The second issue shows 2 things: permissions that should get fixed easily with
chmod 755 /etc/univention/ssl
chmod 750 /etc/univention/ssl/ucs-4.veera.intranet
The remaining part, the missing ucs-sso… directory could be related to the first and critical issue as the files from this directory are copied to /etc/simplesamlphp when following the instructions to renew the certificates.
I’d check carefully what happens during the step “ucs-sso requires a separate handling” from Renewing the complete SSL certificate chain. This includes the review of the join.log and the proof that the directory and its files will exist afterwards. (note: I havent verified that this is the step where it happens but following the docs it looks like that).
The S4 reject seems to be unrelated but needs separate handling.
Best Regards,
Dirk