How to FIX Certificate

Dear friends.

Currently I have UCS in production mode and when trying to install RocketChat to perform performance and integration tests, it shows this SSL error, could you help me solve this problem?

Thank you all.

Caros Amigos.

Atualmente encontro com UCS em modo produção e ao tentar instalar RocketChat para realizar testes de performance e integração o mesmo apresenta este erro de SSL, poderiam me ajudar a resolver este problema?

Grato a todos.

This is Bug#51889. From that message

There is a problem with the certificate of the App Center server ([SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1056)

alone that is hard to diagnose.

Using SSL Labs I found no issues on our side. Bug#53909 only affects certificates by Let’s encrypt.

Can you please check that …

  1. the package ca-certificates is installed: dpkg -l ca-certificates
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name            Version          Architecture Description
ii  ca-certificates 20200601~deb10u2 all          Common CA certificates
  1. the CA is there: ls -l /etc/ssl/certs/DigiCert_Global_Root_G2.pem
lrwxrwxrwx 1 root root 62 Jun 15  2021 /etc/ssl/certs/DigiCert_Global_Root_G2.pem -> /usr/share/ca-certificates/mozilla/DigiCert_Global_Root_G2.crt
  1. https:// works as expected: curl --cacert /etc/ssl/certs/DigiCert_Global_Root_G2.pem
<title>301 Moved Permanently</title>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="">here</a>.</p>
<address>Apache/2.4.53 (Debian) Server at Port 443</address>
  1. there are no error messages in /var/log/univention/management-console-module-appcenter.log beside the one you posted.

Our server is currently using a certificate from the intermediate Thawte TLS RSA CA G1, where all EV certificates were retired by DigiCert July 2020. Our current certificate is not extended verified and thus should not be affected. There sill exists a trusted path from the trusted root CA certificate DigiCert Global Root G2 included with the Debian package ca-certificates over the intermediate CA Thawte TLS RSA CA G1 to the certificate * presented by our server to your system.

  1. Connect to our server to get all 3 certificates as all.pem:
openssl s_client -connect -showcerts </dev/null >./all.pem
  1. split the certificates into individual files certX.pem:
csplit -f cert -b %d.pem ./all.pem '/END CERTIFICATE/+1' '{*}'
  1. Verify the chain:
openssl verify -show_chain -trusted ./cert2.pem -untrusted ./cert1.pem ./cert0.pem
  1. Get revoked certificates, convert from DER to PEM, and also verify them:
openssl crl -inform DER -in DigiCertGlobalRootG2.crl -outform PEM -out crl2.pem
openssl crl -inform DER -in ThawteTLSRSACAG1.crl -outform PEM -out crl1.pem
cat ./crl1.pem ./crl2.pem >./crl.pem
openssl verify -show_chain -CRLfile ./crl.pem -crl_check_all -trusted ./cert2.pem -untrusted ./cert1.pem ./cert0.pem