Problem: Log in to UMC Fails With TLS error

Problem

When trying to log in to the UMC, an error similar to the following appears:

Error message: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (unable to get local issuer certificate)

Environment

Logged in on the console, not even univention-ldapsearch works; it shows the same error:

root@ucs:/etc/ldap# univention-ldapsearch "uid=admi*"
ldap_start_tls: Connect error (-11)
    additional info: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (unable to get local issuer certificate)

Solution

Note: The following applies to the default UCS certificates. If you have installed other certificates, the details may differ slightly.

Step 1

Verify the certificates configured for the LDAP service. The configuration should look like this:

root@fps:/etc/ldap# rgrep -i pem  *
ldap.conf:TLS_CACERT /etc/univention/ssl/ucsCA/CAcert.pem
slapd.conf:TLSCertificateFile    /etc/univention/ssl/ucs.multi.ucs/cert.pem
slapd.conf:TLSCACertificateFile    /etc/univention/ssl/ucsCA/CAcert.pem
slapd.conf:TLSDHParamFile    /etc/ldap/dh_2048.pem

Step 2

Verify the certificate the LDAP service presents to clients when they connect:

root@ucs:/etc/ldap# openssl s_client -debug -connect localhost:7636
CONNECTED(00000003)
write to 0x56484c9cdd90 [0x56484c9dedf0] (176 bytes => 176 (0xB0))
[...]
subject=/CN=ucs.public.zone
issuer=/C=AT/O=ZeroSSL/CN=ZeroSSL RSA Domain Secure Site CA
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4057 bytes and written 269 bytes
Verification: OK

The presented certificate was issued for the public hostname of the UCS server (subject=/CN=ucs.public.zone). The LDAP service should not be exposed as a public service and therefore does not need the public certificate.
At the same time, the LDAP service is correctly configured according to step 1. So the running service has not yet picked up the configured certificates.

Step 3

Since the configuration is correct, the service simply needs to be restarted so it picks up the configured certificates:
systemctl restart slapd

After this, all processes were running fine again.

Optional / Step 4

If the verification is not OK, your ucsCA might have expired. You can check this with:

openssl x509 -noout -in /etc/univention/ssl/ucsCA/CAcert.pem -enddate

If it has expired, see Renewing the SSL certificates.
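The checks from steps 1, 2 and 4 can be automated so that the mismatch between the configured and the presented certificate is detected without reading through openssl s_client output by hand. The following script is an added example and is not part of the original article or of UCS itself. It assumes the default UCS paths shown above (slapd.conf in /etc/ldap, the ucsCA certificate in /etc/univention/ssl/ucsCA/CAcert.pem) and LDAPS on localhost:7636; all of these can be overridden through environment variables.

```shell
#!/bin/sh
# Added example (not from the article or from UCS): compare the certificate slapd
# actually presents on the LDAPS port with the TLSCertificateFile configured in
# slapd.conf, and check whether the ucsCA certificate has expired.
# Assumed defaults: the UCS paths and port named in the article; override via env.
set -u

SLAPD_CONF=${SLAPD_CONF:-/etc/ldap/slapd.conf}
CA_CERT=${CA_CERT:-/etc/univention/ssl/ucsCA/CAcert.pem}
LDAPS_TARGET=${LDAPS_TARGET:-localhost:7636}

# SHA-256 fingerprint ("AB:CD:...") of a PEM certificate file.
cert_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$1" | cut -d= -f2
}

# SHA-256 fingerprint of the leaf certificate a TLS server presents on host:port.
# s_client still prints the certificate when chain verification fails, which is
# exactly the situation described in the article.
presented_fingerprint() {
    openssl s_client -connect "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# Path given by the TLSCertificateFile directive in a slapd.conf-style file.
configured_cert_file() {
    awk '$1 == "TLSCertificateFile" { print $2; exit }' "$1"
}

# Exit status 0 if the certificate is still valid $2 seconds from now (default: now).
cert_valid_for() {
    openssl x509 -noout -checkend "${2:-0}" -in "$1" >/dev/null 2>&1
}

# "same" when the presented certificate is the configured one, "mismatch" otherwise.
compare_fingerprints() {
    if [ -n "$1" ] && [ "$1" = "$2" ]; then echo same; else echo mismatch; fi
}

main() {
    cert_file=$(configured_cert_file "$SLAPD_CONF")
    [ -n "$cert_file" ] || { echo "no TLSCertificateFile in $SLAPD_CONF" >&2; return 2; }
    configured=$(cert_fingerprint "$cert_file")
    presented=$(presented_fingerprint "$LDAPS_TARGET")
    echo "configured ($cert_file): $configured"
    echo "presented  ($LDAPS_TARGET): $presented"
    case $(compare_fingerprints "$configured" "$presented") in
        same)     echo "slapd presents the configured certificate" ;;
        mismatch) echo "slapd does NOT present the configured certificate; restart slapd and re-check" ;;
    esac
    if cert_valid_for "$CA_CERT" 0; then
        echo "ucsCA certificate $CA_CERT is still valid"
    else
        echo "ucsCA certificate $CA_CERT has expired or is unreadable"
    fi
}

# Run the check only when invoked as: sh ldap-cert-check.sh check
if [ "${1:-}" = check ]; then main; fi
```

In the situation from step 2 the script reports "mismatch" because the fingerprint of /etc/univention/ssl/ucs.multi.ucs/cert.pem differs from that of the ZeroSSL certificate slapd is still serving; after the restart in step 3 both fingerprints agree. The expiry check uses the same openssl x509 call as step 4, only with -checkend instead of -enddate, so it can be scheduled and alerted on.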
