"Critical: SAML certificate verification failed" after Update to 5.0-2 errata467

Hello,
Before updating to 5.0-2 errata467 (from 460) I checked both the system diagnosis and the running service; all worked fine. After updating I get a system diagnosis error “Critical: SAML certificate verification failed” and “Certificate https://<My_IP>/simplesamlphp/saml2/idp/certificate could not be loaded: Unable to load certificate”. The description says “Run the Join script”, with the buttons “test again” and “run the join script again”.
I did both, ran the join script again, rebooted, and ran the rejoin script in bash.
When I look into /var/log/univention/check_join_status.log, everything looks like it is working (“Success” resp. “successfully joined”). We did not observe any malfunction after the update, but that critical system diagnosis message worries me.
What can I do to correct it?
Thank you.


Same here…
“Join-Skript 92univention-management-console-web-server” fails with exitcode 1

logfile report:

univention-run-join-scripts started
Sa 22. Okt 10:57:27 CEST 2022

univention-join-hooks: looking for hook type “join/pre-joinscripts” on mailserver.donop.info
Found hooks:

RUNNING 92univention-management-console-web-server.inst
2022-10-22 10:57:30.864399186+02:00 (in joinscript_init)
W: The config registry variable ‘ucs/web/overview/entries/admin/umc/icon’ does not exist
W: The config registry variable ‘ucs/web/overview/entries/admin/umc/link’ does not exist
W: The config registry variable ‘ucs/web/overview/entries/admin/umc/link/de’ does not exist
W: The config registry variable ‘ucs/web/overview/entries/admin/umc/priority’ does not exist
W: The config registry variable ‘ucs/web/overview/entries/admin/umc/label’ does not exist
W: The config registry variable ‘ucs/web/overview/entries/admin/umc/label/de’ does not exist
W: The config registry variable ‘ucs/web/overview/entries/admin/umc/description’ does not exist
W: The config registry variable ‘ucs/web/overview/entries/admin/umc/description/de’ does not exist
LDAP Error: No such object
92univention-management-console-web-server.inst:
EXITCODE=1
397cbbe5-09ca-4fa3-a94e-026b3e865500
univention-join-hooks: looking for hook type “join/post-joinscripts” on mailserver.donop.info
Found hooks:

Sa 22. Okt 10:57:37 CEST 2022
univention-run-join-scripts finished

Any idea? The system works OK, but I cannot access the portal start page.

Me too.

I can't access the portal page, nor the subdomain of my cloud. That is the worst case.

tvdonop, I checked /var/log/univention/join.log.
It looks similar:

univention-run-join-scripts started
Fr 21. Okt 10:40:55 CEST 2022

univention-join-hooks: looking for hook type “join/pre-joinscripts” on
Found hooks:

RUNNING 92univention-management-console-web-server.inst
2022-10-21 10:40:57.140937058+02:00 (in joinscript_init)
W: The config registry variable ‘ucs/web/overview/entries/admin/umc/icon’ does not exist
W: The config registry variable ‘ucs/web/overview/entries/admin/umc/link’ does not exist
W: The config registry variable ‘ucs/web/overview/entries/admin/umc/link/de’ does not exist
W: The config registry variable ‘ucs/web/overview/entries/admin/umc/priority’ does not exist
W: The config registry variable ‘ucs/web/overview/entries/admin/umc/label’ does not exist
W: The config registry variable ‘ucs/web/overview/entries/admin/umc/label/de’ does not exist
W: The config registry variable ‘ucs/web/overview/entries/admin/umc/description’ does not exist
W: The config registry variable ‘ucs/web/overview/entries/admin/umc/description/de’ does not exist
Object exists: SAMLServiceProviderIdentifier=https:///univention/saml/metadata,cn=saml-serviceprovider,cn=univention,dc=,dc=,dc=
No modification: SAMLServiceProviderIdentifier=https:///univention/saml/metadata,cn=saml-serviceprovider,cn=univention,dc=,dc=,dc=
Not updating ucs/server/sso/fqdn
Reloading apache2 configuration (via systemctl): apache2.service.
rm: das Entfernen von ‘/usr/share/univention-management-console/saml/idp/*.xml’ ist nicht möglich: Datei oder Verzeichnis nicht gefunden

% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed

curl: (22) The requested URL returned error: 404 Not Found

Multifile: /etc/pam.d/univention-management-console
File: /etc/ldap/sasl2/slapd.conf
Create umc/saml/idp-server
Module: setup_saml_sp
Try to download idp metadata (1/60)
(…)
Try to download idp metadata (60/60)
Could not download IDP metadata for hppps://ucs-sso./simplesamlphp/saml2/idp/metadata.php
Unsetting umc/saml/idp-server
Module: setup_saml_sp
umc/saml/idp-server not set, nothing to do
EXITCODE=3
0e8d0e21-6eca-4b9e-a454-e008300b05a2
univention-join-hooks: looking for hook type “join/post-joinscripts” on
Found hooks:

Fr 21. Okt 10:42:10 CEST 2022
univention-run-join-scripts finished

Updating to 5.0-2 errata476 does not change the situation. Everything seems to work, but the critical message of the system diagnosis persists on both servers.

Hello!
Just updated 5.0.2 errata 454 to 476 and have the same situation. Everything seems to be working; only this message disturbs me. Rerunning the join script does not change it.

Regards
KaBi

FYI: Next update (5.0.2 errata 479), next failure.

And again: Next update (5.0.2 errata 491), same failure.

Check the DNS variable “ucs-sso” under the domain server, so that you can ping it.

as in ucs-sso.

Thank you.

Check the DNS variable “ucs-sso” under the domain server, so that you can ping it.

I can ping that address.
But unfortunately it does not work anyway.
The next update (to 5.0.2 errata 498) does not change the behavior (all seems to work correctly but critical system diagnosis message remains).

The only time I saw this was when my DNS value was broken, and I got exactly the same type of data as you are seeing.

So you know the IP address is up…

Is the port open?

If you open that address in a web browser, as in:

https:///simplesamlphp/saml2/idp/certificate

it will allow you to download a “.rar” file; no authentication is needed.

So rather than trying to debug it from inside Univention, you can do it using a web browser or curl.
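The same check, written out as a small script (an added example for this thread, not code from Univention or from any poster): it first validates the `ucs/server/sso/fqdn` value, because the join log above shows the metadata URL being built with an empty domain part (`ucs-sso./simplesamlphp/...`), then resolves the name, fetches the certificate URL over HTTPS and confirms that what came back actually parses as an X.509 certificate, which is the step the diagnosis reports as “Unable to load certificate”. It assumes `ucr`, `dig`, `curl` and `openssl` are installed on the UCS host; the function and file names are ours.

```shell
#!/bin/sh
# Added example (not from the thread and not Univention code): check the pieces
# the "SAML certificate verification failed" diagnosis depends on, step by step.
# Assumptions: 'ucr' (univention-config-registry), dig, curl and openssl exist
# on the UCS host; ucs/server/sso/fqdn and the two URL paths below are the UCR
# variable and paths that appear in the join log of this thread.

# The join log shows the metadata URL built from an empty domain part
# ("ucs-sso./simplesamlphp/..."), i.e. ucs/server/sso/fqdn was not a usable
# host name. Returns 0 for a plausible FQDN and 1 otherwise, so the network
# steps are skipped when the UCR value itself is the problem.
sso_fqdn_looks_valid() {
    case "$1" in
        "")        return 1 ;;   # unset or empty
        *.)        return 1 ;;   # trailing dot: "ucs-sso." with no domain
        *" "*|*/*) return 1 ;;   # whitespace or a path is not a host name
        *.*)       return 0 ;;   # host plus at least one domain label
        *)         return 1 ;;   # bare "ucs-sso" without a domain
    esac
}

# The two URLs fetched during join / diagnosis, for a given SSO FQDN.
sso_certificate_url() { printf 'https://%s/simplesamlphp/saml2/idp/certificate' "$1"; }
sso_metadata_url()    { printf 'https://%s/simplesamlphp/saml2/idp/metadata.php' "$1"; }

# Does a downloaded file parse as an X.509 certificate (PEM or DER)?
# The diagnosis says "Unable to load certificate" when it does not, which is
# what happens when the server answers with an HTML error page instead
# (the join log above shows a 404).
file_is_x509() {
    openssl x509 -noout -in "$1" >/dev/null 2>&1 \
        || openssl x509 -noout -inform DER -in "$1" >/dev/null 2>&1
}

check_sso_endpoint() {
    fqdn="$(ucr get ucs/server/sso/fqdn)"
    if ! sso_fqdn_looks_valid "$fqdn"; then
        echo "ucs/server/sso/fqdn is '$fqdn': fix this UCR value before anything else"
        return 1
    fi

    echo "1) DNS for $fqdn"
    addr="$(dig +short "$fqdn" | head -n 1)"
    [ -n "$addr" ] || { echo "   no address record; repair the ucs-sso DNS entry"; return 1; }
    echo "   -> $addr"

    echo "2) HTTPS fetch of the IdP certificate"
    tmp="$(mktemp)"
    code="$(curl -sS --connect-timeout 5 -o "$tmp" -w '%{http_code}' \
                 "$(sso_certificate_url "$fqdn")")"
    echo "   HTTP status $code"
    if [ "$code" = 000 ]; then
        echo "   no HTTPS connection: port 443 closed, firewall, or TLS failure"
        rm -f "$tmp"; return 1
    elif [ "$code" != 200 ]; then
        echo "   host reachable but the SSO vhost did not return the certificate"
        rm -f "$tmp"; return 1
    fi

    echo "3) Does the download parse as a certificate?"
    if file_is_x509 "$tmp"; then
        openssl x509 -noout -subject -enddate -in "$tmp" 2>/dev/null \
            || openssl x509 -noout -subject -enddate -inform DER -in "$tmp"
        rm -f "$tmp"; return 0
    fi
    echo "   not a certificate; first bytes of the response:"
    head -c 200 "$tmp"; echo
    rm -f "$tmp"; return 1
}

# The live check only runs when asked for, e.g.:  sh sso-check.sh --run
[ "${1:-}" = "--run" ] && check_sso_endpoint
```

Each numbered step maps to one of the suggestions in the thread (DNS, open port, fetching the certificate without authentication); the first failing step tells you which layer to repair before rerunning the join script.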