Problem: Re-join from DC-Backup into the domain

Problem

After the DC backup was moved, the customer had to completely rejoin the system to the domain. The join was not possible, and the following error message appeared in /var/log/univention/join.log.

5.04.18 13:04:25.021 MODULE ( PROCESS ) : Could not connect to the DC master ucs.univention.de: ('Could not send request.', SSLError(1, u'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:581)'))

Solution

Not all steps from the article "Renewing the SSL certificates" were carried out when updating/moving the DC. The step that copies the current certificates to a path for Apache was missing.

The last step is not required on a UCS backup computer as it occurs automatically via cron.

It is now mandatory to make the newly created certificate available to all users via the UCS master's central administration website.
The following command can be used to do this:

cp ucsCA/CAcert.pem /var/www/ucs-root-ca.crt

The new server wanted to log on to the master via SSL, but needed the CA first. However, this certificate was out of date, which is why the error occurred during the SSL handshake.
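A check for the condition described above, as an added example that is not part of the original article: it compares the CA certificate published for download with the CA currently in use and reports a stale or expired copy. The function names and exit codes are assumptions of this example; the two paths in the usage comment are the ones from the cp command above.

```shell
#!/bin/sh
# Added example (not Univention's own tooling): verify that the CA copy
# served to joining systems is the CA that is currently in use.

# Print the SHA-256 fingerprint of a PEM certificate, or nothing on error.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# check_published_ca CURRENT_CA PUBLISHED_CA
# Exit codes (chosen for this example):
#   0  published copy matches the current CA and has not expired
#   1  published copy differs from the current CA (stale copy)
#   2  published copy has expired
#   3  one of the files cannot be read as a certificate
check_published_ca() {
    current=$1
    published=$2
    fp_current=$(cert_fingerprint "$current")
    fp_published=$(cert_fingerprint "$published")
    if [ -z "$fp_current" ] || [ -z "$fp_published" ]; then
        echo "ERROR: cannot parse $current or $published" >&2
        return 3
    fi
    if [ "$fp_current" != "$fp_published" ]; then
        echo "STALE: $published does not match $current" >&2
        echo "  current:   $fp_current" >&2
        echo "  published: $fp_published" >&2
        return 1
    fi
    # -checkend 0 exits non-zero if the certificate has already expired.
    if ! openssl x509 -in "$published" -noout -checkend 0 >/dev/null 2>&1; then
        echo "EXPIRED: $published" >&2
        return 2
    fi
    echo "OK: $published matches $current ($fp_published)"
    return 0
}

# Run the check when called with two paths, for example on the DC master:
#   sh check_ca.sh ucsCA/CAcert.pem /var/www/ucs-root-ca.crt
if [ "$#" -eq 2 ]; then
    check_published_ca "$1" "$2"
fi
```

A result of STALE before a join corresponds to the situation in this article: the cp command above has not been run since the CA was renewed.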
