Apache2 Returns “Not Found” for Login Page After Certificate Renewal
Problem:
After renewing SSL certificates on a Univention Corporate Server (UCS) environment, the Apache2 web server is no longer able to load the Apache Guacamole login page.
When accessing the Guacamole URL, the following error is displayed:
Not Found
The requested URL was not found on this server.
Apache/2.4.59 (Univention) Server at guacamole.univention.de Port 443
As a result, the Guacamole web interface is inaccessible.
Environment:
- UCS environment with a Guacamole app installation
- Apache2 used as reverse proxy
- SSL certificates managed via univention-certificate
- Certificates recently renewed or recreated on the Primary Node
Renewing the SSL certificates
Investigation:
1. Check for Duplicate Certificates on the Primary Node
First, verify whether multiple certificates exist for the Guacamole host. Duplicate certificates may occur after renewals or re-joins and can lead to inconsistent Apache configurations.
root@master:~/univention-support# univention-certificate list-all | grep guac*
17 guacamole.univention.de (V)
18 guaca-48303696.univention.de (V)
24 guaca-48303696.univention.de (V)
25 guacamole.univention.de (V)
Inspect the certificate details to identify the newest valid certificate:
root@master:~/univention-support# univention-certificate dump -id 17 | grep -P 'Subject:|Not'
Not Before: Mar 22 08:36:32 2023 GMT
Not After : Mar 20 08:36:32 2028 GMT
Subject: C = DE, ST = DE, L = DE, O = Stadt Bremen, OU = Univention Corporate Server, CN = guacamole.univention.de, emailAddress = ssl@univention.de
root@master:~/univention-support# univention-certificate dump -id 25 | grep -P 'Subject:|Not'
Not Before: Jan 5 10:53:01 2026 GMT
Not After : Jan 4 10:53:01 2031 GMT
Subject: C = DE, ST = DE, L = DE, O = Stadt Bremen, OU = Univention Corporate Server, CN = guacamole.univention.de, emailAddress = ssl@univention.de
2. Revoke Duplicate / Outdated Certificates
Revoke all outdated or duplicate certificates and keep only the newest valid certificate:
root@master:~/univention-support# univention-certificate revoke -id 17
root@master:~/univention-support# univention-certificate revoke -id 18
root@master:~/univention-support# univention-certificate revoke -id 24
Verification:
root@master:~/univention-support# univention-certificate list-all | grep guac*
17 guacamole.univention.de (R)
18 guaca-48303696.univention.de (R)
24 guaca-48303696.univention.de (R)
25 guacamole.univention.de (V)
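The duplicate check from steps 1 and 2 can be scripted. This is an added example, not part of the original article or of UCS; the function name `dup_valid_certs` is hypothetical, and it assumes the three-column `<id> <name> (<status>)` layout shown in the listings above.

```shell
#!/bin/sh
# Added example: report host names that have more than one valid (V)
# certificate in `univention-certificate list-all` output.
# Assumed line format (as in the listings above): "<id> <name> (<status>)".

# dup_valid_certs: reads a listing on stdin and prints "<name>: <id> <id> ..."
# for every name that has two or more certificates in status (V).
dup_valid_certs() {
    awk '
        $3 == "(V)" {
            ids[$2] = (ids[$2] == "" ? $1 : ids[$2] " " $1)
            count[$2]++
        }
        END {
            for (name in count)
                if (count[name] > 1)
                    print name ": " ids[name]
        }
    ' | LC_ALL=C sort
}

# Constructed sample: the listing before revocation, copied from step 1.
SAMPLE_BEFORE='17 guacamole.univention.de (V)
18 guaca-48303696.univention.de (V)
24 guaca-48303696.univention.de (V)
25 guacamole.univention.de (V)'

# Constructed sample: the listing after revocation, copied from step 2.
SAMPLE_AFTER='17 guacamole.univention.de (R)
18 guaca-48303696.univention.de (R)
24 guaca-48303696.univention.de (R)
25 guacamole.univention.de (V)'

echo "before revocation:"
printf '%s\n' "$SAMPLE_BEFORE" | dup_valid_certs
echo "after revocation (no output means no duplicates):"
printf '%s\n' "$SAMPLE_AFTER" | dup_valid_certs
```

On the Primary Node the same function can be fed directly with `univention-certificate list-all | dup_valid_certs`; which of the reported IDs is the newest still has to be confirmed with `univention-certificate dump` as in step 1.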
3. Verify Apache2 Configuration for Guacamole
Search for Guacamole-related entries in the Apache configuration on the Guacamole server:
root@guacamole:/etc/apache2# grep -Ri guacamole /etc/apache2/
At this point, the SSL certificate directives were present, but ProxyPass rules were missing from the active SSL virtual host.
/etc/apache2/conf-enabled/ucs.conf:ServerAdmin webmaster@guacamole.univention.de
/etc/apache2/sites-enabled/default-ssl.conf: SSLCertificateFile /etc/univention/ssl/guacamole.univention.de/cert.pem
/etc/apache2/sites-enabled/default-ssl.conf: SSLCertificateKeyFile /etc/univention/ssl/guacamole.univention.de/private.key
/etc/apache2/sso-vhost.conf.d/01redirect.conf:RewriteRule ^/univention/(.*)$ %{REQUEST_SCHEME}://guacamole.univention.de/univention/$1 [L,QSA,R=301,END]
/etc/apache2/conf-available/ucs.conf:ServerAdmin webmaster@guacamole.univention.de
/etc/apache2/sites-available/default-ssl.conf: SSLCertificateFile /etc/univention/ssl/guacamole.univention.de/cert.pem
/etc/apache2/sites-available/default-ssl.conf: SSLCertificateKeyFile /etc/univention/ssl/guacamole.univention.de/private.key
Root Cause
The file:
/etc/apache2/sites-enabled/default-ssl.conf
was missing the required reverse proxy configuration for Guacamole. As a result, Apache2 could not forward requests to the internal Guacamole service, leading to the Not Found error.
Missing directives:
ProxyPass /guacamole/ http://127.0.0.1:40001/guacamole/ retry=0
ProxyPassReverse /guacamole/ http://127.0.0.1:40001/guacamole/
Solution
Option 1: Rebuild the Apache Configuration via UCR
Recreate the affected Apache configuration file using Univention Configuration Registry (UCR) and restart the Apache2 service:
ucr commit /etc/apache2/sites-enabled/default-ssl.conf
systemctl restart apache2.service
Option 2: Update the Guacamole App Configuration
Alternatively, updating the Univention App Center cache also regenerates the required Apache configuration file:
univention-app update
Downloading "https://appcenter.software-univention.de/meta-inf/app-categories.ini"...
Downloading "https://appcenter.software-univention.de/meta-inf/rating.ini"...
Downloading "https://appcenter.software-univention.de/meta-inf/license_types.ini"...
Downloading "https://appcenter.software-univention.de/meta-inf/ucs.ini"...
Downloading "https://appcenter.software-univention.de/meta-inf/suggestions.json"...
Downloading "https://appcenter.software-univention.de/meta-inf/5.0/all.tar.gpg"...
Downloading "http://appcenter.software-univention.de/meta-inf/5.0/all.tar.zsync"...
Downloading "https://appcenter.software-univention.de/meta-inf/4.4/all.tar.gpg"...
Downloading "http://appcenter.software-univention.de/meta-inf/4.4/all.tar.zsync"...
Downloading "https://appcenter.software-univention.de/meta-inf/4.3/all.tar.gpg"...
Multifile: /etc/apache2/sites-available/000-default.conf
File: /usr/share/univention-management-console/modules/apps.xml
File: /usr/share/univention-management-console/i18n/de/apps.mo
Multifile: /etc/apache2/sites-available/default-ssl.conf
During this process, the following config is rebuilt:
/etc/apache2/sites-available/default-ssl.conf
Then restart the Apache2 service:
systemctl restart apache2.service
Fixed Result
After rebuilding the configuration, the Guacamole proxy directives are present:
root@guacamole:/etc/apache2# grep -Ri guacamole /etc/apache2/
/etc/apache2/conf-enabled/ucs.conf:ServerAdmin webmaster@guacamole.univention.de
/etc/apache2/sites-enabled/default-ssl.conf: SSLCertificateFile /etc/univention/ssl/guacamole.univention.de/cert.pem
/etc/apache2/sites-enabled/default-ssl.conf: SSLCertificateKeyFile /etc/univention/ssl/guacamole.univention.de/private.key
/etc/apache2/sites-enabled/default-ssl.conf: ProxyPass /guacamole/ http://127.0.0.1:40001/guacamole/ retry=0
/etc/apache2/sites-enabled/default-ssl.conf: ProxyPassReverse /guacamole/ http://127.0.0.1:40001/guacamole/
/etc/apache2/sites-enabled/default-ssl.conf: ProxyPass /guacamole/ http://127.0.0.1:40001/guacamole/ retry=0
/etc/apache2/sites-enabled/default-ssl.conf: ProxyPassReverse /guacamole/ http://127.0.0.1:40001/guacamole/
/etc/apache2/sso-vhost.conf.d/01redirect.conf:RewriteRule ^/univention/(.*)$ %{REQUEST_SCHEME}://guacamole.univention.de/univention/$1 [L,QSA,R=301,END]
/etc/apache2/conf-available/ucs.conf:ServerAdmin webmaster@guacamole.univention.de
/etc/apache2/sites-available/default-ssl.conf: SSLCertificateFile /etc/univention/ssl/guacamole.univention.de/cert.pem
/etc/apache2/sites-available/default-ssl.conf: SSLCertificateKeyFile /etc/univention/ssl/guacamole.univention.de/private.key
/etc/apache2/sites-enabled/default-ssl.conf: ProxyPass /guacamole/ http://127.0.0.1:40001/guacamole/ retry=0
/etc/apache2/sites-enabled/default-ssl.conf: ProxyPassReverse /guacamole/ http://127.0.0.1:40001/guacamole/
/etc/apache2/sites-enabled/default-ssl.conf: ProxyPass /guacamole/ http://127.0.0.1:40001/guacamole/ retry=0
/etc/apache2/sites-enabled/default-ssl.conf: ProxyPassReverse /guacamole/ http://127.0.0.1:40001/guacamole/
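The grep above can be turned into a check that fails when either proxy directive is absent, so that it can run after every certificate renewal. This is an added example, not part of the original article or of UCS; the function name `check_guac_proxy` is hypothetical, and its defaults are the path prefix and backend URL quoted in the Root Cause section.

```shell
#!/bin/sh
# Added example: confirm that a vhost file still carries the Guacamole
# reverse-proxy directives. Defaults are the values quoted on this page.

# check_guac_proxy FILE [PREFIX] [BACKEND]
# Prints one line per missing directive and returns 1 if any is missing.
# Commented-out directives do not count as present.
check_guac_proxy() {
    file=$1
    prefix=${2:-/guacamole/}
    backend=${3:-http://127.0.0.1:40001/guacamole/}
    [ -r "$file" ] || { echo "cannot read $file"; return 2; }
    missing=0
    for directive in ProxyPass ProxyPassReverse; do
        if ! awk -v d="$directive" -v p="$prefix" -v b="$backend" '
                tolower($1) == tolower(d) && $2 == p && $3 == b { found = 1 }
                END { exit found ? 0 : 1 }' "$file"; then
            echo "missing: $directive $prefix $backend"
            missing=1
        fi
    done
    return "$missing"
}

# Constructed samples: the vhost as found during the investigation (TLS
# directives only, proxy rule commented out) and the vhost after the rebuild.
BROKEN=$(mktemp)
FIXED=$(mktemp)
cat > "$BROKEN" <<'EOF'
<VirtualHost *:443>
    SSLCertificateFile /etc/univention/ssl/guacamole.univention.de/cert.pem
    SSLCertificateKeyFile /etc/univention/ssl/guacamole.univention.de/private.key
    # ProxyPass /guacamole/ http://127.0.0.1:40001/guacamole/ retry=0
</VirtualHost>
EOF
cat > "$FIXED" <<'EOF'
<VirtualHost *:443>
    SSLCertificateFile /etc/univention/ssl/guacamole.univention.de/cert.pem
    ProxyPass /guacamole/ http://127.0.0.1:40001/guacamole/ retry=0
    ProxyPassReverse /guacamole/ http://127.0.0.1:40001/guacamole/
</VirtualHost>
EOF
check_guac_proxy "$BROKEN" || echo "-> rebuild the configuration"
check_guac_proxy "$FIXED" && echo "-> proxy rules present"
```

On the Guacamole server, call it as `check_guac_proxy /etc/apache2/sites-enabled/default-ssl.conf`.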
Verification
Test the Guacamole endpoint directly:
curl -I http://guacamole.univention.de/guacamole/
Result:
HTTP/1.1 200 OK
Date: Fri, 09 Jan 2026 14:05:27 GMT
Server: Apache-Coyote/1.1
Accept-Ranges: bytes
ETag: W/"4464-1499537050000"
Last-Modified: Sat, 08 Jul 2017 18:04:10 GMT
Content-Type: text/html
Content-Length: 4464
Via: 1.1 guacamole.univention.de
HTTP 200 confirms that the Guacamole web interface is accessible again.
Conclusion
After SSL certificate renewal, outdated certificates and missing Apache reverse proxy entries can prevent Guacamole from being reached.
Ensuring that only the newest certificate is active and rebuilding the Apache configuration via UCR or univention-app update resolves the issue reliably.