System diagnostic suddenly gives me: Found invalid certificate '/etc/univention/letsencrypt/signed_chain.crt'

If I try this I get this error:

openssl verify /usr/share/ca-certificates/mozilla/ISRG_Root_X1.crt
unable to load certificate
140288394727488:error:0906D06C:PEM routines:PEM_read_bio:no start line:../crypto/pem/pem_lib.c:686:Expecting: TRUSTED CERTIFICATE

r100gs, update ISRG_Root_X1 on your system with these steps.

# wget -O /usr/share/ca-certificates/mozilla/ISRG_Root_X1.crt https://letsencrypt.org/certs/isrgrootx1.pem
# ln -s /usr/share/ca-certificates/mozilla/ISRG_Root_X1.crt /etc/ssl/certs/ISRG_Root_X1.pem
# update-ca-certificates

If wget returns a download error, download the LE root certificate to a trusted computer and then transfer the file to the server or use --no-check-certificate like so (with caution as discussed above).

# wget --no-check-certificate -O /usr/share/ca-certificates/mozilla/ISRG_Root_X1.crt https://letsencrypt.org/certs/isrgrootx1.pem

Finally

update-ca-certificates --fresh

did the trick for my system too!

So everything is fine atm.
THX @dejavu for your patience!

Best regards,
Stefan

Glad it worked for you!

B)

OK, now the error in the Univention system diagnostic is gone, but on my Android phone and iPhone I still can't access my Nextcloud without a certificate error.
On Android it's possible to accept the certificate, but on iPhone it's not.

You just solved my problem. Thanks a lot.

This SSL issue is rather pesky, isn’t it? And many folks have their own flavor of it. What does https://www.ssllabs.com/ssltest/ have to say about your server FQDN?

Yes, that's true. It drives me crazy.


r100gs, are the UCR variables you posted earlier still the same? I’m assuming that letsencrypt/domains is not blank, but your FQDN.

apache2/ssl/certificate	/etc/univention/letsencrypt/signed_chain.crt
apache2/ssl/certificatechain	/etc/univention/letsencrypt/intermediate.pem
apache2/ssl/key	/etc/univention/letsencrypt/domain.key
appcenter/apps/letsencrypt/status	installed
appcenter/apps/letsencrypt/ucs	4.4
appcenter/apps/letsencrypt/version	1.2.2-16
kopano/cfg/ical/ssl_certificate_file	/etc/univention/letsencrypt/intermediate.pem
kopano/cfg/ical/ssl_private_key_file	/etc/univention/letsencrypt/domain.key
letsencrypt/domains	......................................
letsencrypt/services/apache2	true
letsencrypt/services/dovecot	false
letsencrypt/services/postfix	true
letsencrypt/staging	false
letsencrypt/status	Certificate refreshed at Do 28. Jan 18:57:23 CET 2021
letsencrypt/v2migrated	true
mail/postfix/ssl/cafile	

Is /etc/univention/letsencrypt/intermediate.pem valid?

# openssl verify /etc/univention/letsencrypt/intermediate.pem
# openssl x509 -noout -in /etc/univention/letsencrypt/intermediate.pem -issuer -dates -fingerprint -subject

No, it's not valid:

openssl verify /etc/univention/letsencrypt/intermediate.pem
C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
error 20 at 0 depth lookup: unable to get local issuer certificate
error /etc/univention/letsencrypt/intermediate.pem: verification failed

openssl x509 -noout -in /etc/univention/letsencrypt/intermediate.pem -issuer -dates -fingerprint -subject
issuer=O = Digital Signature Trust Co., CN = DST Root CA X3
notBefore=Mar 17 16:40:46 2016 GMT
notAfter=Mar 17 16:40:46 2021 GMT
SHA1 Fingerprint=E6:A3:B4:5B:06:2D:50:9B:33:82:28:2D:19:6E:FE:97:D5:95:6C:CB
subject=C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3

Outdated since last March

After problems with the upgrade to v5.0.0 I finally got this LetsEncrypt error again. But I remembered this thread and could solve the problem again. That's why: again, many thanks.

I am also still stuck at

notAfter=Mar 17 16:40:46 2021 GMT

tried the suggestions in this thread already, including

update-ca-certificates --fresh

After a fresh installation of UCS 5.0.2 with Let's Encrypt I got the same error in the system diagnostic again. But the solution of tpfann in #87 was the right tip.

Many thanks

Same for me.
A fresh installation, the system diagnostic error about an invalid certificate, and the solution of tpfann (steps 1, 2 and 3) worked for me.

Same here on a fresh 5.0.4.
Steps 1, 2 and 3, and everything is OK.

Same here before going from 5.0-4 to 5.0-6

  1. wget -O /etc/univention/letsencrypt/lets-encrypt-r3.pem https://letsencrypt.org/certs/lets-encrypt-r3.pem

  2. ln -s /etc/univention/letsencrypt/lets-encrypt-r3.pem /usr/local/share/ca-certificates/lets-encrypt-r3.crt

  3. update-ca-certificates

And the problem was solved.

Just in case the system diagnostic error hits you again after last night's changes on the Let's Encrypt side, here are the updated instructions to solve the issue:

  1. wget -O /etc/univention/letsencrypt/r11.pem https://letsencrypt.org/certs/2024/r11.pem
  2. ln -s /etc/univention/letsencrypt/r11.pem /usr/local/share/ca-certificates/r11.crt
  3. update-ca-certificates --fresh
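The checks in this thread (is the file actually PEM, has the intermediate expired, does the chain verify against the system store) and the install steps 1 to 3 above can be wrapped in a small script so they are run before a certificate lands in the trust store. The script below is an added example, not part of the thread or of the UCS Let's Encrypt app; it assumes /usr/local/share/ca-certificates and /etc/ssl/certs as the trust-store paths used in the steps above, and it takes any expected SHA-256 fingerprint from the caller rather than hard-coding one.

```shell
#!/bin/sh
# cert-check.sh: sanity checks for PEM certificate files and a guarded
# install of a CA certificate into the system trust store.
# Constructed example; function names and the overall flow are assumptions.

# 0 if the file contains at least one PEM certificate block.
# A wget that saved an HTML error page instead of a PEM file fails here,
# which is what openssl reports as "no start line".
pem_has_cert_block() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null
}

# Number of PEM certificate blocks in the file (0 if missing or unreadable).
pem_cert_count() {
    n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null)
    echo "${n:-0}"
}

# Print subject, issuer and validity period (what the thread checked by hand).
cert_summary() {
    openssl x509 -noout -in "$1" -subject -issuer -dates
}

# 0 if the certificate expires within $2 seconds, or cannot be read at all.
cert_expires_within() {
    if openssl x509 -noout -in "$1" -checkend "$2" >/dev/null 2>&1; then
        return 1        # still valid after the window
    fi
    return 0
}

# Verify $1 against the system trust store; $2 (optional) is an intermediate
# chain file passed as untrusted, the way a web server would present it.
cert_verify_chain() {
    if [ -n "${2:-}" ]; then
        openssl verify -CApath /etc/ssl/certs -untrusted "$2" "$1"
    else
        openssl verify -CApath /etc/ssl/certs "$1"
    fi
}

# Install a CA certificate only after it passes the structural check and,
# when $3 is given, matches the expected SHA-256 fingerprint (colon-separated
# hex as printed by openssl; supplied by the caller, not stored here).
install_ca_cert() {
    src=$1; name=$2; expected_fp=${3:-}
    dest=/usr/local/share/ca-certificates/$name.crt
    pem_has_cert_block "$src" || { echo "not a PEM certificate: $src" >&2; return 1; }
    if [ -n "$expected_fp" ]; then
        fp=$(openssl x509 -noout -in "$src" -fingerprint -sha256 | cut -d= -f2)
        [ "$fp" = "$expected_fp" ] || { echo "fingerprint mismatch for $src" >&2; return 1; }
    fi
    install -m 0644 "$src" "$dest" && update-ca-certificates --fresh
}

# Usage: ./cert-check.sh /etc/univention/letsencrypt/signed_chain.crt [intermediate.pem]
if [ -n "${1:-}" ]; then
    f=$1
    pem_has_cert_block "$f" || { echo "$f: no PEM certificate block (wrong file content?)"; exit 1; }
    echo "$f: $(pem_cert_count "$f") certificate block(s)"
    cert_summary "$f"
    if cert_expires_within "$f" $((30*24*3600)); then
        echo "$f: expires within 30 days (or already expired)"
    fi
    cert_verify_chain "$f" "${2:-}"
fi
```

Running it against signed_chain.crt with intermediate.pem as the second argument reproduces the manual checks from this thread in one go; the fingerprint comparison in install_ca_cert is what makes a download with --no-check-certificate acceptable, because the file is then checked against a value obtained out of band instead of being trusted blindly.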

This did not work for me.

But the commands at the end of the posting here:

did it.


After checking my current LetsEncrypt certificate, which was created on 01.07.2024, I found out that the R11 intermediate certificate seems to be the relevant one (see screenshot):


But good to know: if you want to be on the safe side, you'd better install the R10 intermediate certificate as well.
