Letsencrypt verification failed

One of my UCS running Let’s Encrypt app generated the same warning yesterday after an update:

/etc/univention/letsencrypt/signed_chain.crt: verification failed

Online search brought back Let’s Encrypt earlier announcements about changes to their intermediate CA certificates.

My current LE certificate was valid, but the absence of the R10 intermediate certificate locally, which was used to issue the LE SSL was failing the UCS diagnostics. I’m not sure if R10 would ever flip to R11 in the future or not, so I downloaded both R10 and R11, created needed symlinks and refreshed the certificates to fix the issue.

wget -O /etc/univention/letsencrypt/lets-encrypt-r10.pem https://letsencrypt.org/certs/2024/r10.pem

wget -O /etc/univention/letsencrypt/lets-encrypt-r11.pem https://letsencrypt.org/certs/2024/r11.pem

ln -s /etc/univention/letsencrypt/lets-encrypt-r10.pem /etc/ssl/certs/lets-encrypt-r10.crt

ln -s /etc/univention/letsencrypt/lets-encrypt-r11.pem /etc/ssl/certs/lets-encrypt-r11.crt

update-ca-certificates -f

Hopefully this will be helpful to someone. Cheers.

I encounter the same problem on my UCS instance, so I want to have a look into the source code. However, I didn’t find it on Github.

Is the source code for this app available somewhere?

It looks like the same problem still exists on UCS 5.0-9 errata1149 / Let’s Encrypt 2.0.0-2.

On different systems Systemdiagnose says:

Critical: Check validity of SSL certificates

Found invalid certificate ‘/etc/univention/letsencrypt/signed_chain.crt’:
error /etc/univention/letsencrypt/signed_chain.crt: verification failed

Found invalid certificate ‘/etc/univention/letsencrypt/signed_chain.crt’:
error /etc/univention/letsencrypt/signed_chain.crt: verification failed

Please see Univention Support Database - Renewing the TLS/SSL certificates on how to renew certificates.

Did you follow the instructions on the linked page

Yes I did without success.

Please compare the mentioned domain names in signed_chain.crt with the /etc/apache2/sites-enabled/*

In my case there was a missing entry “ServerName” in one of the apache cfg-files, so this domain could not be verified.

I don’t know how to do this.

signed_chain.crt contains two encrypted certificates. I can not see the (server?) name the certificates belong to.

If I do grep -i servername /etc/apache2/sites-enabled/* I get one line from /etc/apache2/sites-enabled/univention-letsencrypt.conf and two lines from /etc/apache2/sites-enabled/univention-saml.conf (ports 443 and 80 for mod_ssl.c). Each line contains the text ServerName ucs-sso.<DOMAINNAME>. There is no line containing the name of the server you get if you ask the DNS.

openssl x509 -in /etc/univention/letsencrypt/signed_chain.crt -noout -text | grep DNS

The result of the command is one line. It contains:

DNS:<HOSTNAME>.<DOMAINNAME>, DNS:ucs-sso.<DOMAINNAME>

What does this mean?

Are both DNS-entries the same as the really used domains (no spelling mistake)?

DNS Queries for the two names work and answers given are the same IPv4 Adresse.

Please check, whether /var/log/letsencrypt.log or /var/log/univention/letsencrypt.log exists.
Maybe you will find more details in it.

This worked for me with small changes. I found and added two more symbolic links using these commands:

wget -O /etc/univention/letsencrypt/lets-encrypt-r10.pem https://letsencrypt.org/certs/2024/r10.pem
wget -O /etc/univention/letsencrypt/lets-encrypt-r11.pem https://letsencrypt.org/certs/2024/r11.pem

ln -s /etc/univention/letsencrypt/lets-encrypt-r10.pem /usr/local/share/ca-certificates/lets-encrypt-r10.crt
ln -s /etc/univention/letsencrypt/lets-encrypt-r11.pem /usr/local/share/ca-certificates/lets-encrypt-r11.crt

ln -s /usr/local/share/ca-certificates/lets-encrypt-r10.crt /etc/ssl/certs/lets-encrypt-r10.pem
ln -s /usr/local/share/ca-certificates/lets-encrypt-r11.crt /etc/ssl/certs/lets-encrypt-r11.pem
 
update-ca-certificates -f

I also checked the ownership and the access rights.