Certificate has expired

dark957 · May 31, 2022, 4:53pm

Hello Supporter,
hopefully someone can help me with this failure which happened since yesterday. If I want to login in the web base setting I get the followed message:

“Interner Server-Fehler: Der Dienst ist momentan nicht erreichbar!
Konnte nicht zum LDAP-Dienst verbinden.
Fehlermeldung: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (certificate has expired)”

Is there an easy way how I can renew this certificate. Keep in mind that sending and recieving of mail isnt also possible

thx for some help!

Rudi · May 31, 2022, 6:56pm

Hello!

I just had that same exact issue. The solution I used was to launch a browser (in my case, Microsoft Edge) which is insecure/ignores Certificate validation and then update your certificate via the Management console.

Also, if you use the Univention LetsEncrypt app, you can update your other servers’ certificates from a single host if it has a valid cert.

dark957 · May 31, 2022, 7:31pm

Hello Rudi,
thx for your feedback! I think we havent realy the same topic because I cant enter if I ignor this meassage by press ok. I cant enter to management consol. this toipc came up because I count recive and send mails. therfore I want to log in the managment consol. The server certivicate needs to be updated but how?! This is the meassage which i get. Hopefully you can give me more details how you fixed this:

ulf.kosack · June 1, 2022, 4:05am

Renew your certificates How-to: Extend the end date of the UCS CA root certificate

jlk · June 1, 2022, 6:04am

Renewing the certificates is the right thing to do, but you linked the How-To on extending the CA certificate.
The right article is this one: Renewing the complete SSL certificate chain

Best regards
Jan-Luca

dark957 · June 1, 2022, 6:18am

Thx a lot for the workaround! I create based on a new privat certificat and that works but now I stick to get “DC Slave Hosts”. With which comand can shown this information? I dont know, sorry.

chgrp “DC Slave Hosts” CAcert.pem

ulf.kosack · June 1, 2022, 6:40am

Ooops. To early in the morning. Thanks

Rudi · June 3, 2022, 12:56pm

I couldn’t either, unless I used a less-secure browser like Microsoft Edge which allowed me to ignore the expired certificate. I’m not sure which browser you’re using in your screenshots, however I explained in my first post why Edge was my solution

dark957 · July 28, 2022, 12:26pm

Thanks for the feedbacks regarding the renewing of the certificate. Sorry but I wasn’t successful with the instruction! But I fund a easy way to renew the certificate by webapp surface as followed:

1.) Starting of web surface of server and login in module “System und Domäneionstellungen”
2.) Go to “System” in the sub menu is shown “Zertifikats Einstellungen”
3.)

4.) Change under the general setting the ID (only one letter of number change is enough) and store this with “Änderungen übenehmen”. Now the server will create a new certificate which be applicable directly.
5.)

6.) Please keep in mind that this is only possible if the “old” 5 years valid certificate isn’t over the expired date.
Hope this helps somebody!

pixel · September 28, 2022, 10:38am

I have exactly the same message on a UCS 4:

I have the certificates as described here:

renewed (On the master) and restarted the server. The message still appears when trying to log in on the master. What have I forgotten?

jlk · September 28, 2022, 10:45am

Hey,

as written above this article is not sufficient to renew the whole chain:

Best regards
Jan-Luca

pixel · September 29, 2022, 10:23am

Crap, I have overlooked. Thanks, I will try.

pixel · October 15, 2022, 10:03am

I have recreated the CA as described in the link. What I noticed is that on this system (UCS 4) there is no folder for ucs-sso.[domain] in the path /etc/univention/ssl.

On a UCS5 there is this directory. Is this relevant?

pixel · October 15, 2022, 10:27am

Accordingly, in the further execution of the instruction fails:

SAML SSO

eval "$(ucr shell domainname)"
install -o root -g samlcgi -m 0644 /etc/univention/ssl/"ucs-sso.${domainname}"/cert.pem /etc/simplesamlphp/"ucs-sso.${domainname}-idp-certificate.crt"
install -o root -g samlcgi -m 0640 /etc/univention/ssl/"ucs-sso.${domainname}"/private.key /etc/simplesamlphp/"ucs-sso.${domainname}-idp-certificate.key"
service univention-saml restart

with the error:

root@tux:/etc/univention/ssl# eval "$(ucr shell domainname)"
root@tux:/etc/univention/ssl# install -o root -g samlcgi -m 0644 /etc/univention/ssl/"ucs-sso.${domainname}"/cert.pem /etc/simplesamlphp/"ucs-sso.${domainname}-idp-certificate.crt"
install: der Aufruf von stat für '/etc/univention/ssl/ucs-sso.dawa.lan/cert.pem' ist nicht möglich: Datei oder Verzeichnis nicht gefunden

externa1 · October 15, 2022, 6:24pm

In the past i followed this guide on ucs4 and it worked for me every time Renewing the SSL certificates

rg
Christian