"Critical: SAML certificate verification failed" after Update to 5.0-2 errata467

Hello,
Before updating to 5.0-2 errata467 (from 460) I checked both the system diagnosis and the running service, and all worked fine. After updating I get a system diagnosis error “Critical: SAML certificate verification failed” and “Certificate https://<My_IP>/simplesamlphp/saml2/idp/certificate could not be loaded: Unable to load certificate”, and as description “Run the Join script” with the buttons “test again” and “run the join script again”.
I did both, ran the join script again, rebooted, ran the rejoin script in bash.
When I look into /var/log/univention/check_join_status.log, everything looks like it is working (“Success” or “successfully joined”). We did not observe any malfunction after the update. But that critical system diagnosis message worries me.
What can I do to correct it?
Thank you.


Same here…
“Join-Skript 92univention-management-console-web-server” fails with exitcode 1

logfile report:

univention-run-join-scripts started
Sa 22. Okt 10:57:27 CEST 2022

univention-join-hooks: looking for hook type “join/pre-joinscripts” on mailserver.donop.info
Found hooks:

RUNNING 92univention-management-console-web-server.inst
2022-10-22 10:57:30.864399186+02:00 (in joinscript_init)
W: The config registry variable ‘ucs/web/overview/entries/admin/umc/icon’ does not exist
W: The config registry variable ‘ucs/web/overview/entries/admin/umc/link’ does not exist
W: The config registry variable ‘ucs/web/overview/entries/admin/umc/link/de’ does not exist
W: The config registry variable ‘ucs/web/overview/entries/admin/umc/priority’ does not exist
W: The config registry variable ‘ucs/web/overview/entries/admin/umc/label’ does not exist
W: The config registry variable ‘ucs/web/overview/entries/admin/umc/label/de’ does not exist
W: The config registry variable ‘ucs/web/overview/entries/admin/umc/description’ does not exist
W: The config registry variable ‘ucs/web/overview/entries/admin/umc/description/de’ does not exist
LDAP Error: No such object
92univention-management-console-web-server.inst:
EXITCODE=1
397cbbe5-09ca-4fa3-a94e-026b3e865500
univention-join-hooks: looking for hook type “join/post-joinscripts” on mailserver.donop.info
Found hooks:

Sa 22. Okt 10:57:37 CEST 2022
univention-run-join-scripts finished

Any idea? System works ok, but I cannot access the portal startpage

Me too.

I can't access the portal page nor the subdomain of my cloud. That is the worst case.

tvdonop, I checked /var/log/univention/join.log.
It looks similar:

univention-run-join-scripts started
Fr 21. Okt 10:40:55 CEST 2022

univention-join-hooks: looking for hook type “join/pre-joinscripts” on
Found hooks:

RUNNING 92univention-management-console-web-server.inst
2022-10-21 10:40:57.140937058+02:00 (in joinscript_init)
W: The config registry variable ‘ucs/web/overview/entries/admin/umc/icon’ does not exist
W: The config registry variable ‘ucs/web/overview/entries/admin/umc/link’ does not exist
W: The config registry variable ‘ucs/web/overview/entries/admin/umc/link/de’ does not exist
W: The config registry variable ‘ucs/web/overview/entries/admin/umc/priority’ does not exist
W: The config registry variable ‘ucs/web/overview/entries/admin/umc/label’ does not exist
W: The config registry variable ‘ucs/web/overview/entries/admin/umc/label/de’ does not exist
W: The config registry variable ‘ucs/web/overview/entries/admin/umc/description’ does not exist
W: The config registry variable ‘ucs/web/overview/entries/admin/umc/description/de’ does not exist
Object exists: SAMLServiceProviderIdentifier=https:///univention/saml/metadata,cn=saml-serviceprovider,cn=univention,dc=,dc=,dc=
No modification: SAMLServiceProviderIdentifier=https:///univention/saml/metadata,cn=saml-serviceprovider,cn=univention,dc=,dc=,dc=
Not updating ucs/server/sso/fqdn
Reloading apache2 configuration (via systemctl): apache2.service.
rm: das Entfernen von ‘/usr/share/univention-management-console/saml/idp/*.xml’ ist nicht möglich: Datei oder Verzeichnis nicht gefunden

% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed

curl: (22) The requested URL returned error: 404 Not Found

Multifile: /etc/pam.d/univention-management-console
File: /etc/ldap/sasl2/slapd.conf
Create umc/saml/idp-server
Module: setup_saml_sp
Try to download idp metadata (1/60)
(…)
Try to download idp metadata (60/60)
Could not download IDP metadata for hppps://ucs-sso./simplesamlphp/saml2/idp/metadata.php
Unsetting umc/saml/idp-server
Module: setup_saml_sp
umc/saml/idp-server not set, nothing to do
EXITCODE=3
0e8d0e21-6eca-4b9e-a454-e008300b05a2
univention-join-hooks: looking for hook type “join/post-joinscripts” on
Found hooks:

Fr 21. Okt 10:42:10 CEST 2022
univention-run-join-scripts finished

Updating to 5.0-2 errata476 does not change the situation. Everything seems to work, but the critical message of the system diagnosis persists on both servers.

Hello!
Just updated 5.0.2 454 to 476 and have the same situation. Everything seems to be working, only this message disturbs me. Trying to rerun the join script does not change it.

Regards
KaBi

FYI: Next update (5.0.2 errata 479), next failure.

And again: Next update (5.0.2 errata 491), same failure.

check the dns variable “ucs-sso” under the domain server, that you can ping it.

as in ucs-sso.

Thank you.

check the dns variable “ucs-sso” under the domain server, that you can ping it.

I can ping that address.
But unfortunately it does not work anyway.
The next update (to 5.0.2 errata 498) does not change the behavior (all seems to work correctly but critical system diagnosis message remains).

The only time I saw this was when my DNS value was broken,
and I got exactly the same type of data as you are seeing.

So you know the IP address is up…

Is the port open?

If you open that address in a web browser as in:

https:///simplesamlphp/saml2/idp/certificate

it will allow you to download a “.rar” file, no authentication is needed.

So rather than trying to debug it from inside Univention, you can do it using a web browser/curl.
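The checks suggested above (name resolution, port 443, fetching the certificate URL, and whether the downloaded file is actually a loadable certificate) as one script. This is an added example, not code from the thread or from Univention; it assumes the SSO FQDN is given as the first argument or readable via `ucr get ucs/server/sso/fqdn`, and `CA_BUNDLE` is an assumed, optional path to the CA that signed the IdP's HTTPS certificate.

```shell
#!/bin/sh
# Added example (not from the thread or Univention): reproduce the manual checks
# from this thread and report the first one that fails.
# Assumptions: SSO FQDN from $1 or `ucr get ucs/server/sso/fqdn`; CA_BUNDLE is an
# optional path to the CA that signed the IdP's HTTPS cert (else system store).

idp_cert_url() {
    # The same URL the system diagnosis says "could not be loaded".
    printf 'https://%s/simplesamlphp/saml2/idp/certificate\n' "$1"
}

explain_curl_exit() {
    # Map the curl exit codes seen in this thread (22, 60) plus DNS/TCP failures.
    case "$1" in
        0)  echo "ok" ;;
        6)  echo "dns: host name does not resolve" ;;
        7)  echo "tcp: nothing reachable on port 443" ;;
        22) echo "http: server returned an error (404 in this thread: IdP not installed)" ;;
        60) echo "tls: issuer not trusted; set CA_BUNDLE instead of using -k" ;;
        *)  echo "curl exit $1" ;;
    esac
}

pem_looks_valid() {
    # A 404 page or login form has no PEM markers; catches the wrong-content case.
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" && grep -q -- '-----END CERTIFICATE-----' "$1"
}

cert_loads() {
    # Strict check: can openssl actually parse the file as an X.509 certificate?
    openssl x509 -in "$1" -noout 2>/dev/null
}

check_idp_cert() {
    fqdn=$1; url=$(idp_cert_url "$fqdn"); tmp=$(mktemp) || return 1
    if [ -n "${CA_BUNDLE:-}" ]; then set -- --cacert "$CA_BUNDLE"; else set --; fi
    if curl -sS -f -o "$tmp" "$@" "$url"; then rc=0; else rc=$?; fi
    if [ "$rc" -ne 0 ]; then echo "FAIL fetch $url: $(explain_curl_exit "$rc")"; rm -f "$tmp"; return 1; fi
    if ! pem_looks_valid "$tmp"; then echo "FAIL $url did not return a PEM certificate"; rm -f "$tmp"; return 1; fi
    if ! cert_loads "$tmp"; then echo "FAIL openssl cannot parse the downloaded certificate"; rm -f "$tmp"; return 1; fi
    echo "OK $(openssl x509 -in "$tmp" -noout -subject -enddate)"
    rm -f "$tmp"
}

sso_fqdn=${1:-$(ucr get ucs/server/sso/fqdn 2>/dev/null)}
if [ -n "$sso_fqdn" ]; then check_idp_cert "$sso_fqdn"; fi
```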

Is the port open?

Yes (“telnet ucs-sso.my.domain.ext 443” is answering).

https:///simplesamlphp/saml2/idp/certificate

https://ucs-sso.my.domain.ext/simplesamlphp/saml2/idp/certificate leads to “404. The requested URL was not found on this server.” This occurs using the browser or curl as well.

And “same procedure as last update, … same procedure as every update …” after updating to 5.0.2 errata505.

The solution is easy :)

When upgrading to UCS 5, some SAML packages apparently are not installed automatically along with it. After installing them, the error in the system check is gone.


Glad you got it sorted.

I’m having this same issue.

telnet answers, https://ucs-sso.my.domain/simplesamlphp/saml2/idp/certificate
allows me to download a crt file. Doing curl on the same domain returns:

curl: (60) SSL certificate problem: self-signed certificate in certificate chain
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

I also checked that all the packages were installed per:

But I still see the Critical error on Primary and both Backup nodes:

SAML certificate verification failed!