Strange network issue with openid/kopano

I am setting up a UCS 5.x for OIDC to use it as external SSO auth source for ownCloud and Discourse. When accessing the UCS with the ownCloud client, I get an error message


We already isolated the issue to the UCS config, see

A local curl call on the ucs shows:

root@idp:~# nslookup

But for

root@idp:~# curl -I
curl: (60) SSL: no alternative certificate subject name matches target host name ''
More details here:

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

How can I fix this?

That error message only means that your test with curl hit this issue; it does not necessarily mean ownCloud has the same issue. In fact it already tells you that it could not verify the certificate chain, which means that the ownCloud server does not trust the connection and therefore refuses it. You need to either import the Univention CA on the ownCloud host or change the certificate on Univention to a trusted one from, for example, Let's Encrypt.

We already found the root cause:
The Univention UCS provides the OIDC API endpoints on a separate DNS name instead of the main DNS . This ucs-sso DNS name was not listed as a valid (second) DNS name in the LE certificate. Therefore the SSL encryption for the curl call from the ownCloud server could not be established correctly.
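
Added example (not part of the thread and not Univention or ownCloud code): a Python check that reports which required hostnames are not covered by a server certificate's subjectAltName, the mismatch described as the root cause above. The hostnames under `example.test` are constructed placeholders, and the function names are made up for this example.

```python
import socket
import ssl


def san_dns_names(host, port=443, timeout=5.0):
    """Return the DNS names in the SAN of the certificate served for `host`.

    The chain is still validated against the system trust store; only the
    hostname check is disabled so that a name mismatch can be inspected.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def name_matches(hostname, pattern):
    """Match one SAN entry; '*' is honoured only as the whole left-most label."""
    host = hostname.lower().rstrip(".").split(".")
    pat = pattern.lower().rstrip(".").split(".")
    if len(host) != len(pat):
        return False
    if pat[0] == "*":
        # Require at least two fixed labels so '*.test' never matches.
        return len(pat) > 2 and host[1:] == pat[1:]
    return host == pat


def uncovered(required, sans):
    """Hostnames from `required` that no SAN entry covers."""
    return [h for h in required if not any(name_matches(h, s) for s in sans)]


if __name__ == "__main__":
    # Constructed sample: certificate issued for the main name only.
    sans = ["ucs.example.test"]
    needed = ["ucs.example.test", "ucs-sso.example.test"]
    print("missing from certificate:", uncovered(needed, sans))
    # Live check (needs network): uncovered(needed, san_dns_names(needed[1]))
```

Running the live variant from the client host (here, the ownCloud server) shows the certificate as that host sees it, including any reverse proxy in between.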