Solved: Error Login to UMC Webconsole: self signed certificate in certificate chain

Hi,
I can't log in to the web console. Short error message:

Interner Server-Fehler.
{'desc': 'Connect error', 'info': 'error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (self signed certificate in certificate chain)'}

Error message details:

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/univention/management/console/ldap.py", line 188, in getter
    raise KeyError()
KeyError

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/univention/uldap.py", line 215, in _decorated
    return func(self, *args, **kwargs)
  File "/usr/lib/python3/dist-packages/univention/uldap.py", line 411, in __starttls
    self.lo.start_tls_s()
  File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 1220, in start_tls_s
    res = self._apply_method_s(SimpleLDAPObject.start_tls_s,*args,**kwargs)
  File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 1197, in _apply_method_s
    return func(self,*args,**kwargs)
  File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 864, in start_tls_s
    return self._ldap_call(self._l.start_tls_s)
  File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 329, in _ldap_call
    reraise(exc_type, exc_value, exc_traceback)
  File "/usr/lib/python3/dist-packages/ldap/compat.py", line 44, in reraise
    raise exc_value
  File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 313, in _ldap_call
    result = func(*args,**kwargs)
ldap.CONNECT_ERROR: {'desc': 'Connect error', 'info': 'error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (self signed certificate in certificate chain)'}

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/tornado/web.py", line 1595, in _execute
    result = yield result
  File "/usr/lib/python3/dist-packages/tornado/gen.py", line 1133, in run
    value = future.result()
  File "/usr/lib/python3/dist-packages/univention/management/console/resources.py", line 496, in post
    result = await session.authenticate(self.request.body_arguments)
  File "/usr/lib/python3/dist-packages/univention/management/console/session.py", line 150, in authenticate
    self.set_credentials(**result.credentials)
  File "/usr/lib/python3/dist-packages/univention/management/console/session.py", line 174, in set_credentials
    self._search_user_dn()
  File "/usr/lib/python3/dist-packages/univention/management/console/session.py", line 185, in _search_user_dn
    lo = get_machine_connection(write=False)[0]
  File "/usr/lib/python3/dist-packages/univention/management/console/ldap.py", line 144, in get_machine_connection
    return connection()
  File "/usr/lib/python3/dist-packages/univention/management/console/ldap.py", line 200, in _decorated
    kwargs[loarg], kwargs[poarg] = lo, po = getter()
  File "/usr/lib/python3/dist-packages/univention/management/console/ldap.py", line 190, in getter
    conn = connection()
  File "/usr/lib/python3/dist-packages/univention/management/console/ldap.py", line 101, in connection
    return _getMachineConnection(**kwargs)
  File "/usr/lib/python3/dist-packages/univention/admin/uldap.py", line 176, in getMachineConnection
    lo = univention.uldap.getMachineConnection(start_tls, decode_ignorelist=decode_ignorelist, ldap_master=ldap_master)
  File "/usr/lib/python3/dist-packages/univention/uldap.py", line 199, in getMachineConnection
    return access(host=server, port=port, base=ucr['ldap/base'], binddn=ucr['ldap/hostdn'], bindpw=bindpw, start_tls=start_tls, decode_ignorelist=decode_ignorelist, reconnect=reconnect)
  File "/usr/lib/python3/dist-packages/univention/uldap.py", line 298, in __init__
    self.__open(ca_certfile)
  File "/usr/lib/python3/dist-packages/univention/uldap.py", line 397, in __open
    self.__starttls()
  File "/usr/lib/python3/dist-packages/univention/uldap.py", line 223, in _decorated
    return func(self, *args, **kwargs)
  File "/usr/lib/python3/dist-packages/univention/uldap.py", line 411, in __starttls
    self.lo.start_tls_s()
  File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 1220, in start_tls_s
    res = self._apply_method_s(SimpleLDAPObject.start_tls_s,*args,**kwargs)
  File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 1197, in _apply_method_s
    return func(self,*args,**kwargs)
  File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 864, in start_tls_s
    return self._ldap_call(self._l.start_tls_s)
  File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 329, in _ldap_call
    reraise(exc_type, exc_value, exc_traceback)
  File "/usr/lib/python3/dist-packages/ldap/compat.py", line 44, in reraise
    raise exc_value
  File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 313, in _ldap_call
    result = func(*args,**kwargs)
ldap.CONNECT_ERROR: {'desc': 'Connect error', 'info': 'error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (self signed certificate in certificate chain)'}

I followed this guide, Renewing the complete SSL certificate chain, without success.

univention-certificate dump tells me that all certificates are valid until 2029.

What to do? The certificates have always been self-signed and were never an issue.

Best regards
Andre

additional info:

/etc/univention/ssl/ucsCA/certs# univention-certificate list
List all certificates
01	server.domain.tld
02	univention-directory-manager.domain.tld
03	univention-directory-manager.domain.tld
04	nextc-81041460.domain.local
05	benno-43523496.domain.tld
06	benno-43523496.domain.tld
07	nextc-81041460.domain.tld
08	server.domain.tld
09	univention-directory-manager.domain.tld

Verifying all 9 certificates results in OK:

openssl verify -CApath /etc/univention/ssl/ucsCA/certs/ 09.pem
09.pem: OK

but:

/etc/univention/ssl/tuxserver.burglenzen.local# \
openssl verify -CApath /etc/univention/ssl/server.domain.tld/ cert.pem
C = DE, ST = DE, L = DE, O = domain.local, OU = Univention Corporate Server, CN = server.domain.tld, emailAddress = ssl@domain.tld
error 20 at 0 depth lookup: unable to get local issuer certificate
error cert.pem: verification failed

So it seems there is a missing step somewhere?

Two reboots later, login is working again. I have not changed anything since the last cert renewal. wtf?!

A feature request: Is it possible to add a big warning in the web console one month before any certificate runs out? I hate sitting half the night in front of the computer!
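An added example, not from the post or from Univention, that turns the two manual checks above (chain verification and expiry) into one script with a warning threshold, which is roughly the one-month warning the feature request asks for. It assumes openssl is on PATH; the CA file name ucsCA/CAcert.pem in the comments is my assumption about a UCS install, and the demo CA and leaf are constructed on the fly rather than taken from /etc/univention/ssl/.

```shell
#!/bin/sh
# Added example (not from the original post): verify a server certificate
# against its issuing CA and warn when it expires within a threshold.
# On UCS the CA is assumed to live at /etc/univention/ssl/ucsCA/CAcert.pem;
# pass that as CAFILE. The demo below builds its own throwaway CA instead.
set -eu

# check_cert CERT CAFILE DAYS -> 0 if the chain verifies and the cert is
# valid for at least DAYS more days, 1 otherwise (reason goes to stderr).
check_cert() {
    cert=$1; cafile=$2; days=$3
    # Name the CA explicitly: pointing -CApath at a directory that holds
    # only leaf certs yields "unable to get local issuer certificate".
    if ! openssl verify -CAfile "$cafile" "$cert" >/dev/null 2>&1; then
        echo "chain verification failed for $cert" >&2
        return 1
    fi
    # -checkend takes seconds and exits 1 if the cert expires within them.
    if ! openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null; then
        echo "$cert expires within $days days" >&2
        return 1
    fi
    return 0
}

# make_demo -> prints a temp dir holding a constructed CA (ca.pem) and a
# CA-signed leaf (srv.pem) that is valid for only 10 days.
make_demo() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=demo CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=server.example.test" \
        -keyout "$dir/srv.key" -out "$dir/srv.csr" 2>/dev/null
    openssl x509 -req -in "$dir/srv.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 10 -out "$dir/srv.pem" 2>/dev/null
    echo "$dir"
}
```

Run it from cron against the real cert and CA with a 30-day threshold; a non-zero exit is the cue to renew before the console locks you out.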
