Help Needed with UCS – Login Fails Due to LDAP SSL Certificate Error

Hi everyone,

I’m currently experiencing an issue with our UCS. After logging into the web interface, the following traceback error appears, and the login fails:

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/univention/management/console/ldap.py", line 188, in getter
    raise KeyError()
KeyError

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/univention/uldap.py", line 220, in _decorated
    return func(self, *args, **kwargs)
  File "/usr/lib/python3/dist-packages/univention/uldap.py", line 416, in __starttls
    self.lo.start_tls_s()
  File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 1220, in start_tls_s
    res = self._apply_method_s(SimpleLDAPObject.start_tls_s,*args,**kwargs)
  File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 1197, in _apply_method_s
    return func(self,*args,**kwargs)
  File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 864, in start_tls_s
    return self._ldap_call(self._l.start_tls_s)
  File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 329, in _ldap_call
    reraise(exc_type, exc_value, exc_traceback)
  File "/usr/lib/python3/dist-packages/ldap/compat.py", line 44, in reraise
    raise exc_value
  File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 313, in _ldap_call
    result = func(*args,**kwargs)
ldap.CONNECT_ERROR: {'desc': 'Connect error', 'info': 'error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (certificate has expired)'}

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/tornado/web.py", line 1595, in _execute
    result = yield result
  File "/usr/lib/python3/dist-packages/tornado/gen.py", line 1133, in run
    value = future.result()
  File "/usr/lib/python3/dist-packages/univention/management/console/resources.py", line 501, in post
    result = await session.authenticate(self.request.body_arguments)
  File "/usr/lib/python3/dist-packages/univention/management/console/session.py", line 151, in authenticate
    self.set_credentials(**result.credentials)
  File "/usr/lib/python3/dist-packages/univention/management/console/session.py", line 175, in set_credentials
    self._search_user_dn()
  File "/usr/lib/python3/dist-packages/univention/management/console/session.py", line 186, in _search_user_dn
    lo = get_machine_connection(write=False)[0]
  File "/usr/lib/python3/dist-packages/univention/management/console/ldap.py", line 144, in get_machine_connection
    return connection()
  File "/usr/lib/python3/dist-packages/univention/management/console/ldap.py", line 200, in _decorated
    kwargs[loarg], kwargs[poarg] = lo, po = getter()
  File "/usr/lib/python3/dist-packages/univention/management/console/ldap.py", line 190, in getter
    conn = connection()
  File "/usr/lib/python3/dist-packages/univention/management/console/ldap.py", line 101, in connection
    return _getMachineConnection(**kwargs)
  File "/usr/lib/python3/dist-packages/univention/admin/uldap.py", line 176, in getMachineConnection
    lo = univention.uldap.getMachineConnection(start_tls, decode_ignorelist=decode_ignorelist, ldap_master=ldap_master)
  File "/usr/lib/python3/dist-packages/univention/uldap.py", line 204, in getMachineConnection
    return access(host=server, port=port, base=ucr['ldap/base'], binddn=ucr['ldap/hostdn'], bindpw=bindpw, start_tls=start_tls, decode_ignorelist=decode_ignorelist, reconnect=reconnect)
  File "/usr/lib/python3/dist-packages/univention/uldap.py", line 303, in __init__
    self.__open(ca_certfile)
  File "/usr/lib/python3/dist-packages/univention/uldap.py", line 402, in __open
    self.__starttls()
  File "/usr/lib/python3/dist-packages/univention/uldap.py", line 228, in _decorated
    return func(self, *args, **kwargs)
  File "/usr/lib/python3/dist-packages/univention/uldap.py", line 416, in __starttls
    self.lo.start_tls_s()
  File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 1220, in start_tls_s
    res = self._apply_method_s(SimpleLDAPObject.start_tls_s,*args,**kwargs)
  File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 1197, in _apply_method_s
    return func(self,*args,**kwargs)
  File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 864, in start_tls_s
    return self._ldap_call(self._l.start_tls_s)
  File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 329, in _ldap_call
    reraise(exc_type, exc_value, exc_traceback)
  File "/usr/lib/python3/dist-packages/ldap/compat.py", line 44, in reraise
    raise exc_value
  File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 313, in _ldap_call
    result = func(*args,**kwargs)
ldap.CONNECT_ERROR: {'desc': 'Connect error', 'info': 'error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (certificate has expired)'}

I tried renewing the certificate, but the error persists.

Has anyone else experienced this? Is there a recommended way to update or renew the certificate in UCS to fix this?

Any help would be greatly appreciated.

Thanks in advance!
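The OpenSSL text inside the `ldap.CONNECT_ERROR` above (`certificate verify failed (certificate has expired)`) is raised on the client side during STARTTLS: the LDAP client compared the server's certificate chain against the current clock and found a certificate past its `notAfter` date. The expired certificate can be the host certificate the LDAP server presents or the CA certificate the client trusts, and after a renewal the error also persists when the old file is still the one being read. The script below is an added diagnostic, not code from the forum thread or from Univention: it parses a PEM or DER certificate with only the Python standard library (a small DER walker, no third-party module) and reports the validity window, so an administrator can check each file involved and confirm that a renewed certificate is actually in place. The file paths are for the operator to supply on the command line; the embedded sample certificate is constructed inside the script purely so it runs offline.

```python
"""Report the notBefore/notAfter window of an X.509 certificate (PEM or DER)
using only the standard library. Added diagnostic for the
'certificate verify failed (certificate has expired)' STARTTLS error."""
import base64
import re
import sys
from datetime import datetime, timezone


def _read_tlv(buf, pos):
    """Parse one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low bits give the number of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Yield (tag, value) for every TLV packed inside a constructed DER value."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = _read_tlv(value, pos)
        yield tag, inner


def _parse_time(tag, value):
    """Decode an X.509 Time: UTCTime (YYMMDDHHMMSSZ) or GeneralizedTime (YYYYMMDDHHMMSSZ).
    Note: strptime's %y pivot (69) differs from RFC 5280's (50) only for 1950-1968."""
    fmt = {0x17: "%y%m%d%H%M%SZ", 0x18: "%Y%m%d%H%M%SZ"}.get(tag)
    if fmt is None:
        raise ValueError("unexpected time tag 0x%02x" % tag)
    return datetime.strptime(value.decode("ascii"), fmt).replace(tzinfo=timezone.utc)


def load_certificate(data):
    """Accept PEM or raw DER bytes and return the DER encoding."""
    if data.lstrip().startswith(b"-----BEGIN"):
        body = re.search(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                         data, re.S).group(1)
        return base64.b64decode(b"".join(body.split()))
    return data


def certificate_validity(der):
    """Return (notBefore, notAfter) as aware datetimes from a DER X.509 certificate."""
    tag, cert, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, tbs = next(_children(cert))           # tbsCertificate is the first element
    fields = list(_children(tbs))
    if fields[0][0] == 0xA0:                 # optional explicit [0] version
        fields = fields[1:]
    # remaining order: serialNumber, signature, issuer, validity, subject, ...
    not_before, not_after = _children(fields[3][1])
    return _parse_time(*not_before), _parse_time(*not_after)


def validity_status(der, now=None):
    """Return 'expired', 'not yet valid' or 'valid' for the certificate at time `now`."""
    now = now or datetime.now(timezone.utc)
    not_before, not_after = certificate_validity(der)
    if now > not_after:
        return "expired"
    if now < not_before:
        return "not yet valid"
    return "valid"


def _tlv(tag, payload):
    """DER-encode one TLV (used only to build the constructed sample below)."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def build_sample_certificate(not_before, not_after):
    """Constructed sample: a structurally valid certificate skeleton with an
    unsigned placeholder signature. It is test data, not a real UCS certificate."""
    name = _tlv(0x30, _tlv(0x31, _tlv(0x30, _tlv(0x06, b"\x55\x04\x03")      # CN=
                                            + _tlv(0x0C, b"sample-ca"))))
    sig_alg = _tlv(0x30, _tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")  # sha256WithRSA
                   + _tlv(0x05, b""))
    validity = _tlv(0x30, _tlv(0x17, not_before.encode()) + _tlv(0x17, not_after.encode()))
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01")
               + sig_alg + name + validity + name)
    return _tlv(0x30, tbs + sig_alg + _tlv(0x03, b"\x00"))


if __name__ == "__main__":
    # Usage: python3 check_cert_dates.py /path/to/host-cert.pem /path/to/ca-cert.pem
    # (paths are placeholders; supply the files your LDAP client and server use)
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            der = load_certificate(fh.read())
        nb, na = certificate_validity(der)
        print(f"{path}: notBefore={nb:%Y-%m-%d} notAfter={na:%Y-%m-%d} -> {validity_status(der)}")
```

Run it against both the server's host certificate and the CA certificate the client verifies with; if a file still reports `expired` after a renewal, the renewed certificate was written somewhere other than the file the LDAP client actually reads.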