When trying to log on to the UMC you will get an error similar to the following:

Error message: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (unable to get local issuer certificate)

Logging in to the console, not even univention-ldapsearch is working and shows the same error:

root@ucs:/etc/ldap# univention-ldapsearch "uid=admi*"
ldap_start_tls: Connect error (-11)
        additional info: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (unable to get local issuer certificate)
Note: The following applies to default UCS certificates. In case you have installed other certificates it might be slightly different.
Verify the configured certificate for the LDAP service. It should look like this:

root@fps:/etc/ldap# rgrep -i pem *
ldap.conf:TLS_CACERT /etc/univention/ssl/ucsCA/CAcert.pem
slapd.conf:TLSCertificateFile /etc/univention/ssl/ucs.multi.ucs/cert.pem
slapd.conf:TLSCACertificateFile /etc/univention/ssl/ucsCA/CAcert.pem
slapd.conf:TLSDHParamFile /etc/ldap/dh_2048.pem
Verify the certificate the LDAP service actually presents to clients when connecting:

root@ucs:/etc/ldap# openssl s_client -debug -connect localhost:7636
CONNECTED(00000003)
write to 0x56484c9cdd90 [0x56484c9dedf0] (176 bytes => 176 (0xB0))
[...]
subject=/CN=ucs.public.zone
issuer=/C=AT/O=ZeroSSL/CN=ZeroSSL RSA Domain Secure Site CA
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4057 bytes and written 269 bytes
Verification: OK
The presented certificate was issued for the public hostname of the UCS server (subject=/CN=ucs.public.zone). The LDAP service is not meant to be exposed as a public service and therefore does not need the public certificate. Because the LDAP clients verify the server against the UCS CA configured in TLS_CACERT (/etc/univention/ssl/ucsCA/CAcert.pem), a certificate issued by an external CA such as ZeroSSL cannot be validated by them, which is exactly the "unable to get local issuer certificate" error above. (openssl s_client reports "Verification: OK" only because it checks against the system trust store, not against the UCS CA.)

At the same time, the LDAP service is correctly configured according to step 1, so slapd is simply still running with the certificate it loaded earlier and has not yet picked up the configured one.

As the configuration is fine we simply need to restart the service:
systemctl restart slapd
After this all processes were running fine.
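To confirm after the restart that slapd really presents the certificate configured in slapd.conf, the following added example (not part of the original article or of UCS itself) compares the SHA-256 fingerprint of the configured TLSCertificateFile with the fingerprint of the leaf certificate the LDAPS port actually serves. The fingerprint is computed over the DER encoding, so it matches what `openssl x509 -fingerprint -sha256` prints. The slapd.conf snippet and the PEM blobs in the test are constructed samples; the host/port default (localhost:7636) is taken from the article, and the conf path /etc/ldap/slapd.conf is assumed.

```python
import base64
import hashlib
import re
import ssl
from typing import Optional

# Constructed sample reproducing the slapd.conf lines shown in the article.
SAMPLE_SLAPD_CONF = """\
TLSCertificateFile /etc/univention/ssl/ucs.multi.ucs/cert.pem
TLSCACertificateFile /etc/univention/ssl/ucsCA/CAcert.pem
TLSDHParamFile /etc/ldap/dh_2048.pem
"""


def configured_cert_path(slapd_conf_text: str) -> Optional[str]:
    """Return the path given to the TLSCertificateFile directive, or None if absent."""
    for line in slapd_conf_text.splitlines():
        m = re.match(r"^\s*TLSCertificateFile\s+(\S+)", line)
        if m:
            return m.group(1)
    return None


def sha256_fingerprint(pem_cert: str) -> str:
    """SHA-256 fingerprint over the DER encoding, formatted like openssl (AA:BB:...)."""
    der = ssl.PEM_cert_to_DER_cert(pem_cert)
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def presented_cert_pem(host: str = "localhost", port: int = 7636) -> str:
    """Fetch the leaf certificate the server presents; no verification is performed here."""
    return ssl.get_server_certificate((host, port))


def compare(configured_pem: str, presented_pem: str) -> dict:
    """Report both fingerprints and whether the served leaf equals the configured file."""
    configured = sha256_fingerprint(configured_pem)
    presented = sha256_fingerprint(presented_pem)
    return {"configured": configured, "presented": presented, "match": configured == presented}


def constructed_pem(body: bytes) -> str:
    """Build a PEM-shaped blob for offline tests (constructed, not a real certificate)."""
    b64 = base64.b64encode(body).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "\n-----END CERTIFICATE-----\n"


def main() -> None:
    # On a real UCS host: read the configured file and compare with the live listener.
    with open("/etc/ldap/slapd.conf", encoding="utf-8") as fh:
        path = configured_cert_path(fh.read())
    if path is None:
        raise SystemExit("no TLSCertificateFile directive found in slapd.conf")
    with open(path, encoding="utf-8") as fh:
        result = compare(fh.read(), presented_cert_pem())
    print("configured:", result["configured"])
    print("presented: ", result["presented"])
    print("match:" if result["match"] else "MISMATCH: restart slapd", result["match"])


if __name__ == "__main__":
    main()
```

A mismatch after `systemctl restart slapd` means the running service is not reading the file named in slapd.conf at all (for example because a UCR template or an include overrides it), which is a different problem from the stale-process case described in this article.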