Problem
Join fails due to a certificate error, but the Let's Encrypt certificate is valid.
root@uc:/# univention-run-join-scripts --run-scripts 92univention-management-console-web-server.inst
univention-run-join-scripts: runs all join scripts existing on local computer.
copyright (c) 2001-2020 Univention GmbH, Germany
Enter DC Master Account : Administrator
Enter DC Master Password:
Search LDAP binddn: done
Running pre-joinscripts hook(s): done
Running 92univention-management-console-web-server.inst failed (exitcode: 3)
Running post-joinscripts hook(s): done
In the logs you find:
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
^M 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0^M 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
curl: (60) SSL certificate problem: certificate has expired
More details here: https://curl.haxx.se/docs/sslcerts.html
A test via wget shows the same:
root@ucs:/# wget https://ucs-sso.testschule-intranet/simplesamlphp/saml2/idp/metadata.php
--2021-11-26 08:45:46-- https://ucs-sso.testschule-intranet/simplesamlphp/saml2/idp/metadata.php
Auflösen des Hostnamens »ucs-sso.testschule-intranet (ucs-sso.testschule-intranet)« … 10.10.10.10
Verbindungsaufbau zu ucs-sso.testschule-intranet (ucs-sso.testschule-intranet)|10.10.10.10|:443 … verbunden.
FEHLER: Dem Zertifikat von »ucs-sso.testschule-intranet« wird nicht vertraut.
FEHLER: Das Zertifikat von »ucs-sso.testschule-intranet« ist abgelaufen.
The certificate was checked and it is still valid. What is going on? Other systems have no problem with that certificate.
Environment
UCS 4.x before errata 1059
Let's Encrypt certificate.
All UCS 4 installation images before errata 1059 will now run into this problem if Let's Encrypt certificates are used. The Let's Encrypt root certificate in the libgnutls and libssl packages is expired.
Solution
Simply update the UCS system to an errata level higher than 1059 before joining.