4.1 to 4.2 upgrade niggles

Hi Moritz,

Did you run update-ca-certificates on both servers?

Yes, the results were identical on both:

update-ca-certificates
Updating certificates in /etc/ssl/certs...
0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.

First, the apt problem. Just to make sure: does access to the repositories via HTTPS work for both the DC Master and the DC Backup?

That issue appears to be fixed now, I’m getting good hits on all repos with no failures anymore (although there are no current updates to confirm package downloads work too, but assuming yes for the moment :slight_smile: ).

Now to the SAML problem. stunnel doesn’t start due to certificate errors, that’s pretty clear from the error messages you’ve posted. So let’s make sure that the CA certificate of the UCS domain is really installed properly. Please post the output of the following commands:

1. On the DC Backup: ls -l /etc/ssl/certs/ucsCA.pem /usr/local/share/ca-certificates/ucsCA.crt /etc/univention/ssl/ucsCA/CAcert.pem

DC Backup results:

ls -l /etc/ssl/certs/ucsCA.pem /usr/local/share/ca-certificates/ucsCA.crt /etc/univention/ssl/ucsCA/CAcert.pem
lrwxrwxrwx 1 root root              42 Dec 29  2016 /etc/ssl/certs/ucsCA.pem -> /usr/local/share/ca-certificates/ucsCA.crt
-rw-rw-r-- 1 root DC Backup Hosts 1992 Jan  4  2016 /etc/univention/ssl/ucsCA/CAcert.pem
lrwxrwxrwx 1 root staff             36 Dec 29  2016 /usr/local/share/ca-certificates/ucsCA.crt -> /etc/univention/ssl/ucsCA/CAcert.pem

Whereas on the DC Master:

ls -l /etc/ssl/certs/ucsCA.pem /usr/local/share/ca-certificates/ucsCA.crt /etc/univention/ssl/ucsCA/CAcert.pem
lrwxrwxrwx 1 root root              42 Dec 29  2016 /etc/ssl/certs/ucsCA.pem -> /usr/local/share/ca-certificates/ucsCA.crt
-rw-rw-r-- 1 root DC Backup Hosts 1992 Jan  4  2016 /etc/univention/ssl/ucsCA/CAcert.pem
lrwxrwxrwx 1 root staff             36 Dec 29  2016 /usr/local/share/ca-certificates/ucsCA.crt -> /etc/univention/ssl/ucsCA/CAcert.pem

3. Again on the DC Backup: openssl x509 -in /etc/univention/ssl/ucsCA/CAcert.pem -noout -text
4. Once more on the DC Backup: sha256sum /etc/univention/ssl/ucsCA/CAcert.pem
5. Now on the DC Master: openssl x509 -in /etc/univention/ssl/ucsCA/CAcert.pem -noout -text
6. On the DC Master, too: sha256sum /etc/univention/ssl/ucsCA/CAcert.pem
6. and 4. are the same commands on both servers, as are 3. and 5. Their output should be identical on both servers.

DC Backup results:
The openssl command gives exactly the same cert on both DCs (fingerprints/keys all match) as does the SHA256 for /etc/univention/ssl/ucsCA/CAcert.pem.

openssl x509 -in /etc/univention/ssl/ucsCA/CAcert.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            <snipped>
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=AU, ST=<snipped>, L=AU, O=<snipped>, OU=<snipped>, CN=Corporate Server Root CA (ID=<snipped>)/emailAddress=ssl@<snipped>.com.au
        Validity
            Not Before: Jan  4 01:40:59 2016 GMT
            Not After : Jan  2 01:40:59 2021 GMT
        Subject: C=AU, ST=<snipped>, L=AU, O=<snipped>, OU=<snipped>, CN=Corporate Server Root CA (ID=<snipped>)/emailAddress=ssl@<snipped>.com.au
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    <snipped>
                Exponent: <snipped>

        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Key Identifier:
                8E:<snipped>:AD
            X509v3 Authority Key Identifier:
                keyid:8E:<snipped>:AD
                DirName:/C=AU/ST=<snipped>/L=AU/O=<snipped>/OU=<snipped>/CN=Corporate Server Root CA (ID=<snipped>)/emailAddress=ssl@<snipped>.com.au
                serial:DD:<snipped>:B9

            X509v3 Key Usage:
                Certificate Sign, CRL Sign
            Netscape Cert Type:
                SSL CA, S/MIME CA, Object Signing CA
            X509v3 Subject Alternative Name:
                email:ssl@<snipped>.com.au
            X509v3 Issuer Alternative Name:
                email:ssl@<snipped>.com.au
            Netscape Comment:
                This certificate is a Root CA Certificate
    Signature Algorithm: sha256WithRSAEncryption
         68:<snipped>da

Same on both.

sha256sum /etc/univention/ssl/ucsCA/CAcert.pem
28d139e1fd5be22f4add5c1f9b0eb6fc4af38f318df765c3614094db594dbfb8  /etc/univention/ssl/ucsCA/CAcert.pem

All seems to look OK so far?

Thanks for the help!
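A check worth running on both DCs after the steps above, as an added example (it is not from the thread, from Univention or from UCS): it resolves the symlink chain, compares the DER SHA-256 fingerprint instead of the PEM file hash (two PEM files can hash differently while carrying the same certificate), and confirms the CA actually made it into the concatenated bundle, which "0 added, 0 removed" from update-ca-certificates does not tell you. The UCS paths are the ones quoted above; /etc/ssl/certs/ca-certificates.crt is assumed to be the Debian-style bundle.

```shell
#!/bin/sh
# Trust-store consistency check for a CA certificate, added for this thread
# (not from UCS or the original post). It compares the DER SHA-256 fingerprint
# rather than the PEM file hash: two PEM files can hash differently (line
# endings, trailing text) yet carry the same certificate, and the
# "0 added, 0 removed" from update-ca-certificates only says nothing changed.

cert_fp() {
    # SHA-256 fingerprint of the first certificate in PEM file $1.
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

fp_in_bundle() {
    # Succeed if fingerprint $1 belongs to some certificate in bundle $2.
    n=$(grep -c 'BEGIN CERTIFICATE' "$2" || true); i=1
    while [ "$i" -le "$n" ]; do
        fp=$(awk -v i="$i" '/BEGIN CERTIFICATE/{c++} c==i' "$2" |
             openssl x509 -noout -fingerprint -sha256 | cut -d= -f2)
        [ "$fp" = "$1" ] && return 0
        i=$((i + 1))
    done
    return 1
}

# check_ca SOURCE LINK BUNDLE
#   SOURCE: the CA as issued      (UCS: /etc/univention/ssl/ucsCA/CAcert.pem)
#   LINK:   its trust-store entry (UCS: /etc/ssl/certs/ucsCA.pem)
#   BUNDLE: the concatenated store (/etc/ssl/certs/ca-certificates.crt)
# Prints one ok/FAIL line per test and returns 0 only if every test passes.
check_ca() {
    src=$1; link=$2; bundle=$3; rc=0
    if [ "$(readlink -f "$link")" = "$(readlink -f "$src")" ]; then
        echo "ok   $link resolves to $src"
    else echo "FAIL $link does not resolve to $src"; rc=1; fi
    if [ "$(cert_fp "$link")" = "$(cert_fp "$src")" ]; then
        echo "ok   fingerprint $(cert_fp "$src")"
    else echo "FAIL fingerprints differ between $link and $src"; rc=1; fi
    if openssl x509 -in "$src" -noout -text | grep -q 'CA:TRUE'; then
        echo "ok   basicConstraints CA:TRUE"
    else echo "FAIL not marked as a CA"; rc=1; fi
    if openssl x509 -in "$src" -noout -checkend 2592000 >/dev/null; then
        echo "ok   valid for at least 30 more days"
    else echo "FAIL expired or expires within 30 days"; rc=1; fi
    if fp_in_bundle "$(cert_fp "$src")" "$bundle"; then
        echo "ok   present in $bundle"
    else echo "FAIL missing from $bundle (run update-ca-certificates)"; rc=1; fi
    return $rc
}
```

Run `check_ca /etc/univention/ssl/ucsCA/CAcert.pem /etc/ssl/certs/ucsCA.pem /etc/ssl/certs/ca-certificates.crt` on the DC Master and the DC Backup; the fingerprint lines must be identical on both, and stunnel and the SAML IdP can only trust the domain CA if the last line is "ok".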