This is Bug#51889. From that message
There is a problem with the certificate of the App Center server https://appcenter.software-univention.de. ([SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1056)
alone that is hard to diagnose.
Using SSL Labs I found no issues on our side. Bug#53909 only affects certificates by Let’s Encrypt.
Can you please check that …
- the package ca-certificates is installed:
dpkg -l ca-certificates
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-===============-================-============-=================================
ii ca-certificates 20200601~deb10u2 all Common CA certificates
- the CA is there:
ls -l /etc/ssl/certs/DigiCert_Global_Root_G2.pem
lrwxrwxrwx 1 root root 62 Jun 15 2021 /etc/ssl/certs/DigiCert_Global_Root_G2.pem -> /usr/share/ca-certificates/mozilla/DigiCert_Global_Root_G2.crt
- https:// works as expected:
curl --cacert /etc/ssl/certs/DigiCert_Global_Root_G2.pem https://appcenter.software-univention.de/
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="https://www.univention.de/">here</a>.</p>
<hr>
<address>Apache/2.4.53 (Debian) Server at appcenter.software-univention.de Port 443</address>
</body></html>
- there are no error messages in /var/log/univention/management-console-module-appcenter.log beside the one you posted.
Our server is currently using a certificate from the intermediate Thawte TLS RSA CA G1, where all EV certificates were retired by DigiCert July 2020. Our current certificate is not extended verified and thus should not be affected. There still exists a trusted path from the trusted root CA certificate DigiCert Global Root G2 included with the Debian package ca-certificates over the intermediate CA Thawte TLS RSA CA G1 to the certificate *.software-univention.de presented by our server to your system.
- Connect to our server to get all 3 certificates as all.pem:
openssl s_client -connect appcenter.software-univention.de:443 -showcerts </dev/null >./all.pem
- split the certificates into individual files certX.pem:
csplit -f cert -b %d.pem ./all.pem '/END CERTIFICATE/+1' '{*}'
- Verify the chain:
openssl verify -show_chain -trusted ./cert2.pem -untrusted ./cert1.pem ./cert0.pem
- Get revoked certificates, convert from DER to PEM, and also verify them:
wget http://crl3.digicert.com/DigiCertGlobalRootG2.crl
openssl crl -inform DER -in DigiCertGlobalRootG2.crl -outform PEM -out crl2.pem
wget http://cdp.thawte.com/ThawteTLSRSACAG1.crl
openssl crl -inform DER -in ThawteTLSRSACAG1.crl -outform PEM -out crl1.pem
cat ./crl1.pem ./crl2.pem >./crl.pem
openssl verify -show_chain -CRLfile ./crl.pem -crl_check_all -trusted ./cert2.pem -untrusted ./cert1.pem ./cert0.pem
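
Added example, not part of the original post: the script below builds a constructed root, intermediate and leaf certificate and runs the same `openssl verify -trusted ... -untrusted ...` form on them, once with the intermediate supplied and once with it withheld, which reproduces the "unable to get local issuer certificate" text offline. It assumes `openssl` is on the PATH; all subject names and file names are placeholders.

```shell
#!/bin/sh
# Added example: a constructed chain (root -> intermediate -> leaf).
# All names are placeholders; nothing here contacts a real server.

# new_csr DIR NAME CN: create NAME.key and NAME.csr in DIR.
new_csr() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
}

# make_chain DIR: write root.pem, inter.pem and leaf.pem into DIR.
make_chain() {
    # Extension file that marks a certificate as a CA.
    printf 'basicConstraints=critical,CA:TRUE\n' >"$1/ca.ext"
    new_csr "$1" root 'Constructed Root CA' &&
    openssl x509 -req -in "$1/root.csr" -signkey "$1/root.key" -days 2 \
        -extfile "$1/ca.ext" -out "$1/root.pem" 2>/dev/null &&
    new_csr "$1" inter 'Constructed Intermediate CA' &&
    openssl x509 -req -in "$1/inter.csr" -CA "$1/root.pem" -CAkey "$1/root.key" \
        -set_serial 2 -days 2 -extfile "$1/ca.ext" -out "$1/inter.pem" 2>/dev/null &&
    new_csr "$1" leaf 'appcenter.example.test' &&
    openssl x509 -req -in "$1/leaf.csr" -CA "$1/inter.pem" -CAkey "$1/inter.key" \
        -set_serial 3 -days 2 -out "$1/leaf.pem" 2>/dev/null
}

# check_leaf DIR [UNTRUSTED]: verify leaf.pem with root.pem as the only trust
# anchor, optionally offering UNTRUSTED as an intermediate.
# Prints openssl's verdict and returns openssl's exit status.
check_leaf() {
    if [ -n "$2" ]; then
        openssl verify -trusted "$1/root.pem" -untrusted "$2" "$1/leaf.pem" 2>&1
    else
        openssl verify -trusted "$1/root.pem" "$1/leaf.pem" 2>&1
    fi
}

demo=$(mktemp -d) && make_chain "$demo" || exit 1
echo '--- intermediate supplied:'
check_leaf "$demo" "$demo/inter.pem" || true
echo '--- intermediate withheld:'
check_leaf "$demo" || true
rm -rf "$demo"
```
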