Problem: Join fails due to a certificate error, but the Let's Encrypt certificate is valid

Problem

The join fails due to a certificate error, but the Let's Encrypt certificate is valid.

root@uc:/# univention-run-join-scripts --run-scripts  92univention-management-console-web-server.inst
univention-run-join-scripts: runs all join scripts existing on local computer.
copyright (c) 2001-2020 Univention GmbH, Germany
 
Enter DC Master Account : Administrator
Enter DC Master Password:
 
Search LDAP binddn:                                        done
Running pre-joinscripts hook(s):                           done
Running 92univention-management-console-web-server.inst    failed (exitcode: 3)
Running post-joinscripts hook(s):                          done

In the logs you find:

curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
^M  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0^M  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
curl: (60) SSL certificate problem: certificate has expired
More details here: https://curl.haxx.se/docs/sslcerts.html

A test via wget shows the same:

root@ucs:/# wget https://ucs-sso.testschule-intranet/simplesamlphp/saml2/idp/metadata.php
--2021-11-26 08:45:46--  https://ucs-sso.testschule-intranet/simplesamlphp/saml2/idp/metadata.php
Auflösen des Hostnamens »ucs-sso.testschule-intranet (ucs-sso.testschule-intranet)« … 10.10.10.10
Verbindungsaufbau zu ucs-sso.testschule-intranet (ucs-sso.testschule-intranet)|10.10.10.10|:443 … verbunden.
FEHLER: Dem Zertifikat von »ucs-sso.testschule-intranet« wird nicht vertraut.
FEHLER: Das Zertifikat von »ucs-sso.testschule-intranet« ist abgelaufen.

The certificate was checked and is still valid. What is going on? Other systems have no problem with that certificate.

Environment

UCS 4.x before errata 1059
Let's Encrypt certificate.

All UCS 4 installation images before errata 1059 will now run into this problem if Let's Encrypt certificates are used. The Let's Encrypt root certificate in the libgnutls and libssl packages has expired.
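
To find out which certificate actually triggers "certificate has expired" while the server certificate itself is still valid, the following added example (not part of the original article) prints the expiry status of every certificate in a PEM bundle, such as the chain a server sends or the local CA bundle. The function name chain_expiry and all file names are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original article.
# chain_expiry BUNDLE [SECONDS]
#   Prints one line per certificate found in the PEM file BUNDLE and returns 1
#   if any of them is expired (or expires within SECONDS, default 0).
# The body runs in a subshell "( ... )" so its variables stay local.
chain_expiry() (
    bundle=$1
    within=${2:-0}
    rc=0
    bad=EXPIRED
    if [ "$within" -gt 0 ]; then bad=EXPIRING; fi
    tmp=$(mktemp -d) || exit 2

    # Split the bundle into one file per certificate; text between the
    # PEM blocks (for example s_client output) is ignored.
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert%03d.pem", dir, n) }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
    ' "$bundle"

    for f in "$tmp"/cert*.pem; do
        if [ ! -e "$f" ]; then
            echo "no certificates found in $bundle" >&2
            rc=2
            break
        fi
        # -checkend N exits 0 only if the certificate is still valid in N seconds.
        if openssl x509 -in "$f" -noout -checkend "$within" >/dev/null; then
            state=OK
        else
            state=$bad
            rc=1
        fi
        printf '%-8s %s | %s\n' "$state" \
            "$(openssl x509 -in "$f" -noout -enddate)" \
            "$(openssl x509 -in "$f" -noout -subject)"
    done
    rm -rf "$tmp"
    exit "$rc"
)
```

Run it on the output of `openssl s_client -connect HOST:443 -showcerts </dev/null` saved to a file (HOST is a placeholder) and on the local CA bundle, which on Debian-based systems is usually /etc/ssl/certs/ca-certificates.crt (an assumption here), to see on which side the expired certificate sits.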

Solution

Simply update the UCS system to an errata level higher than 1059 before joining.
