Error checking SAML ucs-sso certificate

My UCS server (4.2-2) is a virtual guest and runs as an AD-DC. There is also another slave UCS AD-DC on the same host. The host runs Proxmox.

On running “diagnostics” within UMC I get the following error. Please help with solving the issue.

Check validity of SSL certificates

Found invalid certificate '/etc/simplesamlphp/ucs-sso...-idp-certificate.crt':
/etc/simplesamlphp/ucs-sso.
..-idp-certificate.crt: C = IN, ST = IN, L = IN, O = , OU = Univention Corporate Server, CN = ucs-sso..., emailAddress = ssl@..*
error 20 at 0 depth lookup:unable to get local issuer certificate

I did the following checks:

  1. I used the openssl “verify” and checked it against the CAcert on the DC (which happens to be the same machine). This produced the same error as above.

  2. I copied the ucs-sso-<>.crt to a windows machine and checked the rootCA name. The names were different. That is: The rootCA name shown in the CAcert file is different from the rootCA name displayed in the ucs-sso*.crt.

Should I re-generate the file? Also:

  1. How to do that?

  2. After above, how to ensure they are copied to all relevant locations?

Thanks,

Ramesh
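As an added example (not from this thread or from Univention), the two manual checks above reduced to two shell functions: `issuer_matches` compares the issuer of the IdP certificate with the subject of the CA certificate (the name comparison done on the Windows machine), and `check_idp_cert` runs `openssl verify` restricted to that CA. The certificate names, the temporary directory and the throwaway keys are constructed for the demo only.

```shell
#!/bin/sh
# Added example: reproduce the two manual checks with openssl.

# issuer_matches CERT CA_CERT -> 0 if CERT's issuer equals CA_CERT's subject.
# A mismatch here is exactly what "unable to get local issuer certificate"
# (verify error 20) means: the CA on disk is not the one that signed CERT.
issuer_matches() {
    i=$(openssl x509 -in "$1" -noout -issuer);  i=${i#issuer=}
    s=$(openssl x509 -in "$2" -noout -subject); s=${s#subject=}
    echo "cert issuer : $i"
    echo "CA subject  : $s"
    [ "$i" = "$s" ]
}

# check_idp_cert CERT CA_CERT -> 0 if CERT chains to CA_CERT, 1 otherwise.
check_idp_cert() {
    if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then
        echo "OK: $1 verifies against $2"; return 0
    fi
    echo "FAIL: $1 does not verify against $2 (compare issuer and CA subject)"
    return 1
}

# Constructed demo material (hypothetical names, throwaway keys in a temp dir
# that is left in place for inspection): the CA that signed the IdP cert and
# a second, unrelated CA standing in for a CA that was regenerated later.
demo_dir=$(mktemp -d)
make_ca() {  # make_ca NAME -> NAME.key NAME.crt
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/O=Univention Corporate Server/CN=$1 Root CA" \
        -keyout "$demo_dir/$1.key" -out "$demo_dir/$1.crt" 2>/dev/null
}
make_ca good-ca
make_ca other-ca
# IdP certificate signed by good-ca (CN is a placeholder, not a real host)
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=ucs-sso.example.test" \
    -keyout "$demo_dir/idp.key" -out "$demo_dir/idp.csr" 2>/dev/null
openssl x509 -req -in "$demo_dir/idp.csr" -CA "$demo_dir/good-ca.crt" \
    -CAkey "$demo_dir/good-ca.key" -CAcreateserial -days 1 \
    -out "$demo_dir/idp.crt" 2>/dev/null

issuer_matches "$demo_dir/idp.crt" "$demo_dir/good-ca.crt"  || true  # match
check_idp_cert "$demo_dir/idp.crt" "$demo_dir/good-ca.crt"  || true  # OK
issuer_matches "$demo_dir/idp.crt" "$demo_dir/other-ca.crt" || true  # differ
check_idp_cert "$demo_dir/idp.crt" "$demo_dir/other-ca.crt" || true  # FAIL
```

On a UCS system the same two functions can be pointed at the real files (the IdP certificate under /etc/simplesamlphp/ and the UCS root CA certificate) to see whether the names differ before regenerating anything.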

I managed to solve this issue by following this link:
http://univention6.rssing.com/chan-57977775/latest.php under the title "SAML SSO"

For some reason the certificate and key file inside “/etc/simplesamlphp/” did NOT verify against the rootCA.

After copying the files as mentioned in the link, the problem stopped. NOTE: I did not use the instructions under “RENEWAL …” as my certificates have not expired.

For the record: that rssing.com site seems to be a scam site re-using content from other sites (in this case: from sdb.univention.de) trying to sell their own ads. Please don’t post links to such sites. Instead, link to the original content provided by Univention.

Recently Univention has moved content from the old support database site (sdb.univention.de) to this help forum. You can find all support database entries via this link. The original “SSL certificate renewal” article is this one.

My apologies!
Just pasted a link after a google search. Did not even check the source. Had no idea this would cause an issue.

Ramesh