SAML certificate verification failed

Hello Urs,

did you renew the certificates recently?

The routine throwing this exception has some hints about what it does and what to check, including some topics on help.univention.com which are related to the renewal.
From /usr/share/pyshared/univention/management/console/modules/diagnostic/plugins/04_saml_certificate_check.py:

def test_service_provider_certificate():
        # compare /etc/univention/ssl/$(hostname -f)/cert.pem with
        # univention-ldapsearch -LLL "(&(serviceProviderMetadata=*)(univentionObjectType=saml/serviceprovider)(SAMLServiceProviderIdentifier=https://$(hostname -f)/univention/saml/metadata))" serviceProviderMetadata  | ldapsearch-wrapper | ldapsearch-decode64
        # If it fails: /usr/share/univention-management-console/saml/update_metadata
        #
        # fails because https://help.univention.com/t/renewing-the-ssl-certificates/37 was not used. https://help.univention.com/t/renewing-the-complete-ssl-certificate-chain/36
        lo = univention.uldap.getMachineConnection()
        certs = lo.search(filter_format('(&(serviceProviderMetadata=*)(univentionObjectType=saml/serviceprovider)(SAMLServiceProviderIdentifier=https://%s/univention/saml/metadata))', ['%s.%s' % (ucr.get('hostname'), ucr.get('domainname'))]), attr=['serviceProviderMetadata'])
        with open('/etc/univention/ssl/%s.%s/cert.pem' % (ucr.get('hostname'), ucr.get('domainname'))) as fd:
                for cert in certs:
                        cert = find_node(fromstring(cert[1]['serviceProviderMetadata'][0]), '{http://www.w3.org/2000/09/xmldsig#}X509Certificate')
                        if cert.text.strip() not in fd.read():
                                raise Critical(_('The certificate of the SAML service provider does not match.'))

Best Regards,
Dirk Ahrnke
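
An added example, not part of the original post and not Univention's code: the same comparison between the host certificate file and the certificate embedded in the service provider metadata, done on decoded certificate bytes so that differences in base64 line wrapping do not cause a false mismatch. The function names, the host name sp.example.test and the sample data are constructed for illustration.

```python
import base64
import hashlib
import re
from xml.etree.ElementTree import fromstring

DS_CERT = '{http://www.w3.org/2000/09/xmldsig#}X509Certificate'
PEM_RE = re.compile(r'-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----', re.S)


def pem_certs(pem_text):
    """Return the DER bytes of every certificate block in a PEM file."""
    return [base64.b64decode(''.join(body.split())) for body in PEM_RE.findall(pem_text)]


def metadata_certs(metadata_xml):
    """Return the DER bytes of every ds:X509Certificate in SAML metadata."""
    root = fromstring(metadata_xml)
    return [base64.b64decode(''.join((n.text or '').split())) for n in root.iter(DS_CERT)]


def mismatched_fingerprints(pem_text, metadata_xml):
    """SHA-256 fingerprints of metadata certificates missing from the PEM file."""
    on_disk = set(pem_certs(pem_text))  # parse the file once, compare every entry
    return [hashlib.sha256(der).hexdigest()
            for der in metadata_certs(metadata_xml) if der not in on_disk]


# Constructed sample data: placeholder bytes standing in for DER certificates.
DER_CURRENT = b'constructed-current-certificate' * 5
DER_OLD = b'constructed-old-certificate' * 5


def make_pem(der):
    """Build a PEM block with base64 wrapped at 64 columns (constructed input)."""
    b64 = base64.b64encode(der).decode()
    body = '\n'.join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return '-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n' % body


def make_metadata(der):
    """Build minimal SP metadata with single-line base64 (constructed input)."""
    return ('<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" '
            'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" '
            'entityID="https://sp.example.test/univention/saml/metadata">'
            '<md:SPSSODescriptor><md:KeyDescriptor><ds:KeyInfo><ds:X509Data>'
            '<ds:X509Certificate>%s</ds:X509Certificate>'
            '</ds:X509Data></ds:KeyInfo></md:KeyDescriptor></md:SPSSODescriptor>'
            '</md:EntityDescriptor>' % base64.b64encode(der).decode())


if __name__ == '__main__':
    print(mismatched_fingerprints(make_pem(DER_CURRENT), make_metadata(DER_CURRENT)))
    print(mismatched_fingerprints(make_pem(DER_CURRENT), make_metadata(DER_OLD)))
```

A non-empty result lists the fingerprints of the stale metadata certificates, which can be compared against the fingerprint of the renewed certificate on disk.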