Thank you. Now I know, that this is not caused by my special configuration.
@boopsy:
But only in the case, that the Letsencrypt-App will have been upgraded, too.
The UCS system diagnostic module has issues when trying to verify certificates from external CAs, so this may be a false positive.
Are any services currently restricted in the environment?
See also the following bugs, there is some information why openssl verify
is not always the best tool to check cert chain validity, especially https://mail.python.org/pipermail/cryptography-dev/2016-August/000676.html
https://forge.univention.org/bugzilla/show_bug.cgi?id=52517
https://forge.univention.org/bugzilla/show_bug.cgi?id=52546
But the issue has arrived after errata update (don’t know which) as it is working till 4.4-7 errata850 also with the new Let’s Encrypt CA? (openssl version is the same there as on actual errata - so it must be something different not working anymore)
And yes the SSL Cert is still healthy - only the integrated univention test brings warnings
rg
Christian
Letsencrypt had issued a new CA in September and deactivates the older ones step by step.
There are a few more changes Letsencrypt published on their homepage.
I am not involved in Letsencrypt - I am a simple user - but I guess that the Letsencrypt scripts of the Univention app will need to be adapted to the new certificate properties and chains.
Same over here. After errata update to 873 I got that error message for let’s encrypt certificates.
See:
We have released a Let’s Encrypt App update. Version 1.2.2-16 should fix the errors reported in the system diagnostic module.
Many thanks. It works perfectly. Good work!
I get this error after the update.
the cert itself is correct, I also renewed it on my host by running “/usr/share/univention-letsencrypt/setup-letsencrypt”
I run the latest version on UCS 5: LE:2.0.0-2
I got the same failure with UCS 5.01.
After fresh installation of UCS and enabling letsencrypt in the AppCenter all checks are running without error. Then I installed Nextcloud Hub and I got the error messages when running the system analysis and the same by running the openssl verify command.
Also I can not start Nextcloud. Browser says unsafe connection. When I say trust, the browser shows: Zugriff über eine nicht vertrauenswürdige Domain
Bitte kontaktiere Deinen Administrator. Wenn Du Administrator bist, bearbeite die „trusted_domains“-Einstellung in config/config.php. Siehe Beispiel in config/config.sample.php.
When I had this with UCS 4.7 with some checks there was a hint that I have wrong settings in a metafile regarding NextCloud.
How can this be solved? I think there is a failure in the install-script or container.yml. Isn’t it?
Yes the Bug is back again
5.0-7 errata1032
Yes, I can confirm that. 5.07 / 5.08
One of my UCS running Let’s Encrypt app generated the same warning yesterday after an update:
/etc/univention/letsencrypt/signed_chain.crt: verification failed
Online search brought back Let’s Encrypt earlier announcements about changes to their intermediate CA certificates.
My current LE certificate was valid, but the absence of the R10 intermediate certificate locally, which was used to issue the LE SSL was failing the UCS diagnostics. I’m not sure if R10 would ever flip to R11 in the future or not, so I downloaded both R10 and R11, created needed symlinks and refreshed the certificates to fix the issue.
wget -O /etc/univention/letsencrypt/lets-encrypt-r10.pem https://letsencrypt.org/certs/2024/r10.pem
wget -O /etc/univention/letsencrypt/lets-encrypt-r11.pem https://letsencrypt.org/certs/2024/r11.pem
ln -s /etc/univention/letsencrypt/lets-encrypt-r10.pem /etc/ssl/certs/lets-encrypt-r10.crt
ln -s /etc/univention/letsencrypt/lets-encrypt-r11.pem /etc/ssl/certs/lets-encrypt-r11.crt
update-ca-certificates -f
Hopefully this will be helpful to someone. Cheers.
I encounter the same problem on my UCS instance, so I want to have a look into the source code. However, I didn’t find it on Github.
Is the source code for this app available somewhere?
It looks like the same problem still exists on UCS 5.0-9 errata1149 / Let’s Encrypt 2.0.0-2.
On different systems Systemdiagnose says:
Critical: Check validity of SSL certificates
Found invalid certificate ‘/etc/univention/letsencrypt/signed_chain.crt’:
error /etc/univention/letsencrypt/signed_chain.crt: verification failed
Found invalid certificate ‘/etc/univention/letsencrypt/signed_chain.crt’:
error /etc/univention/letsencrypt/signed_chain.crt: verification failed
Please see Univention Support Database - Renewing the TLS/SSL certificates on how to renew certificates.
Did you follow the instructions on the linked page?
Yes I did without success.
Please compare the mentioned domain names in signed_chain.crt with the /etc/apache2/sites-enabled/*
In my case there was a missing entry “ServerName” in one of the apache cfg-files, so this domain could not be verified.
I don’t know how to do this.
signed_chain.crt contains two encrypted certificates. I can not see the (server?) name the certificates belong to.
If I do grep -i servername /etc/apache2/sites-enabled/*
I get one line from /etc/apache2/sites-enabled/univention-letsencrypt.conf
and two lines from /etc/apache2/sites-enabled/univention-saml.conf
(ports 443 and 80 for mod_ssl.c). Each line contains the text ServerName ucs-sso.<DOMAINNAME>. There is no line containing the name of the server you get if you ask the DNS.
openssl x509 -in /etc/univention/letsencrypt/signed_chain.crt -noout -text | grep DNS
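A self-contained shell example, added here and not taken from the thread or from the Univention Let’s Encrypt app, that reproduces the two points raised above: the R10/R11 post (a valid leaf fails `openssl verify` as long as the issuing intermediate is not in the trust store, and `openssl verify` only reads the first certificate of `signed_chain.crt`, so the intermediate behind the leaf does not help) and the last replies (comparing the DNS names in the leaf against the Apache `ServerName` entries). It builds a throwaway root, intermediate and leaf with `openssl`; every certificate name, the `example.test` host names and the temp directory are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the forum thread or the Let's Encrypt app.
# Builds root -> intermediate -> leaf, writes a signed_chain.crt in the same
# layout as /etc/univention/letsencrypt/signed_chain.crt (leaf, then
# intermediate) and shows why a diagnostic-style "openssl verify" fails.
set -eu

# Create the demo chain in a temp dir and echo that dir.
make_demo_chain() {
  d=$(mktemp -d)
  # Self-signed root; the default openssl.cnf v3_ca section marks it CA:TRUE.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
    -subj "/CN=Demo Root X1" -keyout "$d/root.key" -out "$d/root.pem" >/dev/null 2>&1
  # Intermediate (plays the role of R10/R11), signed by the root.
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/int.ext"
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate R10" \
    -keyout "$d/int.key" -out "$d/int.csr" >/dev/null 2>&1
  openssl x509 -req -sha256 -days 2 -in "$d/int.csr" -CA "$d/root.pem" \
    -CAkey "$d/root.key" -CAcreateserial -extfile "$d/int.ext" -out "$d/int.pem" >/dev/null 2>&1
  # Leaf (server) certificate with two constructed SAN entries.
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:ucs.example.test,DNS:ucs-sso.example.test\n' > "$d/leaf.ext"
  openssl req -newkey rsa:2048 -nodes -subj "/CN=ucs.example.test" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" >/dev/null 2>&1
  openssl x509 -req -sha256 -days 2 -in "$d/leaf.csr" -CA "$d/int.pem" \
    -CAkey "$d/int.key" -CAcreateserial -extfile "$d/leaf.ext" -out "$d/leaf.pem" >/dev/null 2>&1
  # Same layout as signed_chain.crt: leaf first, intermediate appended.
  cat "$d/leaf.pem" "$d/int.pem" > "$d/signed_chain.crt"
  echo "$d"
}

# Diagnostic-style check: verify signed_chain.crt against a CA bundle.
# openssl verify reads only the FIRST certificate of the file argument, so the
# intermediate sitting behind the leaf is ignored; it must come from the store.
# $1 = chain dir, $2 = CA bundle file
verify_like_diagnostic() {
  openssl verify -CAfile "$2" "$1/signed_chain.crt" >/dev/null 2>&1
}

# Fix A: hand the chain file to openssl as untrusted intermediates.
verify_with_untrusted() {
  openssl verify -CAfile "$1/root.pem" -untrusted "$1/signed_chain.crt" \
    "$1/signed_chain.crt" >/dev/null 2>&1
}

# Fix B (what the R10/R11 post achieved via update-ca-certificates): put the
# intermediate into the trusted bundle. Echoes the bundle path.
trusted_bundle_with_intermediate() {
  cat "$1/root.pem" "$1/int.pem" > "$1/bundle.pem"
  echo "$1/bundle.pem"
}

# DNS names of the leaf, one per line, for comparison with Apache ServerName.
leaf_dns_names() {
  openssl x509 -in "$1/signed_chain.crt" -noout -text | grep -o 'DNS:[^, ]*'
}

# True when the given host name is listed in the leaf's SAN.  $1 = dir, $2 = name
cert_covers_name() {
  leaf_dns_names "$1" | grep -qx "DNS:$2"
}

# Stand-alone demo: sh thisfile.sh demo
if [ "${1:-}" = "demo" ]; then
  d=$(make_demo_chain)
  verify_like_diagnostic "$d" "$d/root.pem" && echo "root only: OK" || echo "root only: verification failed (intermediate not trusted)"
  verify_with_untrusted "$d" && echo "with -untrusted chain: OK"
  verify_like_diagnostic "$d" "$(trusted_bundle_with_intermediate "$d")" && echo "intermediate in bundle: OK"
  echo "names in leaf:"; leaf_dns_names "$d"
  rm -rf "$d"
fi
```

To apply the name comparison on a real UCS host, run `leaf_dns_names` against `/etc/univention/letsencrypt/signed_chain.crt` and feed each `ServerName` from `grep -ih servername /etc/apache2/sites-enabled/*` to `cert_covers_name`; a name that the Apache config serves but the certificate does not list is exactly the mismatch the earlier reply describes.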