System diagnostic suddenly gives me: Found invalid certificate '/etc/univention/letsencrypt/signed_chain.crt'

We can only wait until the Letsencrypt app has been upgraded by Univention.

But time is running out; our workaround has only a few days left.


Groundhog Day: update to 4.4-7 errata873: No valid certificate chain
But in https://forge.univention.org/bugzilla/show_bug.cgi?id=52517 the bug is marked as RESOLVED FIXED
Does it mean I have to reinstall the LetsEncrypt app?

The UCS system diagnostic module has issues when trying to verify certificates from external CAs, so this may be a false positive.

Are any services currently restricted in the environment? Or is only the diagnostic module complaining?

See also the following bugs; there is some information on why openssl verify is not always the best tool to check cert chain validity, especially https://mail.python.org/pipermail/cryptography-dev/2016-August/000676.html

https://forge.univention.org/bugzilla/show_bug.cgi?id=52517
https://forge.univention.org/bugzilla/show_bug.cgi?id=52546
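To show why a bare "openssl verify" on a concatenated chain file (leaf followed by intermediate, the layout of signed_chain.crt) can report a false positive, here is an added shell demonstration; it is not the UCS diagnostic module's or the LetsEncrypt app's own code. The CA names, file names and the function names naive_verify and split_verify are assumptions, and every key and certificate is generated on the fly in a temporary directory.

```shell
#!/bin/sh
# Constructed demo, not the UCS diagnostic's own code: build a throwaway
# root -> intermediate -> leaf chain in a temp dir, then compare a bare
# "openssl verify" of the concatenated chain file (leaf + intermediate, the
# layout of signed_chain.crt) with a split-file check. Names are made up.
set -eu
WORK=$(mktemp -d)
cd "$WORK"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca.ext

# Demo root CA (self-signed, marked as a CA via ca.ext).
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Root" \
  -keyout root.key -out root.csr 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -days 30 -extfile ca.ext \
  -out root.pem 2>/dev/null
# Demo intermediate, signed by the root.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate" \
  -keyout int.key -out int.csr 2>/dev/null
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 30 -extfile ca.ext -out int.pem 2>/dev/null
# Demo server certificate, signed by the intermediate.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=ucs.example.test" \
  -keyout leaf.key -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
  -days 30 -out leaf.pem 2>/dev/null
cat leaf.pem int.pem > signed_chain.crt

# Diagnostic-style check. openssl verify reads only the first certificate
# of a positional file, so the intermediate behind the leaf is ignored and
# the leaf has no issuer: exit status 2, "verification failed".
naive_verify() {
  openssl verify -no-CAfile -no-CApath -CAfile root.pem signed_chain.crt
}

# Chain-aware check: split the file and pass the rest as -untrusted so
# openssl can build leaf -> intermediate -> trusted root.
split_verify() {
  awk '/BEGIN CERT/ { n++ } n == 1' signed_chain.crt > leaf_only.pem
  awk '/BEGIN CERT/ { n++ } n > 1'  signed_chain.crt > intermediates.pem
  openssl verify -no-CAfile -no-CApath -CAfile root.pem \
    -untrusted intermediates.pem leaf_only.pem
}

naive_verify || echo "bare verify of the chain file fails (expected)"
split_verify && echo "split verify succeeds"
```

The first check fails even though the chain is complete and correctly ordered, which is the kind of false negative the diagnostic module can produce; a real chain check has to feed the intermediates in separately.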

Thanks for having a look and coming back to us!

As already stated in my first posting, the certificate seems to be valid (currently).

Correct, it seems that “only” the diagnostic module is complaining. And to be honest, it's not nice at all that system diagnostic has been reporting a critical issue for over a month now.

Okay? Why not change the logic then or fix it?

Okay? Not sure what you want me to do instead …

Thanks, I just wanted to make sure.

I understand and totally agree, it causes uncertainty. I will try to bump the priority in our backlog for Bug 52546 - LetsEncrypt signing chain broken - UCS System Diagnostic reports errors now

Sorry if this came across wrong, I just wanted to provide more information for the technically interested readers.

damrose,
Thank you for your provided feedback and taking care.

Our certificate problem was not only this “signed_chain” verify error and the critical message in the system diagnosis GUI, but also the lost connection to the mail server.
Right now, after drawing some screws (and going backward) and 3 UCS updates, I tried to renew the certificate. Both errors (openssl verify and GUI system diagnosis) still appear, but now the mail transfer works. So we only have to ignore the error messages.
When checking the certificate in Mozilla Firefox it seems to be valid.

Hi,

I can confirm that with today's release of Letsencrypt (version 1.2.2-16), system diagnostic is green now and back to normal. :+1:

BR,
Thomas


Thanks for the confirmation, I was just about to write here that we released the App update.


It’s the same with our system. All is up and running and green, “openssl verify …” is also OK now.
Thank you very much!

It seems that the certificate created by the new LE version is no SAN certificate (it contains only one of the names).

The Let’sEncrypt update changed the UCR value “letsencrypt/services/apache2” from “true” to “false”. So there was some trouble because Apache used the old self-signed certificate. After going back to “true” everything works fine again.

Thanks for the hint, on my system it was still set to “true”.

Just wondering if the according checkbox was ticked on your system or not?


I don’t know where to find “Dienste”. On “Systemdienste” I can only start or stop the services.
But I think the meaning of the UCR value “letsencrypt/services/apache2” (and the same with postfix and dovecot) is unambiguous.

I have the same problem.
In nextcloud on ucs or bitwarden my certificate is not working.

In my browser it's fine so far.

These are my settings in UCS:

apache2/ssl/certificate	/etc/univention/letsencrypt/signed_chain.crt
apache2/ssl/certificatechain	/etc/univention/letsencrypt/intermediate.pem
apache2/ssl/key	/etc/univention/letsencrypt/domain.key
appcenter/apps/letsencrypt/status	installed
appcenter/apps/letsencrypt/ucs	4.4
appcenter/apps/letsencrypt/version	1.2.2-16
kopano/cfg/ical/ssl_certificate_file	/etc/univention/letsencrypt/intermediate.pem
kopano/cfg/ical/ssl_private_key_file	/etc/univention/letsencrypt/domain.key
letsencrypt/domains	......................................
letsencrypt/services/apache2	true
letsencrypt/services/dovecot	false
letsencrypt/services/postfix	true
letsencrypt/staging	false
letsencrypt/status	Certificate refreshed at Do 28. Jan 18:57:23 CET 2021
letsencrypt/v2migrated	true
mail/postfix/ssl/cafile	

After today's update to 4.4-8 errata1057 I'm facing the same issue again:
System diagnostic says “Found invalid certificate” (see first post). I also tried to recreate the letsencrypt certificate, but the script fails.

Please can someone from the UCS staff have a look?

Update: Just did a restore of my UCS Backup from last night and noticed that system diagnostic gives me the same error on 4.4-8 errata1054. Sorry for misleading information.

So obviously the error is not related to the last update. Maybe letsencrypt needs an update again (intermediate certificate)?

Update 2: Seems there was a change on letsencrypt-side (root certificate): https://community.letsencrypt.org/t/help-thread-for-dst-root-ca-x3-expiration-september-2021/149190/99

Hello,

I got this error today:
Ungültiges Zertifikat '/etc/univention/letsencrypt/signed_chain.crt' gefunden:
error /etc/univention/letsencrypt/signed_chain.crt: verification failed

Ungültiges Zertifikat '/etc/univention/letsencrypt/signed_chain.crt' gefunden:
error /etc/univention/letsencrypt/signed_chain.crt: verification failed

Siehe Univention Support Database - Erneuern der TLS/SSL-Zertifikate für Informationen zum Erneuern von Zertifikaten.

Hello,
we also have the same problem. The certificate (as shown in browser) seems to be valid. But system diagnosis shows the same error signed_chain.crt: verification failed.

Same here, the current (letsencrypt) certificate that is used by Apache is still valid. But due to the root certificate constraint you won't be able to create a new certificate. At least I failed when I tried to recreate the certificate.
