dejavu
June 27, 2024, 5:25pm
21
One of my UCS running Let’s Encrypt app generated the same warning yesterday after an update:
/etc/univention/letsencrypt/signed_chain.crt: verification failed
Online search brought back Let’s Encrypt earlier announcements about changes to their intermediate CA certificates.
On Wednesday, March 13, 2024, Let’s Encrypt generated 10 new Intermediate CA Key Pairs, and issued 15 new Intermediate CA Certificates containing the new public keys. These new intermediate certificates provide smaller and more efficient certificate...
On Thursday, June 6th, 2024, we will be switching issuance to use our new intermediate certificates. Simultaneously, we are removing the DST Root CA X3 cross-sign from our API, aligning with our strategy to shorten the Let’s Encrypt chain of trust....
My current LE certificate was valid, but the absence of the R10 intermediate certificate locally, which was used to issue the LE SSL certificate, was failing the UCS diagnostics. I’m not sure whether R10 will ever flip to R11 in the future, so I downloaded both R10 and R11, created the needed symlinks and refreshed the certificates to fix the issue.
wget -O /etc/univention/letsencrypt/lets-encrypt-r10.pem https://letsencrypt.org/certs/2024/r10.pem
wget -O /etc/univention/letsencrypt/lets-encrypt-r11.pem https://letsencrypt.org/certs/2024/r11.pem
ln -s /etc/univention/letsencrypt/lets-encrypt-r10.pem /etc/ssl/certs/lets-encrypt-r10.crt
ln -s /etc/univention/letsencrypt/lets-encrypt-r11.pem /etc/ssl/certs/lets-encrypt-r11.crt
update-ca-certificates -f
Hopefully this will be helpful to someone. Cheers.
7 Likes
krda79
August 15, 2024, 10:24am
22
I encountered the same problem on my UCS instance, so I wanted to have a look into the source code. However, I didn’t find it on GitHub.
Is the source code for this app available somewhere?
MarkD
October 24, 2024, 11:21am
23
It looks like the same problem still exists on UCS 5.0-9 errata1149 / Let’s Encrypt 2.0.0-2.
On different systems Systemdiagnose says:
Critical: Check validity of SSL certificates
Found invalid certificate ‘/etc/univention/letsencrypt/signed_chain.crt’:
error /etc/univention/letsencrypt/signed_chain.crt: verification failed
Found invalid certificate ‘/etc/univention/letsencrypt/signed_chain.crt’:
error /etc/univention/letsencrypt/signed_chain.crt: verification failed
Please see Univention Support Database - Renewing the TLS/SSL certificates on how to renew certificates.
1 Like
Did you follow the instructions on the linked page?
MarkD
October 27, 2024, 8:56am
25
Yes, I did, without success.
1 Like
Please compare the domain names mentioned in signed_chain.crt with those in /etc/apache2/sites-enabled/*.
In my case a “ServerName” entry was missing in one of the Apache cfg files, so this domain could not be verified.
MarkD
October 27, 2024, 12:39pm
27
I don’t know how to do this.
signed_chain.crt contains two encrypted certificates. I cannot see the (server?) name the certificates belong to.
If I run grep -i servername /etc/apache2/sites-enabled/* I get one line from /etc/apache2/sites-enabled/univention-letsencrypt.conf and two lines from /etc/apache2/sites-enabled/univention-saml.conf (ports 443 and 80 for mod_ssl.c). Each line contains the text ServerName ucs-sso.<DOMAINNAME>. There is no line containing the name of the server you get if you ask the DNS.
openssl x509 -in /etc/univention/letsencrypt/signed_chain.crt -noout -text | grep DNS
MarkD
October 28, 2024, 9:43am
29
The result of the command is one line. It contains:
DNS:<HOSTNAME>.<DOMAINNAME>, DNS:ucs-sso.<DOMAINNAME>
What does this mean?
Are both DNS entries the same as the domains actually used (no spelling mistake)?
MarkD
October 28, 2024, 11:43am
31
DNS queries for the two names work, and the answers given are the same IPv4 address.
Please check whether /var/log/letsencrypt.log or /var/log/univention/letsencrypt.log exists.
Maybe you will find more details in it.
MarkD
December 8, 2024, 7:09pm
33
This worked for me with small changes. I found and added two more symbolic links using these commands:
wget -O /etc/univention/letsencrypt/lets-encrypt-r10.pem https://letsencrypt.org/certs/2024/r10.pem
wget -O /etc/univention/letsencrypt/lets-encrypt-r11.pem https://letsencrypt.org/certs/2024/r11.pem
ln -s /etc/univention/letsencrypt/lets-encrypt-r10.pem /usr/local/share/ca-certificates/lets-encrypt-r10.crt
ln -s /etc/univention/letsencrypt/lets-encrypt-r11.pem /usr/local/share/ca-certificates/lets-encrypt-r11.crt
ln -s /usr/local/share/ca-certificates/lets-encrypt-r10.crt /etc/ssl/certs/lets-encrypt-r10.pem
ln -s /usr/local/share/ca-certificates/lets-encrypt-r11.crt /etc/ssl/certs/lets-encrypt-r11.pem
update-ca-certificates -f
I also checked the ownership and the access rights.
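Both fixes in this thread (dejavu's and MarkD's) work by putting the Let's Encrypt intermediates into the system trust store. The following added example, which is not code from this thread or from Univention, builds a throw-away toy PKI with openssl to show why a signed_chain.crt that already carries the intermediate can still fail a plain openssl verify (the tool reads only the first certificate in the file), and that either passing the intermediate as -untrusted or trusting it, as the fixes above do, makes the check pass. It also wraps the grep DNS check from further up as a function. All names and files are constructed; it assumes only that openssl is installed.

```shell
# Added example (not from this thread or from Univention): a constructed toy
# PKI, root -> intermediate -> server cert (like ISRG Root X1 -> R10 -> the
# UCS certificate), showing when "openssl verify" rejects signed_chain.crt.
# Assumes only that openssl is installed; all files live in a temp dir.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"
# Constructed root CA (stands in for ISRG Root X1).
openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Toy Root" -days 2 \
  -keyout root.key -out root.pem 2>/dev/null
# Constructed intermediate CA (stands in for R10/R11), issued by the root.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > ca.ext
openssl req -newkey rsa:2048 -nodes -subj "/CN=Toy R10" \
  -keyout inter.key -out inter.csr 2>/dev/null
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 2 -extfile ca.ext -out inter.pem 2>/dev/null
# Constructed server certificate issued by the intermediate, with SANs laid
# out like a UCS Let's Encrypt certificate (host name plus ucs-sso).
printf 'subjectAltName=DNS:ucs.example.test,DNS:ucs-sso.example.test\n' > leaf.ext
openssl req -newkey rsa:2048 -nodes -subj "/CN=ucs.example.test" \
  -keyout leaf.key -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
  -days 2 -extfile leaf.ext -out leaf.pem 2>/dev/null
# signed_chain.crt as the app writes it (server cert first, then the
# intermediate); trust-with-inter.pem is the trust store after the fix above.
cat leaf.pem inter.pem > signed_chain.crt
cat root.pem inter.pem > trust-with-inter.pem
# chain_verifies CHAIN TRUSTFILE [UNTRUSTED]: prints yes or no. "openssl verify"
# reads only the FIRST certificate of CHAIN, so the intermediate behind it is
# ignored unless it is passed via -untrusted or is itself in the trust store.
chain_verifies() {
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$2" -untrusted "$3" "$1" >/dev/null 2>&1 && echo yes || echo no
  else
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1 && echo yes || echo no
  fi
}
# chain_sans CHAIN: DNS names the server certificate covers (the grep DNS
# check from the thread, as a function).
chain_sans() {
  openssl x509 -in "$1" -noout -text | grep -o 'DNS:[^, ]*' | xargs
}
echo "root only, chain file as-is:           $(chain_verifies signed_chain.crt root.pem)"
echo "root only, intermediate as -untrusted: $(chain_verifies signed_chain.crt root.pem signed_chain.crt)"
echo "root + intermediate trusted (the fix): $(chain_verifies signed_chain.crt trust-with-inter.pem)"
echo "names covered: $(chain_sans signed_chain.crt)"
```

On a real UCS host, chain_verifies /etc/univention/letsencrypt/signed_chain.crt /etc/ssl/certs/ca-certificates.crt tells you whether the store built by update-ca-certificates now carries the issuing intermediate.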