System diagnostic suddenly gives me: Found invalid certificate '/etc/univention/letsencrypt/signed_chain.crt'

Hello, if I try to download the letsencrypt certificate I get the following error:

--2021-10-26 06:32:40--  https://letsencrypt.org/certs/lets-encrypt-r3.pem
Auflösen des Hostnamens »letsencrypt.org (letsencrypt.org)« … 3.125.252.47, 159.65.118.56, 2a05:d014:275:cb00:c26c:5b6d:e2c8:e5a, ...
Verbindungsaufbau zu letsencrypt.org (letsencrypt.org)|3.125.252.47|:443 … verbunden.
GnuTLS: Resource temporarily unavailable, try again.
GnuTLS: Resource temporarily unavailable, try again.
GnuTLS: Resource temporarily unavailable, try again.
FEHLER: Dem Zertifikat von »letsencrypt.org« wird nicht vertraut.
FEHLER: Das Zertifikat von »»letsencrypt.org«« wurde von einem unbekannten Austeller herausgegeben.

Hi,

I have downloaded (wget) the certificate lets-encrypt-r3.pem to /etc/univention/letsencrypt/
wget -O /etc/univention/letsencrypt/lets-encrypt-r3.pem https://letsencrypt.org/certs/lets-encrypt-r3.pem

Next I have created the symlink:
ln -s /etc/univention/letsencrypt/lets-encrypt-r3.pem /usr/local/share/ca-certificates/lets-encrypt-r3.crt

Running “update-ca-certificates” gives me (nothing was added or removed):

Updating certificates in /etc/ssl/certs...
0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.

System diagnostic still complains about invalid certificate. Did I miss something here?

This was exactly the way that worked for my UCS installation.

When wget is used to download a file over secure http, it's relying on the available relevant SSL certificate on the server wget is running on to validate the SSL certificate offered by the LE website on the HTTPS port. I think the download fails because ISRG_Root_X1.crt may be invalid on your server. You can check ISRG_Root_X1.crt validity with this command:

# openssl verify /usr/share/ca-certificates/mozilla/ISRG_Root_X1.crt

Try to run this command to freshen up local SSL certificates and run wget again.

# update-ca-certificates --fresh

If after the above step wget download still does not behave, you could force wget not to check for the server certificate while requesting a download. This is not a secure method and should be used with due caution. The downloaded certificate can later be verified to make sure it is genuine if in doubt.

# wget --no-check-certificate -O /etc/univention/letsencrypt/lets-encrypt-r3.pem https://letsencrypt.org/certs/lets-encrypt-r3.pem

If ISRG_Root_X1.crt validity check fails, you would also need to update it on your server manually.

You can download the lets-encrypt-r3.pem file on a client computer and upload to your UCS server.
Or you download it with the “no-check-certificate” option on the UCS server and on a client computer and compare both files.

icke, dejavu thank you both for your support!

Finally :slight_smile: “update-ca-certificates --fresh” did the trick for me
System diagnostic is back to normal now and shows no more errors.

In my case these are the 3 steps in order to get rid of the system diagnostic error:

1. wget -O /etc/univention/letsencrypt/lets-encrypt-r3.pem https://letsencrypt.org/certs/lets-encrypt-r3.pem
2. ln -s /etc/univention/letsencrypt/lets-encrypt-r3.pem /usr/local/share/ca-certificates/lets-encrypt-r3.crt
3. update-ca-certificates --fresh


If I try this I get this error:

openssl verify /usr/share/ca-certificates/mozilla/ISRG_Root_X1.crt
unable to load certificate
140288394727488:error:0906D06C:PEM routines:PEM_read_bio:no start line:../crypto/pem/pem_lib.c:686:Expecting: TRUSTED CERTIFICATE

r100gs, update ISRG_Root_X1 on your system with these steps.

# wget -O /usr/share/ca-certificates/mozilla/ISRG_Root_X1.crt https://letsencrypt.org/certs/isrgrootx1.pem
# ln -s /usr/share/ca-certificates/mozilla/ISRG_Root_X1.crt /etc/ssl/certs/ISRG_Root_X1.pem
# update-ca-certificates

If wget returns a download error, download the LE root certificate to a trusted computer and then transfer the file to the server or use --no-check-certificate like so (with caution as discussed above).

# wget --no-check-certificate -O /usr/share/ca-certificates/mozilla/ISRG_Root_X1.crt https://letsencrypt.org/certs/isrgrootx1.pem

finally

update-ca-certificates --fresh

did the trick for my system too!

So everything is fine atm.
THX @dejavu for your patience!

Best regards,
Stefan

Glad it worked for you!

B)

ok, now the error in univention system diagnostic is gone, but on my android phone and iphone I still can't access my nextcloud without certificate error.
On android it's possible to accept the certificate, but on iphone it's not

You just solved my problem. Thanks a lot.

This SSL issue is rather pesky, isn’t it? And many folks have their own flavor of it. What does https://www.ssllabs.com/ssltest/ have to say about your server FQDN?

Yes, that's true. It drives me crazy.


r100gs, are the UCR variables you posted earlier still the same? I’m assuming that letsencrypt/domains is not blank, but your FQDN.

apache2/ssl/certificate	/etc/univention/letsencrypt/signed_chain.crt
apache2/ssl/certificatechain	/etc/univention/letsencrypt/intermediate.pem
apache2/ssl/key	/etc/univention/letsencrypt/domain.key
appcenter/apps/letsencrypt/status	installed
appcenter/apps/letsencrypt/ucs	4.4
appcenter/apps/letsencrypt/version	1.2.2-16
kopano/cfg/ical/ssl_certificate_file	/etc/univention/letsencrypt/intermediate.pem
kopano/cfg/ical/ssl_private_key_file	/etc/univention/letsencrypt/domain.key
letsencrypt/domains	......................................
letsencrypt/services/apache2	true
letsencrypt/services/dovecot	false
letsencrypt/services/postfix	true
letsencrypt/staging	false
letsencrypt/status	Certificate refreshed at Do 28. Jan 18:57:23 CET 2021
letsencrypt/v2migrated	true
mail/postfix/ssl/cafile	

Is /etc/univention/letsencrypt/intermediate.pem valid?

# openssl verify /etc/univention/letsencrypt/intermediate.pem
# openssl x509 -noout -in /etc/univention/letsencrypt/intermediate.pem -issuer -dates -fingerprint -subject

No, it's not valid

openssl verify /etc/univention/letsencrypt/intermediate.pem
C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
error 20 at 0 depth lookup: unable to get local issuer certificate
error /etc/univention/letsencrypt/intermediate.pem: verification failed

 openssl x509 -noout -in /etc/univention/letsencrypt/intermediate.pem -issuer -dates -fingerprint -subject
issuer=O = Digital Signature Trust Co., CN = DST Root CA X3
notBefore=Mar 17 16:40:46 2016 GMT
notAfter=Mar 17 16:40:46 2021 GMT
SHA1 Fingerprint=E6:A3:B4:5B:06:2D:50:9B:33:82:28:2D:19:6E:FE:97:D5:95:6C:CB
subject=C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3

Outdated since last March
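The two manual checks above (openssl x509 -dates and openssl verify) as one reusable shell function; this is an added example, not code from the thread or from the Let's Encrypt app. It assumes openssl is in PATH and only uses the thread's file paths as the suggested input.

```shell
#!/bin/sh
# Added example (not from the thread or the Let's Encrypt app). Assumes
# openssl in PATH. Typical call, the thread's case:
#   cert_status /etc/univention/letsencrypt/intermediate.pem
# or, for a renewal check with 30 days of headroom against the system store:
#   cert_status /etc/univention/letsencrypt/signed_chain.crt "" 2592000

# cert_status FILE [CAFILE] [SECONDS]
#   Prints subject, issuer and notAfter of the first certificate in FILE.
#   Returns 0 when the certificate stays valid for at least SECONDS more
#   (default 0) and chains to CAFILE (default: the system trust store),
#   1 when it is expired or expires within SECONDS, 2 when it does not
#   verify against the trust store, 3 when FILE is not a PEM certificate.
cert_status() {
  file="$1"; cafile="$2"; headroom="${3:-0}"
  openssl x509 -noout -in "$file" -subject -issuer -enddate 2>/dev/null \
    || { echo "not a certificate: $file"; return 3; }
  # -checkend N exits non-zero when notAfter lies within the next N seconds,
  # so N=0 is a plain "already expired?" test (the X3 intermediate above)
  if ! openssl x509 -noout -in "$file" -checkend "$headroom" >/dev/null 2>&1; then
    echo "EXPIRED (or expiring within ${headroom}s): $file"
    return 1
  fi
  # Verify against an explicit bundle, otherwise openssl's default store
  # (/etc/ssl/certs, which update-ca-certificates maintains)
  if [ -n "$cafile" ]; then set -- -CAfile "$cafile" "$file"; else set -- "$file"; fi
  if ! out=$(openssl verify "$@" 2>&1); then
    # "unable to get local issuer certificate" here means the issuer
    # (e.g. ISRG Root X1) is missing from the trust store
    echo "does not verify: $out"
    return 2
  fi
  echo "OK: $file"
}
```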

After problems with the upgrade to v5.0.0 I finally got this LetsEncrypt error again. But I remembered this thread and could solve the problem again. That's why: again, many thanks.

I am also still stuck at

notAfter=Mar 17 16:40:46 2021 GMT

tried the suggestions in this thread already, including

update-ca-certificates --fresh

After a fresh installation of UCS 5.0.2 with Let's Encrypt I got the same error in system diagnostic again. But the solution of tpfann in #87 was the right tip.

Many thanks
