But the issue arrived after an errata update (I don’t know which), as it is working up to 4.4-7 errata850, also with the new Let’s Encrypt CA? (The openssl version is the same there as on the current errata, so it must be something different that is not working anymore.)
And yes, the SSL cert is still healthy; only the integrated Univention test brings warnings.
Let’s Encrypt issued a new CA in September and is deactivating the older ones step by step.
There are a few more changes Let’s Encrypt published on their homepage.
I am not involved in Let’s Encrypt, I am a simple user, but I guess that the Let’s Encrypt scripts of the Univention app will need to be adapted to the new certificate properties and chains.
I get this error after the update.
The cert itself is correct; I also renewed it on my host by running “/usr/share/univention-letsencrypt/setup-letsencrypt”.
I got the same failure with UCS 5.01.
After a fresh installation of UCS and enabling letsencrypt in the AppCenter, all checks run without error. Then I installed Nextcloud Hub and got the error messages when running the system analysis, and the same when running the openssl verify command.
Also, I cannot start Nextcloud. The browser says unsafe connection. When I say trust, the browser shows:
Zugriff über eine nicht vertrauenswürdige Domain
Bitte kontaktiere Deinen Administrator. Wenn Du Administrator bist, bearbeite die „trusted_domains“-Einstellung in config/config.php. Siehe Beispiel in config/config.sample.php.
When I had this with UCS 4.7, with some checks there was a hint that I have wrong settings in a metafile regarding Nextcloud.
How can this be solved? I think there is a failure in the install script or container.yml, isn’t there?
An online search brought back Let’s Encrypt’s earlier announcements about changes to their intermediate CA certificates.
My current LE certificate was valid, but the absence of the R10 intermediate certificate locally, which was used to issue the LE SSL, was failing the UCS diagnostics. I’m not sure if R10 would ever flip to R11 in the future or not, so I downloaded both R10 and R11, created the needed symlinks and refreshed the certificates to fix the issue.
signed_chain.crt contains two encrypted certificates. I cannot see the (server?) name the certificates belong to.
If I do grep -i servername /etc/apache2/sites-enabled/* I get one line from /etc/apache2/sites-enabled/univention-letsencrypt.conf and two lines from /etc/apache2/sites-enabled/univention-saml.conf (ports 443 and 80 for mod_ssl.c). Each line contains the text ServerName ucs-sso.<DOMAINNAME>. There is no line containing the name of the server you get if you ask the DNS.
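An added example, not part of any post in this thread and not Univention's own tooling: a shell helper that splits a PEM bundle such as signed_chain.crt and prints each certificate's subject and issuer, noting when an issuer is not in the bundle and therefore has to be available in the local CA store (the missing-intermediate situation described above). The function names, `Demo Intermediate` and `ucs.example.test` are constructed for illustration.

```shell
# Added example: show which names a PEM bundle covers and who issued each cert.
# Print field $1 (subject|issuer) of PEM file $2 in stable RFC 2253 form.
cert_name() {
    openssl x509 -noout "-$1" -nameopt RFC2253 -in "$2" | sed "s/^$1= *//"
}

# One line per certificate in bundle $1: position, subject, issuer, chain link.
chain_summary() {
    tmp=$(mktemp -d) || return 1
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/" n ".pem" }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
    ' "$1"
    i=1
    while [ -f "$tmp/$i.pem" ]; do
        subj=$(cert_name subject "$tmp/$i.pem")
        iss=$(cert_name issuer "$tmp/$i.pem")
        next="$tmp/$((i + 1)).pem"
        if [ "$iss" = "$subj" ]; then link="self-signed"
        elif [ -f "$next" ] && [ "$(cert_name subject "$next")" = "$iss" ]; then
            link="issuer is next in bundle"
        else link="issuer must exist in the local CA store"
        fi
        echo "$i: subject=$subj issuer=$iss ($link)"
        i=$((i + 1))
    done
    rm -rf "$tmp"
}

# Constructed sample input: a throwaway CA and leaf, bundled leaf-first in dir $1.
make_demo_chain() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Intermediate" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=ucs.example.test" \
        -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$1/leaf.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -out "$1/leaf.crt" 2>/dev/null
    cat "$1/leaf.crt" "$1/ca.crt" > "$1/signed_chain.crt"
}

# Usage: sh chain_summary.sh /path/to/signed_chain.crt
if [ -n "${1:-}" ]; then chain_summary "$1"; fi
```

Run against a real bundle, the last line's issuer is the certificate that must be present locally for `openssl verify` to succeed.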