Search the certificate store of your devices for the certificate “DST Root CA X3”, which expired on Sep 30th, 2012, and remove it.
Apps seem to pull it even if the successor certificate exists. I had this problem with the Nextcloud desktop app.
The certificate store is /etc/ca-certificates.conf; comment the entry out with an ! in front, like this:
!mozilla/DST_Root_CA_X3.crt
Then save and run update-ca-certificates
And then restart affected services (apache, dovecot, whatever) using the cert.
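A check for the deselection step described above, added here as an example and not part of any post in this thread: it reports whether an entry in the configuration file is active or deselected with `!`, and whether any symlink in the certificate directory still resolves to that certificate or dangles. The function names are hypothetical, and the paths are parameters so the check can be run against a copy first.

```shell
#!/bin/sh
# Added example (not from the thread). On Debian/UCS the real arguments would be:
#   audit_ca /etc/ca-certificates.conf /etc/ssl/certs mozilla/DST_Root_CA_X3.crt

# conf_state CONF ENTRY -> prints "deselected", "active" or "absent"
conf_state() {
    if grep -qxF -e "!$2" "$1"; then echo deselected
    elif grep -qxF -e "$2" "$1"; then echo active
    else echo absent
    fi
}

# stale_links DIR ENTRY -> prints symlinks in DIR that still point at the
# certificate named by ENTRY (directly or via its .pem link), or that dangle.
stale_links() {
    base=$(basename "$2" .crt)
    for link in "$1"/*; do
        [ -L "$link" ] || continue
        target=$(readlink "$link")
        if [ ! -e "$link" ]; then
            echo "dangling: $link -> $target"
        elif [ "$(basename "$target" .crt)" = "$base" ] ||
             [ "$(basename "$target" .pem)" = "$base" ]; then
            echo "still-linked: $link -> $target"
        fi
    done
}

# audit_ca CONF DIR ENTRY -> exit status 0 only if ENTRY is not active
# and no dangling or leftover symlinks were found.
audit_ca() {
    state=$(conf_state "$1" "$3")
    links=$(stale_links "$2" "$3")
    echo "$3: $state"
    [ -n "$links" ] && echo "$links"
    [ "$state" != active ] && [ -z "$links" ]
}
```

A "still-linked" line after running update-ca-certificates means the deselection has not taken effect in that directory yet.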
On my Apple devices and my Home Assistant installation it still shows an error with the certificate. I did all the steps above and restarted my server, but the problem still exists.
I confirm this.
Three weeks ago I bought an iPad, and it doesn’t have any problems before and after the steps above. But my iPhone and another iPad show the known errors before and after. I made backups of both devices, reset the devices, downloaded the right .ipsw file of iOS 15 and restored the devices via iTunes with these files. Finally I restored the backups. Now they are working with my server.
My UCS installation updated the certificate correctly. The certificate in browser seems valid, no error. All services seem to work correctly. But the system diagnosis still reports a critical error (invalid certificate chain).
Hello everyone,
I tried all the steps, but my Univention still shows an SSL error.
I do not know what else to do.
Can somebody please give me a hint?
I have seen this,
but I do not know how to get it into univention
Best regards,
Stefan
Have you guys updated to the latest errata updates in UCS? 4.4-x and 5.0.x have all updated their errata to include a fix for this now according to the UCS bug report I filed.
I tried this
The certificate store is /etc/ca-certificates.conf; comment the entry out with an ! in front, like this:
!mozilla/DST_Root_CA_X3.crt
Then save and run update-ca-certificates
And then restart affected services (apache, dovecot, whatever) using the cert.
but without success: Still valid certificate with the message “invalid certificate chain”.
Same problem here (on multiple up-to-date systems): I can successfully create new and valid certificates, but the system diagnostics complains about /etc/univention/letsencrypt/signed_chain.crt. Is it really correct to just replace /etc/univention/letsencrypt/intermediate-r3.pem as suggested by @sccmrb in this earlier post? Shouldn’t we keep an intermediate certificate there? Could it lead to other problems with UCS LE in the future? Maybe I’m not completely understanding it yet.
yes, system is at latest 4.4.8 1067
This does not solve my problem. I get a valid certificate. LE app renews the certificate, I restarted all necessary services and re-run the system diagnosis - again with the critical error
Ungültiges Zertifikat ‘/etc/univention/letsencrypt/signed_chain.crt’ gefunden:
error /etc/univention/letsencrypt/signed_chain.crt: verification failed
File /var/log/univention/letsencrypt.log shows some errors relating to file /usr/share/univention-letsencrypt/acme_tiny.py
ValueError: Error getting directory:
Url: https://acme-v02.api.letsencrypt.org/directory
Hi all,
I’ll share my recent experience. Maybe it will be useful for someone who is still dealing with the “Critical: Check validity of SSL certificates” warning.
Basically, UCS reports issues with the Let’s Encrypt SSL certificate if its relevant diagnostic scripts are not seeing the right files at the right locations.
I made the UCS self-diagnostic happy some weeks ago after modifying a few files by hand following this article.
The recent UCS Let’s Encrypt app update (v.2.0.0.2) process brought back the subject warning. This time around, I was paying more attention to the file names and extensions while troubleshooting. I used Midnight Commander (MC) for some simple steps and made backup copies of files that I deleted to recover them later without much pain if needed.
Files to delete if still present (some of them could be named a bit differently on your system):
# rm /usr/local/share/ca-certificates/lets-encrypt-r3.crt
# rm /etc/univention/letsencrypt/lets-encrypt-r3.pem
# rm /etc/ssl/certs/ISRG_Root_X1.pem
# rm /usr/share/ca-certificates/mozilla/ISRG_Root_X1.crt
# update-ca-certificates
Download the current Let’s Encrypt CA SSL Certificates
# wget -O /usr/share/ca-certificates/mozilla/ISRG_Root_X1.crt https://letsencrypt.org/certs/isrgrootx1.pem
# wget -O /usr/share/ca-certificates/mozilla/ISRG_Root_X2.crt https://letsencrypt.org/certs/isrg-root-x2.pem
Create symlinks
# ln -s /usr/share/ca-certificates/mozilla/ISRG_Root_X1.crt /etc/ssl/certs/ISRG_Root_X1.pem
# ln -s /usr/share/ca-certificates/mozilla/ISRG_Root_X2.crt /etc/ssl/certs/ISRG_Root_X2.pem
# update-ca-certificates
Download the current Let’s Encrypt Intermediate SSL Certificate
# wget -O /etc/univention/letsencrypt/lets-encrypt-r3.pem https://letsencrypt.org/certs/lets-encrypt-r3.pem
Create symlink
# ln -s /etc/univention/letsencrypt/lets-encrypt-r3.pem /usr/local/share/ca-certificates/lets-encrypt-r3.crt
# update-ca-certificates
Restart all services using these SSL certificates, run the software, app updates and system diagnostic checks to make sure all are looking good. Hopefully, it is the case as it was on all my UCS machines.
Good luck!
There is an update for LE. Unfortunately it does not fix my problem (valid certificate, renew is working, but an error message in the system diagnosis).
icke, the system diagnostic on all of my servers with LE installed was failing after the LE v2.0.0.2 update with the alert below.
error /etc/univention/letsencrypt/signed_chain.crt: verification failed
The steps I shared above helped me resolve the issue on every server. I realize that my systems and yours could differ. So, it’s hard to guess what could be an issue on your end without more information. Can you PM me the outputs from the following commands?
Show broken symlinks
# find /etc/ssl/certs/ -xtype l
# find /usr/local/share/ca-certificates/ -xtype l
Show folder contents
# ls -l /etc/ssl/certs/
# ls -l /etc/univention/letsencrypt/
# ls -l /usr/local/share/ca-certificates/
# ls -l /usr/share/ca-certificates/mozilla/
I wonder if the reason you are seeing the following is because your system still has an invalid LE intermediate certificate per this article.
ValueError: Error getting directory:
Url: https://acme-v02.api.letsencrypt.org/directory
ok, if I install the new LE my webserver does not start anymore.
But the apache service tells you the reason.
Login on console with SSH
Type in
systemctl status apache2.service
Read the output. I guess, the error message will claim a Letsencrypt error.
Post the output in this thread.
Are there any new points to report?
I am also in the same situation. After the tips of @sccmrb and @dejavu and the update of the LE app, my system renews the certificates, but the system diagnostic shows the same error message: signed_chain.crt: verification failed
A test on ssllabs.com even shows me an old certificate which expired on 17.3.2021.
In my opinion, the suggestion to replace the LE intermediate certificate with the LE root certificate in /etc/univention/letsencrypt/ is not a good one. Implementing it together with the steps I suggested is not good either. If you are comfortable with the CLI, have root or sudo access to your system and are OK to share some info about your system with me so that I can try to help you, send me a personal message.
My UCS server had no lets-encrypt-r3.pem (see #75).
I downloaded it using the wget command and did the two following steps (symlink and update ca).
Now the error message is gone.
@dejavu Thank you very much for your help and your patience!
I’m glad! Take care