System diagnostic suddenly gives me: Found invalid certificate '/etc/univention/letsencrypt/signed_chain.crt'

miclan · September 30, 2021, 2:57pm

Yes, I tried to renew certificate and I got errors:

**/usr/share/univention-letsencrypt** # ./refresh-cert-cron

gio 30 set 2021, 16.42.29, CEST

Refreshing certificate for following domains:

mydomain.com

Parsing account key...

Parsing CSR...

Found domains: mydomain.com

Getting directory...

Traceback (most recent call last):

File "/usr/share/univention-letsencrypt/acme_tiny.py", line 197, in <module>

main(sys.argv[1:])

File "/usr/share/univention-letsencrypt/acme_tiny.py", line 193, in main

signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca, disable_check=args.disable_check, directory_url=args.directory_url, contact=args.contact)

File "/usr/share/univention-letsencrypt/acme_tiny.py", line 105, in get_crt

directory, _, _ = _do_request(directory_url, err_msg="Error getting directory")

File "/usr/share/univention-letsencrypt/acme_tiny.py", line 45, in _do_request

raise ValueError("{0}:\nUrl: {1}\nData: {2}\nResponse Code: {3}\nResponse: {4}".format(err_msg, url, data, code, resp_data))

ValueError: Error getting directory:

Url: https://acme-v02.api.letsencrypt.org/directory

Data: None

Response Code: None

Response: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:661)>

Setting letsencrypt/status

run-parts: executing /etc/univention/letsencrypt/post-refresh.d//apache2

run-parts: executing /etc/univention/letsencrypt/post-refresh.d//dovecot

run-parts: executing /etc/univention/letsencrypt/post-refresh.d//postfix

tpfann · September 30, 2021, 2:59pm

Yep, same error here.
And it will fail again tonight (cron job that runs every 1st of the month to recreate the certificate)

sccmrb · September 30, 2021, 8:20pm

The Let’s encrypt app is failing to renew it’s certificate. I have run ‘update-ca-certificates’ and restarted apache2 but it still fails like this in the /var/log/univention/letsencrypt.log:

Thu Sep 30 13:34:37 MDT 2021
Refreshing certificate for following domains:
[groups.skaggscatholiccenter.org](http://groups.skaggscatholiccenter.org/)
Parsing account key...
Parsing CSR...
Found domains: [groups.skaggscatholiccenter.org](http://groups.skaggscatholiccenter.org/)
Getting directory...
Traceback (most recent call last):
File "/usr/share/univention-letsencrypt/acme_tiny.py", line 197, in <module>
main(sys.argv[1:])
File "/usr/share/univention-letsencrypt/acme_tiny.py", line 193, in main
signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=[args.ca](http://args.ca/), disable_check=args.disable_check, directory_url=args.directory_url, contact=args.contact)
File "/usr/share/univention-letsencrypt/acme_tiny.py", line 105, in get_crt
directory, _, _ = _do_request(directory_url, err_msg="Error getting directory")
File "/usr/share/univention-letsencrypt/acme_tiny.py", line 45, in _do_request
raise ValueError("{0}:\nUrl: {1}\nData: {2}\nResponse Code: {3}\nResponse: {4}".format(err_msg, url, data, code, resp_data))
ValueError: Error getting directory:
Url: https://acme-v02.api.letsencrypt.org/directory
Data: None
Response Code: None
Response: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:661)>
Setting letsencrypt/status

Now they did say they were ending a certificate on September 29th and this is affecting lots of people. It seems UCS has removed the certbot utility and I debug any further. Before you try to curl my server I only allow 80/443 from the lets encrypt server list and it’s been this way for several years without issue.

One comment from a user on the let’s encrypt community was able to solve it with:

sudo certbot renew --force-renewal --preferred-chain "ISRG Root X1"

But we don’t have this option on univention and I cannot see that there is a preferred chain option for the acme_tiny.py script in /usr/share/univention-letsencrypt

sccmrb · October 1, 2021, 3:48pm

I just uninstalled and reinstalled the Let’s Encrypt app and the /etc/univention/letsencrypt/intermediate-r3.pem cert is still expired. This app needs to be updated ASAP

sccmrb · October 1, 2021, 7:09pm

Replacing the contents of the certificate file located at /etc/univention/letsencrypt/intermediate-r3.pem with https://letsencrypt.org/certs/isrgrootx1.pem.txt and re-running a refresh or setup works as expected for me and successfully renews the certificate.

/usr/share/univention-letsencrypt/setup-letsencrypt 
Fri Oct  1 13:06:47 MDT 2021
Refreshing certificate for following domains:
groups.skaggscatholiccenter.org
Parsing account key...
Parsing CSR...
Found domains: groups.skaggscatholiccenter.org
Getting directory...
Directory found!
Registering account...
Already registered!
Creating new order...
Order created!
Verifying groups.skaggscatholiccenter.org...
groups.skaggscatholiccenter.org verified!
Signing certificate...
Certificate signed!
Certificate refreshed at Fri Oct  1 13:06:54 MDT 2021
Setting letsencrypt/status
Updating certificates in /etc/ssl/certs...
0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.

externa1 · October 2, 2021, 5:03am

As Problem: Connection to let's encryted domains from UCS not trusted did not solve it for mee too your solution worked

rg
Christian

tpfann · October 2, 2021, 5:48am

I can confirm that the recently released updates (errata 1059 an 1060) are NOT fixing our issue:

Replacing the content of the intermediate certificate (intermediate-r3.pem) as proposed by sccmrb allowed me to succesfully refresh my letsencrypt certificates. Thanks to sccmrb for finding out and share with us.

Anyway … my initial issue remains. System diagnostic still says “found invalid certificate”.

r100gs · October 2, 2021, 2:54pm

I tried it, but still no luck.
My iphone and my homeassistant server still complain about the certificate!

Best regards,
Stefan

Mornsgrans · October 2, 2021, 3:47pm

Search in the certificate store of your devices the certificate “DST Root CA X3” expired on Sep, 30th 2012 and remove them.
Apps seem to pull them even, if the successor certificate exists. I had this problem with the Nextcloud desktop-app.

sccmrb · October 2, 2021, 7:18pm

Certificate store is /etc/ca-certificates.conf and comment out with an ! in front like this:

!mozilla/DST_Root_CA_X3.crt

Then save and then run update_ca_certificates

And then restart affected services (apache, dovecot, whatever) using the cert.

r100gs · October 3, 2021, 1:18pm

In my Apple devices and m homeassistant Installation ist still Shows Error with certificate. I did all steps above and Made a restart of my Server, but the Problem still exists.

Heiko · October 3, 2021, 6:54pm

I confirm this.

Three weeks ago i bought an iPad and this doesn‘t have any problems before and after the steps above. But my iPhone and another iPad show the known errors before and after. I made backups of both devices, reset the devices, download the right .ipsw-file of iOS 15 and restored the devices via iTunes with these files. Finally i restored with the backups. Now they are working with my server.

icke · October 4, 2021, 3:40pm

My UCS installation updated the certificate correctly. The certificate in browser seems valid, no error. All services seem to work correctly. But the system diagnosis still reports a critical error (invalid certificate chain).

r100gs · October 11, 2021, 5:15am

Hello together,

I tried all the steps, but still my univention shows ssl error.
I do not know what to do further more.
Can somebody please give me a hint?
I have seen this,

but I do not know how to get it into univention

Best regards,
Stefan

sccmrb · October 11, 2021, 1:52pm

Have you guys updated to the latest errata updates in UCS? 4.4-x and 5.0.x have all updated their errata to include a fix for this now according to the UCS bug report I filed.

icke · October 11, 2021, 2:24pm

I tried this

Certificate store is /etc/ca-certificates.conf and comment out with an ! in front like this:
!mozilla/DST_Root_CA_X3.crt
Then save and then run update_ca_certificates
And then restart affected services (apache, dovecot, whatever) using the cert.

but without success: Still valid certificate with the message “invalid certificate chain”.

Andreas_T · October 11, 2021, 2:55pm

Same problem here (on multiple up-to-date systems): I can successfully create new and valid certificates, but the system diagnostics complains about /etc/univention/letsencrypt/signed_chain.crt. Is it really correct to just replace /etc/univention/letsencrypt/intermediate-r3.pem like suggested by @sccmrb in this earlier post? Shouldn’t we keep an Intermediate Certificate there? Could it lead to other problems with UCS LE in the future? Maybe I’m not completely understanding it yet.

r100gs · October 12, 2021, 4:34am

yes, system is at latest 4.4.8 1067

icke · October 13, 2021, 12:08pm

This does not solve my problem. I get a valid certificate. LE app renews the certificate, I restarted all necessary services and re-run the system diagnosis - again with the critical error

Ungültiges Zertifikat ‘/etc/univention/letsencrypt/signed_chain.crt’ gefunden:
error /etc/univention/letsencrypt/signed_chain.crt: verification failed

File /var/log/univention/letsencrypt.log shows some errors relating to file /usr/share/univention-letsencrypt/acme_tiny.py

ValueError: Error getting directory:
Url: https://acme-v02.api.letsencrypt.org/directory

dejavu · October 17, 2021, 4:29pm

Hi all,

I’ll share my recent experience. Maybe it will be useful for some who is still dealing with the “Critical: Check validity of SSL certificates” warning.

Basically, UCS is reporting issues with Let’s Encrypt SSL certificate if its relevant diagnistics scripts are not seeing the right files at the right locations.

I made the UCS self-diagnostic happy some weeks ago after modifying a few files by hand following this article.

The recent UCS Let’s Encrypt app update (v.2.0.0.2) process brought back the subject warning. This time around, I was paying more attention to the file names and extensions while troubleshooting. I used Midnight Commander (MC) for some simple steps and made backup copies of files that I deleted to recover them later without much pain if needed.

Files to delete if still present (some of them could be named a bit differently on your system):

# rm /usr/local/share/ca-certificates/lets-encrypt-r3.crt
# rm /etc/univention/letsencrypt/lets-encrypt-r3.pem
# rm /etc/ssl/certs/ISRG_Root_X1.pem
# rm /usr/share/ca-certificates/mozilla/ISRG_Root_X1.crt
# update-ca-certificates

Download the current Let’s Encrypt CA SSL Certificates

# wget -O /usr/share/ca-certificates/mozilla/ISRG_Root_X1.crt https://letsencrypt.org/certs/isrgrootx1.pem
# wget -O /usr/share/ca-certificates/mozilla/ISRG_Root_X2.crt https://letsencrypt.org/certs/isrg-root-x2.pem

Create symlinks

# ln -s /usr/share/ca-certificates/mozilla/ISRG_Root_X1.crt /etc/ssl/certs/ISRG_Root_X1.pem
# ln -s /usr/share/ca-certificates/mozilla/ISRG_Root_X2.crt /etc/ssl/certs/ISRG_Root_X2.pem
# update-ca-certificates

Download the current Let’s Encrypt Intermediate SSL Certificate

# wget -O /etc/univention/letsencrypt/lets-encrypt-r3.pem https://letsencrypt.org/certs/lets-encrypt-r3.pem

Create symlink

# ln -s /etc/univention/letsencrypt/lets-encrypt-r3.pem /usr/local/share/ca-certificates/lets-encrypt-r3.crt
# update-ca-certificates

Restart all services using these SSL certificates, run the software, app updates and system diagnostic checks to make sure all are looking good. Hopefully, it is the case as it was on all my UCS machines.

Good luck!