Letsencrypt verification failed

One of my UCS systems running the Let’s Encrypt app generated the same warning yesterday after an update:

/etc/univention/letsencrypt/signed_chain.crt: verification failed

An online search brought back Let’s Encrypt’s earlier announcements about changes to their intermediate CA certificates.

My current LE certificate was valid, but the absence of the R10 intermediate certificate locally, which was used to issue the LE SSL certificate, was failing the UCS diagnostics. I’m not sure whether R10 will ever flip to R11 in the future, so I downloaded both R10 and R11, created the needed symlinks and refreshed the certificates to fix the issue.

# fetch the two current Let's Encrypt RSA intermediates
wget -O /etc/univention/letsencrypt/lets-encrypt-r10.pem https://letsencrypt.org/certs/2024/r10.pem

wget -O /etc/univention/letsencrypt/lets-encrypt-r11.pem https://letsencrypt.org/certs/2024/r11.pem

# make them visible in the system trust directory
ln -s /etc/univention/letsencrypt/lets-encrypt-r10.pem /etc/ssl/certs/lets-encrypt-r10.crt

ln -s /etc/univention/letsencrypt/lets-encrypt-r11.pem /etc/ssl/certs/lets-encrypt-r11.crt

# rebuild the hash links in /etc/ssl/certs so -CApath lookups find the new files
update-ca-certificates -f

Hopefully this will be helpful to someone. Cheers.

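For anyone who wants to see what the diagnostic is actually complaining about before downloading intermediates: the script below is an added example for this thread, not code from the UCS Let’s Encrypt app. It splits signed_chain.crt (server certificate first, intermediate after it, which is how UCS writes the file) and runs openssl verify twice: once against the trust store alone, which produces the same "verification failed" line quoted above, and once with the bundled intermediate handed over via -untrusted. If only the second attempt succeeds, the chain itself is fine and the intermediate named in the leaf’s issuer line (R10 at the time of the first post) is simply not in the trust store, which is the situation the commands above fix. The default trust store /etc/ssl/certs is an assumption; pass -CAfile or -CApath to point it elsewhere.

```shell
#!/bin/sh
# Added example for this thread, not code from the UCS Let's Encrypt app.
# Distinguishes "the certificate chain is bad" from "only the intermediate
# is missing in the local trust store" (the case the commands above fix).
#
# Usage: check_signed_chain CHAINFILE [trust-store options for openssl verify]
#   check_signed_chain /etc/univention/letsencrypt/signed_chain.crt
#   check_signed_chain signed_chain.crt -CAfile /path/to/roots.pem
# Return code:
#   0  leaf verifies against the trust store alone
#   2  leaf verifies only when the intermediates bundled in the file are
#      given as -untrusted, i.e. the issuing intermediate is not installed locally
#   1  the chain does not verify at all (expired, unknown root, wrong file, ...)
check_signed_chain() {
    chain=$1
    shift
    # Default trust store: the directory update-ca-certificates maintains (assumption).
    [ $# -gt 0 ] || set -- -CApath /etc/ssl/certs

    tmp=$(mktemp -d) || return 1

    # 'openssl verify FILE' checks only the FIRST certificate in FILE and
    # ignores the rest, so split the bundle: cert1.pem is the server (leaf)
    # certificate, cert2.pem and later are the intermediates appended to it.
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++ }
        n > 0 { print > (dir "/cert" n ".pem") }
    ' "$chain"
    leaf=$tmp/cert1.pem
    if [ ! -s "$leaf" ]; then
        echo "no certificate found in $chain" >&2
        rm -rf "$tmp"
        return 1
    fi

    # The issuer line names the intermediate that has to be present (R10, R11, ...);
    # the SAN list is what the Apache ServerName entries have to match.
    openssl x509 -in "$leaf" -noout -issuer
    openssl x509 -in "$leaf" -noout -ext subjectAltName 2>/dev/null | tail -n +2

    if openssl verify "$@" "$leaf" >/dev/null 2>&1; then
        echo "OK: leaf verifies against the trust store"
        rc=0
    else
        # Collect everything after the leaf and offer it as untrusted chain material.
        untrusted=$tmp/intermediates.pem
        : > "$untrusted"
        for f in "$tmp"/cert[2-9].pem; do
            [ -f "$f" ] && cat "$f" >> "$untrusted"
        done
        if [ -s "$untrusted" ] && openssl verify "$@" -untrusted "$untrusted" "$leaf" >/dev/null 2>&1; then
            echo "MISSING INTERMEDIATE: the chain verifies with the bundled intermediate," \
                 "but that intermediate is not in the trust store"
            rc=2
        else
            echo "FAILED: the chain does not verify even with the bundled intermediates" >&2
            openssl verify "$@" "$leaf" 2>&1 | sed 's/^/  /' >&2
            rc=1
        fi
    fi
    rm -rf "$tmp"
    return $rc
}

# Stand-alone use: sh check_signed_chain.sh /etc/univention/letsencrypt/signed_chain.crt
if [ $# -gt 0 ]; then check_signed_chain "$@"; fi
```

A return code of 2 is the case from the first post: after installing the intermediate and running update-ca-certificates, the same call should return 0. A return code of 1 means something else is wrong (expired leaf, a root the system does not know, a file that is not a certificate), and installing intermediates will not help.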

I encountered the same problem on my UCS instance, so I wanted to have a look at the source code. However, I didn’t find it on GitHub.

Is the source code for this app available somewhere?

It looks like the same problem still exists on UCS 5.0-9 errata1149 / Let’s Encrypt 2.0.0-2.

On different systems, Systemdiagnose says:

Critical: Check validity of SSL certificates

Found invalid certificate ‘/etc/univention/letsencrypt/signed_chain.crt’:
error /etc/univention/letsencrypt/signed_chain.crt: verification failed

Found invalid certificate ‘/etc/univention/letsencrypt/signed_chain.crt’:
error /etc/univention/letsencrypt/signed_chain.crt: verification failed

Please see Univention Support Database - Renewing the TLS/SSL certificates on how to renew certificates.

Did you follow the instructions on the linked page?

Yes I did without success.

Please compare the domain names mentioned in signed_chain.crt with those in /etc/apache2/sites-enabled/*.

In my case, the “ServerName” entry was missing in one of the Apache config files, so this domain could not be verified.

I don’t know how to do this.

signed_chain.crt contains two encrypted certificates. I cannot see the (server?) name the certificates belong to.

If I run grep -i servername /etc/apache2/sites-enabled/*, I get one line from /etc/apache2/sites-enabled/univention-letsencrypt.conf and two lines from /etc/apache2/sites-enabled/univention-saml.conf (ports 443 and 80 for mod_ssl.c). Each line contains the text ServerName ucs-sso.<DOMAINNAME>. There is no line containing the name of the server that you get if you ask the DNS.

openssl x509 -in /etc/univention/letsencrypt/signed_chain.crt -noout -text | grep DNS

The result of the command is one line. It contains:

DNS:<HOSTNAME>.<DOMAINNAME>, DNS:ucs-sso.<DOMAINNAME>

What does this mean?
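To make the comparison asked for above mechanical, here is an added example (mine, not code from UCS or the Let’s Encrypt app). It turns the DNS: list from the openssl x509 command into one name per line, pulls the ServerName and ServerAlias values out of the enabled Apache vhost files, and prints the two differences: a vhost name the certificate does not cover is the one that breaks TLS clients; a certificate name that no vhost answers for is harmless for TLS, but in the situation described above it would show the <HOSTNAME>.<DOMAINNAME> entry that the grep did not find. The directory /etc/apache2/sites-enabled and the *.conf pattern are assumptions taken from the thread; adjust them if your vhosts live elsewhere.

```shell
#!/bin/sh
# Added example for this thread, not code from UCS or the Let's Encrypt app.
# Compares the DNS names in the server certificate with the host names the
# Apache vhosts answer for, so the "compare signed_chain.crt with
# /etc/apache2/sites-enabled/*" step does not have to be done by eye.
#
# Usage: check_vhost_names /etc/univention/letsencrypt/signed_chain.crt [/etc/apache2/sites-enabled]
# Return code: 0 if every ServerName/ServerAlias is covered by the certificate, 1 otherwise.

# Turn the text printed by 'openssl x509 -noout -ext subjectAltName' (or a
# pasted "DNS:a, DNS:b" line) into lower-cased names, one per line, sorted.
parse_san_dns_names() {
    tr ',' '\n' | sed -n 's/.*DNS:\([^[:space:]]*\).*/\1/p' | tr 'A-Z' 'a-z' | sort -u
}

# ServerName/ServerAlias values from the enabled vhost files (Apache only
# reads *.conf there), ignoring comment lines and stripping an optional
# scheme prefix and :port suffix.
apache_server_names() {
    cat "${1:-/etc/apache2/sites-enabled}"/*.conf 2>/dev/null | awk '
        tolower($1) == "servername" || tolower($1) == "serveralias" {
            for (i = 2; i <= NF; i++) {
                name = tolower($i)
                sub(/^[a-z]+:\/\//, "", name)   # "ServerName https://host:443"
                sub(/:[0-9]+$/, "", name)
                if (name != "") print name
            }
        }' | sort -u
}

# names_diff SAN_TEXT VHOST_DIR vhost-only|cert-only
#   vhost-only: names Apache answers for that the certificate does not cover
#   cert-only:  names in the certificate that no vhost is configured for
names_diff() {
    t=$(mktemp -d) || return 1
    printf '%s\n' "$1" | parse_san_dns_names > "$t/cert"
    apache_server_names "$2" > "$t/vhosts"
    case $3 in
        vhost-only) comm -23 "$t/vhosts" "$t/cert" ;;
        cert-only)  comm -13 "$t/vhosts" "$t/cert" ;;
    esac
    rm -rf "$t"
}

check_vhost_names() {
    chain=$1
    dir=${2:-/etc/apache2/sites-enabled}
    # openssl reads only the first certificate of the file, which is the leaf.
    san=$(openssl x509 -in "$chain" -noout -ext subjectAltName 2>/dev/null) || return 1
    cert_only=$(names_diff "$san" "$dir" cert-only)
    vhost_only=$(names_diff "$san" "$dir" vhost-only)
    [ -z "$cert_only" ] || printf 'in certificate, but no vhost answers for it:\n%s\n' "$cert_only"
    if [ -n "$vhost_only" ]; then
        printf 'served by Apache, but NOT in the certificate:\n%s\n' "$vhost_only"
        return 1
    fi
    echo "every ServerName/ServerAlias is covered by the certificate"
}

if [ $# -gt 0 ]; then check_vhost_names "$@"; fi
```

Note that a missing ServerName makes Apache fall back to the system host name for that vhost, so a name that appears under "no vhost answers for it" may still be served; the script only reports what the configuration files say explicitly, which is what the grep above inspected.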

Are both DNS entries the same as the domains actually used (no spelling mistake)?

DNS queries for the two names work, and the answers given are the same IPv4 address.

Please check whether /var/log/letsencrypt.log or /var/log/univention/letsencrypt.log exists.
Maybe you will find more details in it.
