Certificate has expired

Hello Supporter,
hopefully someone can help me with this failure which happened since yesterday. If I want to login in the web base setting I get the followed message:

“Interner Server-Fehler: Der Dienst ist momentan nicht erreichbar!
Konnte nicht zum LDAP-Dienst verbinden.
Fehlermeldung: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (certificate has expired)”

Is there an easy way how I can renew this certificate. Keep in mind that sending and recieving of mail isnt also possible :frowning:

thx for some help!


I just had that same exact issue. The solution I used was to launch a browser (in my case, Microsoft Edge) which is insecure/ignores Certificate validation and then update your certificate via the Management console.

Also, if you use the Univention LetsEncrypt app, you can update your other servers’ certificates from a single host if it has a valid cert.

Hello Rudi,
thx for your feedback! I think we havent realy the same topic because I cant enter if I ignor this meassage by press ok. I cant enter to management consol. this toipc came up because I count recive and send mails. therfore I want to log in the managment consol. The server certivicate needs to be updated but how?! This is the meassage which i get. Hopefully you can give me more details how you fixed this:

Renew your certificates How-to: Extend the end date of the UCS CA root certificate

Renewing the certificates is the right thing to do, but you linked the How-To on extending the CA certificate. :wink:
The right article is this one: Renewing the complete SSL certificate chain

Best regards

Thx a lot for the workaround! I create based on a new privat certificat and that works but now I stick to get “DC Slave Hosts”. With which comand can shown this information? I dont know, sorry.

chgrp “DC Slave Hosts” CAcert.pem

Ooops. To early in the morning. Thanks

I couldn’t either, unless I used a less-secure browser like Microsoft Edge which allowed me to ignore the expired certificate. I’m not sure which browser you’re using in your screenshots, however I explained in my first post why Edge was my solution :slight_smile:

Thanks for the feedbacks regarding the renewing of the certificate. Sorry but I wasn’t successful with the instruction! But I fund a easy way to renew the certificate by webapp surface as followed:

1.) Starting of web surface of server and login in module “System und Domäneionstellungen”
2.) Go to “System” in the sub menu is shown “Zertifikats Einstellungen”
3.) image

4.) Change under the general setting the ID (only one letter of number change is enough) and store this with “Änderungen übenehmen”. Now the server will create a new certificate which be applicable directly.
5.) image

6.) Please keep in mind that this is only possible if the “old” 5 years valid certificate isn’t over the expired date.
Hope this helps somebody!

I have exactly the same message on a UCS 4:


I have the certificates as described here:

renewed (On the master) and restarted the server. The message still appears when trying to log in on the master. What have I forgotten?


as written above this article is not sufficient to renew the whole chain:

Best regards

Crap, I have overlooked. Thanks, I will try.

1 Like

I have recreated the CA as described in the link. What I noticed is that on this system (UCS 4) there is no folder for ucs-sso.[domain] in the path /etc/univention/ssl.

On a UCS5 there is this directory. Is this relevant?

Accordingly, in the further execution of the instruction fails:


eval "$(ucr shell domainname)"
install -o root -g samlcgi -m 0644 /etc/univention/ssl/"ucs-sso.${domainname}"/cert.pem /etc/simplesamlphp/"ucs-sso.${domainname}-idp-certificate.crt"
install -o root -g samlcgi -m 0640 /etc/univention/ssl/"ucs-sso.${domainname}"/private.key /etc/simplesamlphp/"ucs-sso.${domainname}-idp-certificate.key"
service univention-saml restart

with the error:

root@tux:/etc/univention/ssl# eval "$(ucr shell domainname)"
root@tux:/etc/univention/ssl# install -o root -g samlcgi -m 0644 /etc/univention/ssl/"ucs-sso.${domainname}"/cert.pem /etc/simplesamlphp/"ucs-sso.${domainname}-idp-certificate.crt"
install: der Aufruf von stat für '/etc/univention/ssl/ucs-sso.dawa.lan/cert.pem' ist nicht möglich: Datei oder Verzeichnis nicht gefunden

In the past i followed this guide on ucs4 and it worked for me every time Renewing the SSL certificates