Letsencrypt verification failed

Same over here. After the errata update to 873 I got that error message for Let’s Encrypt certificates.

See:

We have released a Let’s Encrypt App update. Version 1.2.2-16 should fix the errors reported in the system diagnostic module.

2 Likes

Many thanks. It works perfectly. Good work!

I get this error after the update.
The cert itself is correct; I also renewed it on my host by running “/usr/share/univention-letsencrypt/setup-letsencrypt”.

I run the latest version on UCS 5: LE:2.0.0-2

I got the same failure with UCS 5.01.
After a fresh installation of UCS and enabling Let’s Encrypt in the App Center, all checks run without error. Then I installed Nextcloud Hub and got the error messages when running the system analysis, and the same when running the openssl verify command.
Also I cannot start Nextcloud. The browser says unsafe connection. When I say trust, the browser shows: Access through an untrusted domain.
Please contact your administrator. If you are an administrator, edit the “trusted_domains” setting in config/config.php. See the example in config/config.sample.php.
When I had this with UCS 4.7, some checks gave a hint that I had wrong settings in a metafile regarding Nextcloud.
How can this be solved? I think there is a failure in the install script or container.yml. Isn’t it?

Yes, the bug is back again.
5.0-7 errata1032

1 Like

Yes, I can confirm that. 5.07 / 5.08

One of my UCS running Let’s Encrypt app generated the same warning yesterday after an update:

/etc/univention/letsencrypt/signed_chain.crt: verification failed

An online search brought up Let’s Encrypt’s earlier announcements about changes to their intermediate CA certificates.

My current LE certificate was valid, but the local absence of the R10 intermediate certificate, which was used to issue the LE SSL certificate, was failing the UCS diagnostics. I’m not sure whether R10 would ever flip to R11 in the future, so I downloaded both R10 and R11, created the needed symlinks and refreshed the certificates to fix the issue.

wget -O /etc/univention/letsencrypt/lets-encrypt-r10.pem https://letsencrypt.org/certs/2024/r10.pem

wget -O /etc/univention/letsencrypt/lets-encrypt-r11.pem https://letsencrypt.org/certs/2024/r11.pem

ln -s /etc/univention/letsencrypt/lets-encrypt-r10.pem /etc/ssl/certs/lets-encrypt-r10.crt

ln -s /etc/univention/letsencrypt/lets-encrypt-r11.pem /etc/ssl/certs/lets-encrypt-r11.crt

update-ca-certificates -f

Hopefully this will be helpful to someone. Cheers.

6 Likes

I encounter the same problem on my UCS instance, so I want to have a look into the source code. However, I didn’t find it on Github.

Is the source code for this app available somewhere?

It looks like the same problem still exists on UCS 5.0-9 errata1149 / Let’s Encrypt 2.0.0-2.

On different systems, Systemdiagnose says:

Critical: Check validity of SSL certificates

Found invalid certificate ‘/etc/univention/letsencrypt/signed_chain.crt’:
error /etc/univention/letsencrypt/signed_chain.crt: verification failed

Found invalid certificate ‘/etc/univention/letsencrypt/signed_chain.crt’:
error /etc/univention/letsencrypt/signed_chain.crt: verification failed

Please see Univention Support Database - Renewing the TLS/SSL certificates on how to renew certificates.

Did you follow the instructions on the linked page?

Yes I did without success.

Please compare the mentioned domain names in signed_chain.crt with the /etc/apache2/sites-enabled/*

In my case there was a missing “ServerName” entry in one of the Apache config files, so this domain could not be verified.

I don’t know how to do this.

signed_chain.crt contains two encrypted certificates. I cannot see the (server?) name the certificates belong to.

If I do grep -i servername /etc/apache2/sites-enabled/* I get one line from /etc/apache2/sites-enabled/univention-letsencrypt.conf and two lines from /etc/apache2/sites-enabled/univention-saml.conf (ports 443 and 80 for mod_ssl.c). Each line contains the text ServerName ucs-sso.<DOMAINNAME>. There is no line containing the name of the server you get if you ask the DNS.

openssl x509 -in /etc/univention/letsencrypt/signed_chain.crt -noout -text | grep DNS

The result of the command is one line. It contains:

DNS:<HOSTNAME>.<DOMAINNAME>, DNS:ucs-sso.<DOMAINNAME>

What does this mean?

Are both DNS entries the same as the domains really used (no spelling mistake)?

DNS queries for the two names work, and the answers given are the same IPv4 address.

Please check whether /var/log/letsencrypt.log or /var/log/univention/letsencrypt.log exists.
Maybe you will find more details in it.
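Added example, not from this thread or from the Univention Let’s Encrypt app: a small POSIX shell check that does by script what the replies above do by hand. It runs openssl verify on signed_chain.crt against the local CA store (the failure the diagnostic module reports) and compares the DNS SANs in the certificate with the ServerName entries in /etc/apache2/sites-enabled/*, reporting any name Apache serves that the certificate does not cover. The file paths are the ones named in the thread; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread or the Univention app: check the Let's Encrypt
# chain file the way the replies above do by hand (openssl verify, then SANs vs
# Apache ServerName entries).

# Read `openssl x509 -noout -text` output on stdin; print DNS SANs, one per line.
san_names() {
    grep -o 'DNS:[^,[:space:]]*' | sed 's/^DNS://' | LC_ALL=C sort -u
}

# Read Apache config text on stdin; print ServerName values, one per line,
# skipping commented-out lines.
server_names() {
    grep -v '^[[:space:]]*#' | awk 'tolower($1) == "servername" { print $2 }' | LC_ALL=C sort -u
}

# $1: file of SAN names, $2: file of ServerNames (both sorted).
# Prints the ServerNames that the certificate does not cover.
missing_names() {
    LC_ALL=C comm -13 "$1" "$2"
}

# Full check on a live system. Defaults are the paths named in the thread.
# Returns 0 when the chain verifies and all ServerNames are covered, 1 otherwise.
check_cert_vs_apache() {
    chain="${1:-/etc/univention/letsencrypt/signed_chain.crt}"
    sites="${2:-/etc/apache2/sites-enabled}"
    status=0
    # The leaf is the first certificate in the file; the remaining ones are offered
    # as untrusted intermediates, so a missing intermediate (e.g. R10) shows up as
    # "verification failed", exactly as the diagnostic module reports it.
    if ! openssl verify -untrusted "$chain" "$chain" >/dev/null 2>&1; then
        echo "$chain: verification failed; leaf issuer: $(openssl x509 -in "$chain" -noout -issuer)"
        status=1
    fi
    sans=$(mktemp) && names=$(mktemp)
    openssl x509 -in "$chain" -noout -text | san_names > "$sans"
    cat "$sites"/*.conf | server_names > "$names"
    for n in $(missing_names "$sans" "$names"); do
        echo "ServerName $n has no matching DNS SAN in $chain"
        status=1
    done
    rm -f "$sans" "$names"
    return "$status"
}

# Usage on a live system: sh <this file> --run [chain-file] [sites-dir]
case "${1:-}" in --run) check_cert_vs_apache "${2:-}" "${3:-}" ;; esac
```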
