Kudos @Moritz_Bunkus
Problem
In system diagnostic you see an error about an invalid certificate.
It might occur after having renewed your certificates based on this article.
Or you have installed external certificates based on this article.
Solution
Step 1
root@ucs:~# univention-run-diagnostic-checks -t 02_certificate_check
Domain Admin Login:Administrator
Password:
You can find the logging messages of the diagnostic modules at /var/log/univention/management-console-module-diagnostic.log
############################
## Check failed: 02_certificate_check - ĂśberprĂĽfe GĂĽltigkeit der SSL Zertifikate
UngĂĽltiges Zertifikat '/etc/simplesaml.php/ucs-sso.multi.ucs.crt' gefunden:
error /etc/simplesaml.php/ucs-sso.multi.ucs.crt: verification failed
Siehe {sdb} fĂĽr Informationen zum Erneuern von Zertifikaten.
########### End #############
Step 2
Verify the certificate in question:
root@ucs:~# openssl verify /etc/simplesaml.php/ucs-sso.multi.ucs.crt
If you see an error message like this proceed with the next step.
error 20 at 0 depth lookup: unable to get local issuer certificate
error /etc/simplesaml.php/ucs-sso.multi.ucs.crt: verification failed
Step 3
Check the issuer of the failing certificate:
root@ucs:~# openssl x509 -in /etc/simplesamlphp/ucs-sso.multi.local-idp-certificate.crt -noout -issuer
issuer=C = DE, ST = DE, L = DE, O = DE, OU = Univention Corporate Server, CN = Univention Corporate Server Root CA (ID=Aa7815D5), emailAddress = ssl@multi.lan
Note: In case you see “Univention Corporate Server Root CA” as issuer proceed to step 4b. If the certificate has been issued by an official (public) CA proceed with step 4a.
Step 4a
Step 4a-A
Get the CA from the issuer:
root@ucs:~# wget http://repository.certum.pl/myIssuerCA.cer
root@ucs:~# file myIssuerCA.cer
myIssuerCA.cer: data
Step 4a-B
Convert the data to pem
root@ucs:~# openssl x509 -inform der -in myIssuerCA.cer -out myIssuerCA.pem
root@ucs:~# file myIssuerCA.pem
myIssuerCA.pem: PEM certificate
Step 4a-C
Rename it into the expected ending and copy it to the destination folder.
root@ucs:~# mv myIssuerCA.pem myIssuerCA.crt
root@ucs:~# cp myIssuerCA.crt /usr/local/share/ca-certificates
Step 4a-D
Update the ca store.
root@ucs:~# update-ca-certificates
Updating certificates in /etc/ssl/certs...
1 added, 0 removed; done.
This should fix the issue and the certificate check should succeed.
Step 4b
Step 4b-A
Verify the certificate with the certificate of your UCS CA (expect an error message):
openssl verify -CAfile /usr/local/share/ca-certificates/ucsCA.crt /etc/simplesaml.php/ucs-sso.multi.ucs.crt
error 20 at 0 depth lookup: unable to get local issuer certificate
error /etc/simplesaml.php/ucs-sso.multi.ucs.crt: verification failed
Step 4b-B
The CA and the issuer of your certificate do not match. Verify the subject name of the CA:
root@ucsadsrv:~# openssl x509 -noout -subject -in /usr/local/share/ca-certificates/ucsCA.crt
subject=C = DE, ST = DE, L = DE, O = DE, OU = Univention Corporate Server, CN = Univention Corporate Server Root CA (ID=Aa7815D5), emailAddress = ssl@multi.local
The issuer of the host certificate above shows with ssl@multi.lan vs. ssl@multi.local from the CA.
Step 4b-C
Verify the host’s certificate matches the CA:
root@ucsadsrv:~# openssl verify -CAfile /usr/local/share/ca-certificates/ucsCA.crt /etc/univention/ssl/ucs/cert.pem
cert.pem: OK
If this prints “OK” copy the file to the needed location:
root@ucs:~# cp /etc/univention/ssl/ucs/cert.pem /etc/simplesaml.php/ucs-sso.multi.ucs.crt
root@ucs:~# cp /etc/univention/ssl/ucs/private.key /etc/simplesaml.php/ucs-sso.multi.ucs.key
service univention-saml restart