from the error messages you’ve posted. So let’s make sure that the CA certificate of the UCS domain is really installed properly. Please post the output of the following commands:

On the DC Backup: ls -l /etc/ssl/certs/ucsCA.pem /usr/local/share/ca-certificates/ucsCA.crt /etc/univention/ssl/ucsCA/CAcert.pem

DC Backup results:

ls -l /etc/ssl/certs/ucsCA.pem /usr/local/share/ca-certificates/ucsCA.crt /etc/univention/ssl/ucsCA/CAcert.pem
lrwxrwxrwx 1 root root              42 Dec 29  2016 /etc/ssl/certs/ucsCA.pem -> /usr/local/share/ca-certificates/ucsCA.crt
-rw-rw-r-- 1 root DC Backup Hosts 1992 Jan  4  2016 /etc/univention/ssl/ucsCA/CAcert.pem
lrwxrwxrwx 1 root staff             36 Dec 29  2016 /usr/local/share/ca-certificates/ucsCA.crt -> /etc/univention/ssl/ucsCA/CAcert.pem

Whereas on the DC Master:

ls -l /etc/ssl/certs/ucsCA.pem /usr/local/share/ca-certificates/ucsCA.crt /etc/univention/ssl/ucsCA/CAcert.pem
lrwxrwxrwx 1 root root              42 Dec 29  2016 /etc/ssl/certs/ucsCA.pem -> /usr/local/share/ca-certificates/ucsCA.crt
-rw-rw-r-- 1 root DC Backup Hosts 1992 Jan  4  2016 /etc/univention/ssl/ucsCA/CAcert.pem
lrwxrwxrwx 1 root staff             36 Dec 29  2016 /usr/local/share/ca-certificates/ucsCA.crt -> /etc/univention/ssl/ucsCA/CAcert.pem

Again on the DC Backup: openssl x509 -in /etc/univention/ssl/ucsCA/CAcert.pem -noout -text
Once more on the DC Backup: sha256sum /etc/univention/ssl/ucsCA/CAcert.pem
Now on the DC Master: openssl x509 -in /etc/univention/ssl/ucsCA/CAcert.pem -noout -text
On the DC Master, too: sha256sum /etc/univention/ssl/ucsCA/CAcert.pem
2. & 4. are the same commands on both servers, as are 3. and 5. Their output should be identical on both servers.

DC backup results:
The openssl command gives exactly the same cert on both DCs (fingerprints/keys all match) as does the SHA256 for /etc/univention/ssl/ucsCA/CAcert.pem.

openssl x509 -in /etc/univention/ssl/ucsCA/CAcert.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            <snipped>
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=AU, ST=<snipped>, L=AU, O=<snipped>, OU=<snipped>, CN=Corporate Server Root CA (ID=<snipped>)/emailAddress=ssl@<snipped>.com.au
        Validity
            Not Before: Jan  4 01:40:59 2016 GMT
            Not After : Jan  2 01:40:59 2021 GMT
        Subject: C=AU, ST=<snipped>, L=AU, O=<snipped>, OU=<snipped>, CN=Corporate Server Root CA (ID=<snipped>)/emailAddress=ssl@<snipped>.com.au
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    <snipped>
                Exponent: <snipped>
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Key Identifier:
                8E:<snipped>:AD
            X509v3 Authority Key Identifier:
                keyid:8E:<snipped>:AD
                DirName:/C=AU/ST=<snipped>/L=AU/O=<snipped>/OU=<snipped>/CN=Corporate Server Root CA (ID=<snipped>)/emailAddress=ssl@<snipped>.com.au
                serial:DD:<snipped>:B9

            X509v3 Key Usage:
                Certificate Sign, CRL Sign
            Netscape Cert Type:
                SSL CA, S/MIME CA, Object Signing CA
            X509v3 Subject Alternative Name:
                email:ssl@<snipped>.com.au
            X509v3 Issuer Alternative Name:
                email:ssl@<snipped>.com.au
            Netscape Comment:
                This certificate is a Root CA Certificate
    Signature Algorithm: sha256WithRSAEncryption
         68:<snipped>da

Same on both.

sha256sum /etc/univention/ssl/ucsCA/CAcert.pem
28d139e1fd5be22f4add5c1f9b0eb6fc4af38f318df765c3614094db594dbfb8  /etc/univention/ssl/ucsCA/CAcert.pem

All seems to look OK so far?

Thanks for the help!

Yeah, all that looks good to me so far.

To be honest, I’m not quite sure what the issue might be. What I’d do (as it’s a DC Backup) now is update both the master and the backup to the latest packages (Univention has just released a couple of errata bug fixes) and then re-join the DC Backup into the domain. No data is lost by such a re-join; quite the opposite: during the join process a lot of data is copied from the DC Master including the whole LDAP and all SSL certificates.


Went to apply the latest errata today, and during the univention-upgrade process, downloading the actual packages failed with the errors from the other thread I mentioned.

Switching back to the http repo, as he did, allowed the packages to download. In terms of networking, there are no proxies in the way and the server is reachable, as some packages do download. And updates work on the other DC backup and UCS member servers.

34 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 22.6 MB of archives.
After this operation, 218 kB of additional disk space will be used.
Err https://updates.software-univention.de/4.2/maintained/component/ 4.2-1-errata/all/ univention-web-js 1.0.42-25A~4.2.0.201707241347
  Failed to connect to updates.software-univention.de port 443: Network is unreachable
Err https://updates.software-univention.de/4.2/maintained/component/ 4.2-1-errata/all/ univention-web-style 1.0.42-25A~4.2.0.201707241347
  Failed to connect to updates.software-univention.de port 443: Network is unreachable
Err https://updates.software-univention.de/4.2/maintained/component/ 4.2-1-errata/all/ univention-management-console-login 9.0.80-59A~4.2.0.201707241109
  Failed to connect to updates.software-univention.de port 443: Network is unreachable
Err https://updates.software-univention.de/4.2/maintained/component/ 4.2-1-errata/all/ univention-management-console-frontend 9.0.80-59A~4.2.0.201707241109
  Failed to connect to updates.software-univention.de port 443: Network is unreachable
Err https://updates.software-univention.de/4.2/maintained/ 4.2-0/all/ python-pyasn1-modules 0.0.5-0.1
  Failed to connect to updates.software-univention.de port 443: Network is unreachable
Get:1 https://updates.software-univention.de/4.2/maintained/component/ 4.2-1-errata/all/ python-univention 10.0.4-3A~4.2.0.201707200928 [20.6 kB]
Get:2 https://updates.software-univention.de/4.2/maintained/component/ 4.2-1-errata/all/ univention-directory-manager-tools 12.0.18-5A~4.2.0.201707251539 [91.7 kB]
Get:3 https://updates.software-univention.de/4.2/maintained/component/ 4.2-1-errata/all/ python-univention-directory-manager 12.0.18-5A~4.2.0.201707251539 [271 kB]
Get:4 https://updates.software-univention.de/4.2/maintained/component/ 4.2-1-errata/all/ python-univention-directory-manager-cli 12.0.18-5A~4.2.0.201707251539 [84.5 kB]
Get:5 https://updates.software-univention.de/4.2/maintained/component/ 4.2-1-errata/all/ univention-saml 4.0.14-7A~4.2.0.201707181543 [36.1 kB]
Get:6 https://updates.software-univention.de/4.2/maintained/component/ 4.2-1-errata/all/ univention-saml-schema 4.0.14-7A~4.2.0.201707181543 [19.1 kB]
Get:7 https://updates.software-univention.de/4.2/maintained/component/ 4.2-1-errata/all/ univention-management-console-web-server 9.0.80-59A~4.2.0.201707241109 [68.1 kB]
Get:8 https://updates.software-univention.de/4.2/maintained/component/ 4.2-1-errata/all/ univention-management-console 9.0.80-59A~4.2.0.201707241109 [45.0 kB]
Get:9 https://updates.software-univention.de/4.2/maintained/component/ 4.2-1-errata/all/ univention-management-console-server 9.0.80-59A~4.2.0.201707241109 [67.4 kB]
Get:10 https://updates.software-univention.de/4.2/maintained/component/ 4.2-1-errata/all/ python-univention-management-console 9.0.80-59A~4.2.0.201707241109 [98.8 kB]
Get:11 https://updates.software-univention.de/4.2/maintained/component/ 4.2-1-errata/all/ univention-management-console-module-setup 10.0.10-36A~4.2.0.201707201114 [744 kB]
Get:12 https://updates.software-univention.de/4.2/maintained/component/ 4.2-1-errata/all/ univention-system-setup 10.0.10-36A~4.2.0.201707201114 [134 kB]
Get:13 https://updates.software-univention.de/4.2/maintained/component/ 4.2-1-errata/all/ univention-server-master 12.0.0-10A~4.2.0.201707182054 [157 kB]
Get:14 https://updates.software-univention.de/4.2/maintained/component/ 4.2-1-errata/all/ univention-role-server-common 12.0.0-10A~4.2.0.201707182054 [15.2 kB]
Get:15 https://updates.software-univention.de/4.2/maintained/component/ 4.2-1-errata/all/ univention-role-common 12.0.0-10A~4.2.0.201707182054 [10.7 kB]
Get:16 https://updates.software-univention.de/4.2/maintained/component/ 4.2-1-errata/all/ univention-management-console-module-udm 7.0.10-18A~4.2.0.201707141049 [1,110 kB]
Get:17 https://updates.software-univention.de/4.2/maintained/component/ 4.2-1-errata/amd64/ plymouth 0.9.0-9A~4.2.0.201707031208 [189 kB]
Get:18 https://updates.software-univention.de/4.2/maintained/component/ 4.2-1-errata/amd64/ plymouth-themes 0.9.0-9A~4.2.0.201707031208 [664 kB]
Get:19 https://updates.software-univention.de/4.2/maintained/component/ 4.2-1-errata/amd64/ ldap-utils 2.4.42+dfsg-2.A~4.2.0.201707261131 [191 kB]
Get:20 https://updates.software-univention.de/4.2/maintained/component/ 4.2-1-errata/amd64/ slapd 2.4.42+dfsg-2.A~4.2.0.201707261131 [1,451 kB]
Get:21 https://updates.software-univention.de/4.2/maintained/component/ 4.2-1-errata/amd64/ libldap-2.4-2 2.4.42+dfsg-2.A~4.2.0.201707261131 [228 kB]
Get:22 https://updates.software-univention.de/4.2/maintained/component/ 4.2-1-errata/all/ univention-dhcp 11.0.0-9A~4.2.0.201707251103 [14.5 kB]
Get:23 https://updates.software-univention.de/4.2/maintained/component/ 4.2-1-errata/all/ univention-s4-connector 11.0.8-3A~4.2.0.201707251634 [69.1 kB]
Get:24 https://updates.software-univention.de/4.2/maintained/component/ 4.2-1-errata/all/ python-univention-connector-s4 11.0.8-3A~4.2.0.201707251634 [97.5 kB]
Get:25 https://updates.software-univention.de/4.2/maintained/component/ 4.2-1-errata/all/ univention-virtual-machine-manager-daemon 6.0.4-5A~4.2.0.201707201459 [56.7 kB]
Get:26 https://updates.software-univention.de/4.2/maintained/component/ 4.2-1-errata/all/ univention-management-console-module-uvmm 6.0.4-5A~4.2.0.201707201459 [155 kB]
Get:27 https://updates.software-univention.de/4.2/maintained/component/ 4.2-1-errata/all/ python-univention-virtual-machine-manager 6.0.4-5A~4.2.0.201707201459 [75.2 kB]
Get:28 https://updates.software-univention.de/4.2/maintained/component/ 4.2-1-errata/all/ univention-welcome-screen 8.0.0-15A~4.2.0.201707241330 [9,552 B]
Get:29 https://updates.software-univention.de/4.2/maintained/component/ 4.2-1-errata/all/ univention-bootsplash 8.0.0-15A~4.2.0.201707241330 [1,371 kB]
Get:30 https://updates.software-univention.de/4.2/maintained/component/ 4.2-1-errata/all/ univention-errata-level 4.2.1-118 [792 B]
Fetched 7,546 kB in 1min 13s (102 kB/s)
E: Failed to fetch https://updates.software-univention.de/4.2/maintained/component/4.2-1-errata/all/univention-web-js_1.0.42-25A~4.2.0.201707241347_all.deb  Failed to connect to updates.software-univention.de port 443: Network is unreachable

E: Failed to fetch https://updates.software-univention.de/4.2/maintained/component/4.2-1-errata/all/univention-web-style_1.0.42-25A~4.2.0.201707241347_all.deb  Failed to connect to updates.software-univention.de port 443: Network is unreachable

E: Failed to fetch https://updates.software-univention.de/4.2/maintained/component/4.2-1-errata/all/univention-management-console-login_9.0.80-59A~4.2.0.201707241109_all.deb  Failed to connect to updates.software-univention.de port 443: Network is unreachable

E: Failed to fetch https://updates.software-univention.de/4.2/maintained/component/4.2-1-errata/all/univention-management-console-frontend_9.0.80-59A~4.2.0.201707241109_all.deb  Failed to connect to updates.software-univention.de port 443: Network is unreachable

E: Failed to fetch https://updates.software-univention.de/4.2/maintained/4.2-0/all/python-pyasn1-modules_0.0.5-0.1_all.deb  Failed to connect to updates.software-univention.de port 443: Network is unreachable

E: Unable to fetch some archives, maybe run apt-get update or try with --fix-missing?
 exitcode of apt-get dist-upgrade: 100
ERROR: update failed. Please check /var/log/univention/updater.log

It sounds to me like you do have IPv6 addresses configured on your machine, but your IPv6 connectivity doesn’t actually work. Univention’s update server (and appcenter server, too) is reachable via both IPv4 and IPv6. Whether you use HTTP or HTTPS should not make a difference: the kernel tries IPv6 first, and if it finds out that the server isn’t actually reachable via IPv6 from your machine, it’ll switch to IPv4 and stick with that for a while.

Meaning I guess you’ll see some reachability issues with HTTP sometime, too, and therefore only switching to HTTP won’t actually solve the issue permanently.

Please post the output of ip address show and ip route show from the server where you couldn’t download via HTTPS.

You could be right there, I have been testing IPv6 on that subnet for our internal use, but we don’t have reachability to the internet over anything but IPv4. I’ll look into it.

In that case you should disable the use of IPv6 on your UCS servers completely until you’re ready to use it in production. Otherwise you’ll continue to see strange behavior that happens only sometimes; I can almost guarantee that.
