System diagnostic suddenly gives me: Found invalid certificate '/etc/univention/letsencrypt/signed_chain.crt'

Replacing the contents of the certificate file located at /etc/univention/letsencrypt/intermediate-r3.pem with https://letsencrypt.org/certs/isrgrootx1.pem.txt and re-running a refresh or setup works as expected for me and successfully renews the certificate.

/usr/share/univention-letsencrypt/setup-letsencrypt 
Fri Oct  1 13:06:47 MDT 2021
Refreshing certificate for following domains:
groups.skaggscatholiccenter.org
Parsing account key...
Parsing CSR...
Found domains: groups.skaggscatholiccenter.org
Getting directory...
Directory found!
Registering account...
Already registered!
Creating new order...
Order created!
Verifying groups.skaggscatholiccenter.org...
groups.skaggscatholiccenter.org verified!
Signing certificate...
Certificate signed!
Certificate refreshed at Fri Oct  1 13:06:54 MDT 2021
Setting letsencrypt/status
Updating certificates in /etc/ssl/certs...
0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.
2 Likes

As Problem: Connection to let's encrypted domains from UCS not trusted did not solve it for me either, your solution worked.

rg
Christian

I can confirm that the recently released updates (errata 1059 and 1060) are NOT fixing our issue:

Replacing the content of the intermediate certificate (intermediate-r3.pem) as proposed by sccmrb allowed me to successfully refresh my letsencrypt certificates. Thanks to sccmrb for finding this out and sharing it with us.

Anyway … my initial issue remains. System diagnostic still says “found invalid certificate”.

1 Like

I tried it, but still no luck.
My iphone and my homeassistant server still complain about the certificate!

Best regards,
Stefan

Search the certificate store of your devices for the certificate “DST Root CA X3”, expired on Sep 30th 2012, and remove it.
Apps seem to pull them even if the successor certificate exists. I had this problem with the Nextcloud desktop-app.

The certificate store is /etc/ca-certificates.conf; comment the entry out with a ! in front like this:

!mozilla/DST_Root_CA_X3.crt

Then save and run update_ca_certificates

And then restart affected services (apache, dovecot, whatever) using the cert.

1 Like

On my Apple devices and my homeassistant installation it still shows an error with the certificate. I did all steps above and made a restart of my server, but the problem still exists.

I confirm this.

Three weeks ago I bought an iPad and this doesn't have any problems before and after the steps above. But my iPhone and another iPad show the known errors before and after. I made backups of both devices, reset the devices, downloaded the right .ipsw file of iOS 15 and restored the devices via iTunes with these files. Finally I restored with the backups. Now they are working with my server.

My UCS installation updated the certificate correctly. The certificate in browser seems valid, no error. All services seem to work correctly. But the system diagnosis still reports a critical error (invalid certificate chain).

Hello together,

I tried all the steps, but my univention still shows an SSL error.
I do not know what more to do.
Can somebody please give me a hint?
I have seen this,

but I do not know how to get it into univention

Best regards,
Stefan

Have you guys updated to the latest errata updates in UCS? 4.4-x and 5.0.x have all updated their errata to include a fix for this now according to the UCS bug report I filed.

I tried this

The certificate store is /etc/ca-certificates.conf; comment the entry out with a ! in front like this:
!mozilla/DST_Root_CA_X3.crt
Then save and run update_ca_certificates
And then restart affected services (apache, dovecot, whatever) using the cert.

but without success: Still valid certificate with the message “invalid certificate chain”.

Same problem here (on multiple up-to-date systems): I can successfully create new and valid certificates, but the system diagnostics complains about /etc/univention/letsencrypt/signed_chain.crt. Is it really correct to just replace /etc/univention/letsencrypt/intermediate-r3.pem like suggested by @sccmrb in this earlier post? Shouldn’t we keep an Intermediate Certificate there? Could it lead to other problems with UCS LE in the future? Maybe I’m not completely understanding it yet.

Yes, the system is at the latest 4.4.8 1067.

This does not solve my problem. I get a valid certificate. The LE app renews the certificate, I restarted all necessary services and re-ran the system diagnosis - again with the critical error

Ungültiges Zertifikat ‘/etc/univention/letsencrypt/signed_chain.crt’ gefunden:
error /etc/univention/letsencrypt/signed_chain.crt: verification failed

File /var/log/univention/letsencrypt.log shows some errors relating to file /usr/share/univention-letsencrypt/acme_tiny.py

ValueError: Error getting directory:
Url: https://acme-v02.api.letsencrypt.org/directory

Hi all,

I’ll share my recent experience. Maybe it will be useful for some who is still dealing with the “Critical: Check validity of SSL certificates” warning.

Basically, UCS is reporting issues with the Let’s Encrypt SSL certificate if its relevant diagnostics scripts are not seeing the right files at the right locations.

I made the UCS self-diagnostic happy some weeks ago after modifying a few files by hand following this article.

The recent UCS Let’s Encrypt app update (v.2.0.0.2) process brought back the subject warning. This time around, I was paying more attention to the file names and extensions while troubleshooting. I used Midnight Commander (MC) for some simple steps and made backup copies of files that I deleted to recover them later without much pain if needed.

Files to delete if still present (some of them could be named a bit differently on your system):

# rm /usr/local/share/ca-certificates/lets-encrypt-r3.crt
# rm /etc/univention/letsencrypt/lets-encrypt-r3.pem
# rm /etc/ssl/certs/ISRG_Root_X1.pem
# rm /usr/share/ca-certificates/mozilla/ISRG_Root_X1.crt
# update-ca-certificates

Download the current Let’s Encrypt CA SSL Certificates

# wget -O /usr/share/ca-certificates/mozilla/ISRG_Root_X1.crt https://letsencrypt.org/certs/isrgrootx1.pem
# wget -O /usr/share/ca-certificates/mozilla/ISRG_Root_X2.crt https://letsencrypt.org/certs/isrg-root-x2.pem

Create symlinks

# ln -s /usr/share/ca-certificates/mozilla/ISRG_Root_X1.crt /etc/ssl/certs/ISRG_Root_X1.pem
# ln -s /usr/share/ca-certificates/mozilla/ISRG_Root_X2.crt /etc/ssl/certs/ISRG_Root_X2.pem
# update-ca-certificates

Download the current Let’s Encrypt Intermediate SSL Certificate

# wget -O /etc/univention/letsencrypt/lets-encrypt-r3.pem https://letsencrypt.org/certs/lets-encrypt-r3.pem

Create symlink

# ln -s /etc/univention/letsencrypt/lets-encrypt-r3.pem /usr/local/share/ca-certificates/lets-encrypt-r3.crt
# update-ca-certificates

Restart all services using these SSL certificates, run the software, app updates and system diagnostic checks to make sure all are looking good. Hopefully, it is the case as it was on all my UCS machines.

Good luck!

1 Like

There is an update for LE. Unfortunately it does not fix my problem (valid certificate, renew is working, but an error message in the system diagnosis).

1 Like

icke, system diagnostic on all of my servers with LE installed was failing after the LE v2.0.0.2 update with the below alert.

error /etc/univention/letsencrypt/signed_chain.crt: verification failed

The steps I shared above helped me resolve the issue on every server. I realize that my systems and yours could differ. So, it’s hard to guess what could be an issue on your end without more information. Can you PM me the outputs of the following commands?

Show broken symlinks

# find /etc/ssl/certs/ -xtype l
# find /usr/local/share/ca-certificates/ -xtype l

Show folder contents

# ls -l /etc/ssl/certs/
# ls -l /etc/univention/letsencrypt/
# ls -l /usr/local/share/ca-certificates/
# ls -l /usr/share/ca-certificates/mozilla/

I wonder if the reason you are seeing the following is because your system still has an invalid LE intermediate certificate per this article.

ValueError: Error getting directory:
Url: https://acme-v02.api.letsencrypt.org/directory
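The posts above inspect the same state by hand: which certificates a PEM file actually contains (the question raised about replacing intermediate-r3.pem with a root), whether the expired DST Root CA X3 is still enabled in /etc/ca-certificates.conf, whether the symlinks in the CA directories are intact, and whether signed_chain.crt verifies at all. The script below is an added example, not from the thread or from the UCS project, that reports all of these in one run. It assumes a Debian-style ca-certificates layout (the paths are the ones named in the thread and can be overridden as arguments), an installed openssl, and that `openssl x509 -checkend 0` exits non-zero for a certificate that has already expired. The verification step mirrors what the diagnostic complains about: if any certificate on the only available path to a trust anchor has expired, `openssl verify` reports a failure, so the per-certificate listing shows which link is the bad one.

```shell
#!/bin/sh
# Added audit helper (not from the thread or the UCS project). It reports the
# state the posters inspect by hand: how many certificates a PEM bundle holds,
# whether DST Root CA X3 is still enabled in /etc/ca-certificates.conf, broken
# symlinks in the CA directories, and (if openssl is present) each certificate
# in the chain plus a verification against the system store.
# All paths are parameters; the defaults are the ones named in the thread.

# Number of PEM certificate blocks in a bundle; 0 if the file is missing.
count_pem_certs() {
    n=$(grep -c '^-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null) || true
    echo "${n:-0}"
}

# Is DST Root CA X3 enabled, disabled ("!" prefix) or absent in the conf file?
dst_root_state() {
    if grep -q '^mozilla/DST_Root_CA_X3.crt' "$1" 2>/dev/null; then
        echo enabled
    elif grep -q '^!mozilla/DST_Root_CA_X3.crt' "$1" 2>/dev/null; then
        echo disabled
    else
        echo absent
    fi
}

# Count symlinks under a directory whose target no longer exists
# (what `find DIR -xtype l` reports, written with POSIX tools only).
count_broken_links() {
    find "$1" -type l 2>/dev/null | while IFS= read -r f; do
        [ -e "$f" ] || echo "$f"
    done | wc -l | tr -d ' '
}

# Print subject, issuer and expiry of every certificate in a bundle and flag
# the ones that have already expired (needs openssl).
describe_chain() {
    tmp=$(mktemp -d)
    # split the bundle: each BEGIN line starts a new numbered file
    awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/ {n++} n {print > (d "/" n ".pem")}' "$1"
    for f in "$tmp"/*.pem; do
        openssl x509 -in "$f" -noout -subject -issuer -enddate
        openssl x509 -in "$f" -noout -checkend 0 >/dev/null || echo "  ^ EXPIRED"
    done
    rm -rf "$tmp"
}

# Verify the first certificate of the bundle, using the rest of the bundle as
# untrusted intermediates and the given CA bundle (default: system store) as
# the trust anchors.
verify_chain() {
    openssl verify -CAfile "${2:-/etc/ssl/certs/ca-certificates.crt}" -untrusted "$1" "$1"
}

main() {
    chain=${1:-/etc/univention/letsencrypt/signed_chain.crt}
    conf=${2:-/etc/ca-certificates.conf}
    echo "certificates in $chain: $(count_pem_certs "$chain")"
    echo "DST Root CA X3 in $conf: $(dst_root_state "$conf")"
    for d in /etc/ssl/certs /usr/local/share/ca-certificates; do
        echo "broken symlinks under $d: $(count_broken_links "$d")"
    done
    if [ -r "$chain" ] && command -v openssl >/dev/null 2>&1; then
        describe_chain "$chain"
        if verify_chain "$chain"; then
            echo "chain verifies against the system store"
        else
            echo "chain verification FAILED (this is what the UCS check reports)"
        fi
    fi
}

main "$@"
```

Run it as root on the UCS host with no arguments for the thread's default paths, or pass the chain file and conf file explicitly. A bundle whose first entry is listed as self-signed (subject equal to issuer) is a root, not an intermediate, which answers the question of what the intermediate-r3.pem replacement actually put in place; an "EXPIRED" marker on any entry, or DST Root CA X3 reported as "enabled", points at the part of the store that needs the update-ca-certificates treatment described earlier in the thread.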

OK, if I install the new LE, my webserver does not start anymore.

But the apache service tells you the reason.
Login on console with SSH
Type in

systemctl status apache2.service

Read the output. I guess, the error message will claim a Letsencrypt error.

Post the output in this thread.
