Problem
When a password change is attempted via SSO (here SimpleSAMLphp), it fails with an error.
For example, a teacher resets a student's password and the student then tries to change their password; the change fails with an error.
A curl against the FQDN of the Primary Node shows the underlying cause:
root@ucs-master# curl https://ucs-master.univention.de
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
Solution
Step 1: Download the certificate of the CA that actually issued the server certificate (here from Certum's repository).
cd /usr/local/share/ca-certificates
wget https://repository.certum.pl/dvcasha2.pem
--2024-09-24 14:28:49-- https://repository.certum.pl/dvcasha2.pem
Resolving repository.certum.pl (repository.certum.pl)... 23.50.131.139, 23.50.131.137, 2a02:26f0:3500:14::1724:a247, ...
Connecting to repository.certum.pl (repository.certum.pl)|23.50.131.139|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1728 (1,7K)
Saving to: ‘dvcasha2.pem’
dvcasha2.pem 100%[=====================================================================================================================>] 1,69K --.-KB/s in 0s
2024-09-24 14:28:49 (32,1 MB/s) - ‘dvcasha2.pem’ saved [1728/1728]
Step 2: List the available certificates and rename the downloaded file to .crt (update-ca-certificates only processes files with a .crt extension).
root@ucs-master /usr/local/share/ca-certificates# ls -lah
total 16K
drwxrwsr-x 2 root staff 4,0K 2024-09-24 14:28 ./
drwxrwsr-x 9 root staff 4,0K 2024-07-04 17:25 ../
-rw-r--r-- 1 root staff 1,7K 2020-03-06 10:54 dvcasha2.pem
-rw-r--r-- 1 root staff 2,0K 2019-05-24 14:08 ucs-ca.crt
lrwxrwxrwx 1 root staff 36 2019-05-06 09:12 ucsCA.crt -> /etc/univention/ssl/ucsCA/CAcert.pem
root@ucs-master /usr/local/share/ca-certificates# mv dvcasha2.pem dvcasha2.crt
root@ucs-master /usr/local/share/ca-certificates# ls -lah
total 16K
drwxrwsr-x 2 root staff 4,0K 2024-09-24 14:29 ./
drwxrwsr-x 9 root staff 4,0K 2024-07-04 17:25 ../
-rw-r--r-- 1 root staff 1,7K 2020-03-06 10:54 dvcasha2.crt
-rw-r--r-- 1 root staff 2,0K 2019-05-24 14:08 ucs-ca.crt
lrwxrwxrwx 1 root staff 36 2019-05-06 09:12 ucsCA.crt -> /etc/univention/ssl/ucsCA/CAcert.pem
Step 3: Update the CA certificates.
root@ucs-master /usr/local/share/ca-certificates# update-ca-certificates
Updating certificates in /etc/ssl/certs...
1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
Adding debian:dvcasha2.pem
done.
Restarting docker-app-ucsschool-id-connector (via systemctl): docker-app-ucsschool-id-connector.service.
done.
Step 4: Curl the FQDN of the Primary Node again; the TLS handshake now succeeds and Apache answers with a redirect.
root@ucs-master /usr/local/share/ca-certificates# curl https://ucs-master.univention.de
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="https://ucs-master.univention.de/univention/">here</a>.</p>
<hr>
<address>Apache/2.4.59 (Univention) Server at ucs-master.univention.de Port 443</address>
</body></html>
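The rename in Step 2 is not cosmetic: update-ca-certificates only considers *.crt files in /usr/local/share/ca-certificates, so the .pem as downloaded would have been skipped silently. The following Python script is an added example, not part of this article or of UCS. It stages a downloaded CA file under a .crt name, reports which files the tool would ignore, and computes the certificate's SHA-256 fingerprint so it can be compared with the fingerprint the CA publishes before the file is trusted system-wide. The helper names, the throw-away directory and the fake PEM payload are constructed for the example.

```python
import base64
import hashlib
import os
import shutil
import tempfile

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"


def pem_bodies(pem_text):
    """Return the base64 payload of every CERTIFICATE block in a PEM text."""
    bodies, current, in_block = [], [], False
    for line in pem_text.splitlines():
        line = line.strip()
        if line == PEM_BEGIN:
            in_block, current = True, []
        elif line == PEM_END and in_block:
            bodies.append("".join(current))
            in_block = False
        elif in_block:
            current.append(line)
    return bodies


def sha256_fingerprint(pem_text):
    """SHA-256 over the DER bytes of the single certificate in pem_text, formatted like
    `openssl x509 -noout -fingerprint -sha256`, for comparison with the CA's published value."""
    bodies = pem_bodies(pem_text)
    if len(bodies) != 1:
        raise ValueError("expected exactly one PEM certificate, found %d" % len(bodies))
    digest = hashlib.sha256(base64.b64decode(bodies[0])).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def files_ignored_by_update_ca_certificates(ca_dir):
    """update-ca-certificates only processes *.crt files in /usr/local/share/ca-certificates;
    anything else, such as a freshly downloaded .pem, is silently skipped."""
    return sorted(name for name in os.listdir(ca_dir) if not name.endswith(".crt"))


def stage_ca_certificate(src_path, ca_dir):
    """Hypothetical helper: check that src_path holds exactly one PEM certificate and copy
    it into ca_dir under a .crt name (the article does this by hand with mv).
    Returns (destination path, SHA-256 fingerprint)."""
    with open(src_path, "r", encoding="ascii") as fh:
        fingerprint = sha256_fingerprint(fh.read())
    stem = os.path.splitext(os.path.basename(src_path))[0]
    dest = os.path.join(ca_dir, stem + ".crt")
    shutil.copyfile(src_path, dest)
    return dest, fingerprint


# Constructed sample: a PEM envelope around base64("hello"), not a real certificate.
# It only exercises the file handling; a real run would use the downloaded dvcasha2.pem.
SAMPLE_PEM = PEM_BEGIN + "\naGVsbG8=\n" + PEM_END + "\n"


def demo():
    """Stage the constructed sample in a throw-away CA directory and report what
    update-ca-certificates would see before and after the rename."""
    with tempfile.TemporaryDirectory() as ca_dir:
        src = os.path.join(ca_dir, "dvcasha2.pem")
        with open(src, "w", encoding="ascii") as fh:
            fh.write(SAMPLE_PEM)
        before = files_ignored_by_update_ca_certificates(ca_dir)
        dest, fingerprint = stage_ca_certificate(src, ca_dir)
        os.remove(src)  # mirrors `mv`: leave only the .crt behind
        after = files_ignored_by_update_ca_certificates(ca_dir)
        return before, after, os.path.basename(dest), fingerprint


if __name__ == "__main__":
    print(demo())
```

On a real system you would point stage_ca_certificate at the downloaded file and /usr/local/share/ca-certificates, compare the printed fingerprint with the one on the CA's site, and only then run update-ca-certificates as in Step 3.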
Investigation
Check (and if necessary set) the UCR variable for the password change server, then restart Apache:
ucr set ucs/server/sso/password/change/server=$FQDN
service apache2 restart
We looked for more debug information to understand why the curl to the DC Master was failing.
root@ucs-master# curl https://ucs-master.univention.de
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
The password change is not performed by Self Service, as we both had assumed, but by SimpleSAMLphp in the UMC.
We therefore raised the log level of the affected code on the DC Master from warning to error in order to finally get a usable error message.
In /usr/share/simplesamlphp/modules/uldap/lib/Auth/Source/uLDAP.php the SimpleSAML\Logger calls around the password change request were changed to SimpleSAML\Logger::error.

Default:
$response = curl_exec($ch);
if ($response === FALSE) {
    SimpleSAML\Logger::warning('Error: ' . curl_error($ch));
}
$httpcode = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
SimpleSAML\Logger::debug('Password changing response: ' . var_export(array($httpcode, $response), true));
if (FALSE !== $response && strpos(curl_getinfo($ch, CURLINFO_CONTENT_TYPE), 'application/json') >= 0) {
    $response = json_decode($response, TRUE);

Changed:
$response = curl_exec($ch);
if ($response === FALSE) {
    SimpleSAML\Logger::error('Error: ' . curl_error($ch));   // was: warning
}
$httpcode = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
SimpleSAML\Logger::error('Password changing response: ' . var_export(array($httpcode, $response), true));   // was: debug
if (FALSE !== $response && strpos(curl_getinfo($ch, CURLINFO_CONTENT_TYPE), 'application/json') >= 0) {
    $response = json_decode($response, TRUE);
Restart the UMC service:
systemctl restart univention-management-console-server.service
After another attempt to change the password, the journal shows the following:
journalctl -e
Sep 24 13:40:09 ucs-master univention-saml-stunnel[10158]: LOG4[29752]: CERT: Pre-verification error: certificate has expired
Sep 24 13:40:09 ucs-master univention-saml-stunnel[10158]: LOG4[29752]: Rejected by CERT at depth=0: C=DE, ST=DE, L=DE, O=Univention, OU=Univention Corporate Server, CN=ucs-sso.univention.de, emailAddress=ssl@univention
Sep 24 13:40:09 ucs-master univention-saml-stunnel[10158]: LOG3[29752]: SSL_connect: 1416F086: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
Sep 24 13:40:09 ucs-master univention-saml-stunnel[10158]: LOG3[29753]: SSL_read: 14094438: error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error
Sep 24 13:40:09 ucs-master simplesamlphp[7598]: 5 STAT [1750621820] saml20-idp-SSO https://portal.univention.schule/univention/saml/metadata https://ucs-sso.univention.schule/simplesamlphp/saml2/idp/me
Sep 24 13:40:09 ucs-master simplesamlphp[7598]: 3 [1750621820] SimpleSAML_Error_Exception: Error 8 - MemcachePool::get(): Server unix:///var/run/univention-saml/ucs-backup.univention.de.socket (tcp 0, udp 0) faile
Sep 24 13:40:09 ucs-master simplesamlphp[7598]: 3 [1750621820] SimpleSAML_Error_Exception: Error 8 - MemcachePool::get(): Server unix:///var/run/univention-saml/ucs-keycloak.univention.de.socket (tcp 0, udp 0) fai
Sep 24 13:40:14 ucs-master univention-saml-stunnel[10158]: LOG4[29754]: CERT: Pre-verification error: certificate has expired
Sep 24 13:40:14 ucs-master univention-saml-stunnel[10158]: LOG4[29754]: Rejected by CERT at depth=0: C=DE, ST=DE, L=DE, O=univention, OU=Univention Corporate Server, CN=ucs-sso.univention.de, emailAddress=ssl@univention
Sep 24 13:40:14 ucs-master univention-saml-stunnel[10158]: LOG3[29754]: SSL_connect: 1416F086: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
Sep 24 13:40:14 ucs-master univention-saml-stunnel[10158]: LOG3[29755]: SSL_read: 14094438: error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error
Sep 24 13:40:14 ucs-master simplesamlphp[7643]: 3 [87af20eead] Error: SSL certificate problem: unable to get local issuer certificate
Sep 24 13:40:14 ucs-master simplesamlphp[7643]: 3 [87af20eead] Password changing response: array (
Sep 24 13:40:14 ucs-master simplesamlphp[7643]: 0 => 0,
Sep 24 13:40:14 ucs-master simplesamlphp[7643]: 1 => false,
Sep 24 13:40:14 ucs-master simplesamlphp[7643]: )
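The journal excerpt above actually contains two different certificate failures: stunnel rejecting the certificate presented by ucs-sso.univention.de as expired, and the curl call inside SimpleSAMLphp failing with "unable to get local issuer certificate". The following Python parser is an added example, not from this article or from UCS, that separates the two over the lines quoted above: stunnel messages are grouped by their connection id and the rejected subject's CN is extracted, while the simplesamlphp error text is collected separately, so the failing endpoint and the reason can be counted and monitored. The regular expressions and field names are my own.

```python
import re
from collections import Counter

# Journal lines taken from the excerpt above (the lines the parser needs).
SAMPLE_JOURNAL = """\
Sep 24 13:40:09 ucs-master univention-saml-stunnel[10158]: LOG4[29752]: CERT: Pre-verification error: certificate has expired
Sep 24 13:40:09 ucs-master univention-saml-stunnel[10158]: LOG4[29752]: Rejected by CERT at depth=0: C=DE, ST=DE, L=DE, O=Univention, OU=Univention Corporate Server, CN=ucs-sso.univention.de, emailAddress=ssl@univention
Sep 24 13:40:09 ucs-master univention-saml-stunnel[10158]: LOG3[29752]: SSL_connect: 1416F086: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
Sep 24 13:40:14 ucs-master univention-saml-stunnel[10158]: LOG4[29754]: CERT: Pre-verification error: certificate has expired
Sep 24 13:40:14 ucs-master univention-saml-stunnel[10158]: LOG4[29754]: Rejected by CERT at depth=0: C=DE, ST=DE, L=DE, O=univention, OU=Univention Corporate Server, CN=ucs-sso.univention.de, emailAddress=ssl@univention
Sep 24 13:40:14 ucs-master simplesamlphp[7643]: 3 [87af20eead] Error: SSL certificate problem: unable to get local issuer certificate
Sep 24 13:40:14 ucs-master simplesamlphp[7643]: 3 [87af20eead] Password changing response: array (
Sep 24 13:40:14 ucs-master simplesamlphp[7643]: 0 => 0,
Sep 24 13:40:14 ucs-master simplesamlphp[7643]: 1 => false,
Sep 24 13:40:14 ucs-master simplesamlphp[7643]: )
"""

# stunnel tags every message with LOG<level>[<connection id>]; the id ties the
# "Pre-verification error" line to the "Rejected by CERT" line of the same handshake.
STUNNEL_PREVERIFY = re.compile(
    r"univention-saml-stunnel\[\d+\]: LOG4\[(\d+)\]: CERT: Pre-verification error: (.+)$")
STUNNEL_REJECTED = re.compile(
    r"univention-saml-stunnel\[\d+\]: LOG4\[(\d+)\]: Rejected by CERT at depth=(\d+): (.+)$")
# SimpleSAMLphp errors raised by the Logger::error() call added in uLDAP.php above.
SSP_ERROR = re.compile(r"simplesamlphp\[\d+\]: 3 \[\w+\] Error: (.+)$")
CN_FIELD = re.compile(r"(?:^|, )CN=([^,]+)")


def parse_tls_failures(journal_text):
    """Return {'stunnel': {conn_id: {...}}, 'simplesamlphp': [error, ...]}.
    Each stunnel record carries the verification reason, the depth at which the
    chain was rejected, the full subject and its CN."""
    per_conn = {}
    ssp_errors = []
    for line in journal_text.splitlines():
        m = STUNNEL_PREVERIFY.search(line)
        if m:
            per_conn.setdefault(m.group(1), {})["reason"] = m.group(2)
            continue
        m = STUNNEL_REJECTED.search(line)
        if m:
            rec = per_conn.setdefault(m.group(1), {})
            rec["depth"] = int(m.group(2))
            rec["subject"] = m.group(3)
            cn = CN_FIELD.search(m.group(3))
            rec["cn"] = cn.group(1) if cn else None
            continue
        m = SSP_ERROR.search(line)
        if m:
            ssp_errors.append(m.group(1))
    return {"stunnel": per_conn, "simplesamlphp": ssp_errors}


def summarize(journal_text):
    """Count stunnel rejections per (CN, reason): a quick view of which endpoint is
    failing and why (expired versus unknown issuer), independent of the curl error."""
    parsed = parse_tls_failures(journal_text)
    counts = Counter()
    for rec in parsed["stunnel"].values():
        counts[(rec.get("cn"), rec.get("reason"))] += 1
    return counts


if __name__ == "__main__":
    result = parse_tls_failures(SAMPLE_JOURNAL)
    for conn_id, rec in sorted(result["stunnel"].items()):
        print("stunnel conn %s: %s (depth %d, CN=%s)" % (conn_id, rec["reason"], rec["depth"], rec["cn"]))
    for err in result["simplesamlphp"]:
        print("simplesamlphp: %s" % err)
    print(summarize(SAMPLE_JOURNAL))
```

Feeding it `journalctl -u univention-saml-stunnel -o cat` style output instead of the sample separates the two problems at a glance: a depth-0 rejection with "certificate has expired" points at the presented server certificate itself, whereas "unable to get local issuer certificate" from curl points at the trust store on the client side, which is what Steps 1 to 3 fix.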
Under the path for the shared CA certificates there was a .crt with the wrong issuer:
/usr/local/share/ca-certificates/ThawteTLSRSACAG1.crt
See also: