System diagnostic suddenly gives me: Found invalid certificate '/etc/univention/letsencrypt/signed_chain.crt'

r100gs · October 26, 2021, 4:52am

Hello, if I try to download the letsencrypt certificate I get following error:

--2021-10-26 06:32:40--  https://letsencrypt.org/certs/lets-encrypt-r3.pem
Auflösen des Hostnamens »letsencrypt.org (letsencrypt.org)« … 3.125.252.47, 159.65.118.56, 2a05:d014:275:cb00:c26c:5b6d:e2c8:e5a, ...
Verbindungsaufbau zu letsencrypt.org (letsencrypt.org)|3.125.252.47|:443 … verbunden.
GnuTLS: Resource temporarily unavailable, try again.
GnuTLS: Resource temporarily unavailable, try again.
GnuTLS: Resource temporarily unavailable, try again.
FEHLER: Dem Zertifikat von »letsencrypt.org« wird nicht vertraut.
FEHLER: Das Zertifikat von »»letsencrypt.org«« wurde von einem unbekannten Austeller herausgegeben.

tpfann · October 26, 2021, 6:30am

Hi,

I have downloaded (wget) the certificate lets-encrypt-r3.pem to /etc/univention/letsencrypt/
wget -O /etc/univention/letsencrypt/lets-encrypt-r3.pem https://letsencrypt.org/certs/lets-encrypt-r3.pem

Next I have created the symlink:
ln -s /etc/univention/letsencrypt/lets-encrypt-r3.pem /usr/local/share/ca-certificates/lets-encrypt-r3.crt

Running “update-ca-certificates” gives me (nothing was added or removed):

Updating certificates in /etc/ssl/certs...
0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.

System diagnostic still complains about invalid certificate. Did I missed something here?

icke · October 26, 2021, 3:29pm

This was exactly the way that worked for my UCS installation.

dejavu · October 26, 2021, 3:32pm

When wget is used to download a file over secure http, its relying on the available relevant SSL certificate on the server wget is running on to validate the SSL certificate offered by the LE website on the HTTPS port. I think, the download fails because ISRG_Root_X1.crt may be invalid on your server. You can check ISRG_Root_X1.crt validity with this command:

# openssl verify /usr/share/ca-certificates/mozilla/ISRG_Root_X1.crt

Try to run this command to freshen up local SSL certificates and run wget again.

# update-ca-certificates --fresh

If after the above step wget download still does not behave, you could force wget not to check for the server certificate while requesting a download. This is not a secure method and should be used with due caution. The downloaded certificate can later be verified to make sure it is genuine if in doubt.

# wget --no-check-certificate -O /etc/univention/letsencrypt/lets-encrypt-r3.pem https://letsencrypt.org/certs/lets-encrypt-r3.pem

If ISRG_Root_X1.crt validity check fails, you would also need to update it on your server manually.

icke · October 26, 2021, 3:42pm

You can download the lets-encrypt-r3.pem file on a client computer and upload to your UCS server.
Or you download it with “no-check-certifcate” option on the UCS server and on a client computer and compare both files.

tpfann · October 26, 2021, 3:51pm

icke, dejavu thank you both for your support!

Finally “update-ca-certificates –fresh” did the trick for me
System diagnostic is back to normal now and shows no more errors.

In my case these are the 3 steps in order to get rid of the system diagnostic error:

1. wget -O /etc/univention/letsencrypt/lets-encrypt-r3.pem https://letsencrypt.org/certs/lets-encrypt-r3.pem
2. ln -s /etc/univention/letsencrypt/lets-encrypt-r3.pem /usr/local/share/ca-certificates/lets-encrypt-r3.crt
3. update-ca-certificates --fresh

systemdiag

r100gs · October 27, 2021, 9:54am

If I try this I get this error:

openssl verify /usr/share/ca-certificates/mozilla/ISRG_Root_X1.crt
unable to load certificate
140288394727488:error:0906D06C:PEM routines:PEM_read_bio:no start line:../crypto/pem/pem_lib.c:686:Expecting: TRUSTED CERTIFICATE

dejavu · October 27, 2021, 7:25pm

r100gs, update ISRG_Root_X1 on your system with these steps.

# wget -O /usr/share/ca-certificates/mozilla/ISRG_Root_X1.crt https://letsencrypt.org/certs/isrgrootx1.pem
# ln -s /usr/share/ca-certificates/mozilla/ISRG_Root_X1.crt /etc/ssl/certs/ISRG_Root_X1.pem
# update-ca-certificates

If wget returns a download error, download the LE root certificate to a trusted computer and then transfer the file to the server or use --no-check-certificate like so (with caution as discussed above).

# wget --no-check-certificate -O /usr/share/ca-certificates/mozilla/ISRG_Root_X1.crt https://letsencrypt.org/certs/isrgrootx1.pem

r100gs · October 28, 2021, 4:47am

finaly

update-ca-certificates --fresh

did the trick for my system too!

So everything is fine atm.
THX @dejavu for your patience!

Best regards,
Stefan

dejavu · October 28, 2021, 5:33pm

Glad it worked for you!

B)

r100gs · October 29, 2021, 4:13am

ok, now the error in univention system diagnostic is gone, but on my android phone and iphone I still can´t access my nextcloud without certificate error.
On android its possible to accept the certificate, but on iphone its not

nirjhar · October 29, 2021, 6:08am

You just solved my problem. Thanks a lot.

dejavu · October 30, 2021, 12:20am

This SSL issue is rather pesky, isn’t it? And many folks have their own flavor of it. What does https://www.ssllabs.com/ssltest/ have to say about your server FQDN?

r100gs · October 30, 2021, 2:51pm

Yes, thats true. It drives me crazy.

SSL Test

dejavu · October 30, 2021, 4:44pm

r100gs, are the UCR variables you posted earlier still the same? I’m assuming that letsencrypt/domains is not blank, but your FQDN.

apache2/ssl/certificate	/etc/univention/letsencrypt/signed_chain.crt
apache2/ssl/certificatechain	/etc/univention/letsencrypt/intermediate.pem
apache2/ssl/key	/etc/univention/letsencrypt/domain.key
appcenter/apps/letsencrypt/status	installed
appcenter/apps/letsencrypt/ucs	4.4
appcenter/apps/letsencrypt/version	1.2.2-16
kopano/cfg/ical/ssl_certificate_file	/etc/univention/letsencrypt/intermediate.pem
kopano/cfg/ical/ssl_private_key_file	/etc/univention/letsencrypt/domain.key
letsencrypt/domains	......................................
letsencrypt/services/apache2	true
letsencrypt/services/dovecot	false
letsencrypt/services/postfix	true
letsencrypt/staging	false
letsencrypt/status	Certificate refreshed at Do 28. Jan 18:57:23 CET 2021
letsencrypt/v2migrated	true
mail/postfix/ssl/cafile

Is /etc/univention/letsencrypt/intermediate.pem valid?

# openssl verify /etc/univention/letsencrypt/intermediate.pem
# openssl x509 -noout -in /etc/univention/letsencrypt/intermediate.pem -issuer -dates -fingerprint -subject

r100gs · November 2, 2021, 5:25am

No, its not valid

openssl verify /etc/univention/letsencrypt/intermediate.pem
C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
error 20 at 0 depth lookup: unable to get local issuer certificate
error /etc/univention/letsencrypt/intermediate.pem: verification failed

 openssl x509 -noout -in /etc/univention/letsencrypt/intermediate.pem -issuer -dates -fingerprint -subject
issuer=O = Digital Signature Trust Co., CN = DST Root CA X3
notBefore=Mar 17 16:40:46 2016 GMT
notAfter=Mar 17 16:40:46 2021 GMT
SHA1 Fingerprint=E6:A3:B4:5B:06:2D:50:9B:33:82:28:2D:19:6E:FE:97:D5:95:6C:CB
subject=C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3

Mornsgrans · November 2, 2021, 6:38am

Outdated since last March

icke · January 31, 2022, 3:53pm

After problems with upgrade to v5.0.0 I got finally again this LetsEncrypt Error. But I remembered this thread - and could solve the problem again. That’s why: Again many thanks.

riess82 · May 12, 2022, 12:31pm

I am also still stuck at

notAfter=Mar 17 16:40:46 2021 GMT

tried the suggestions in this thread already, including

update-ca-certificates --fresh

Heiko · November 16, 2022, 3:16pm

After fresh installation of UCS 5.0.2 with Let’s Encrypt i got the same error in system diagnostic again. But the the solution of tpfann in #87 was the right tip.

Many thanks