System diagnostic suddenly gives me: Found invalid certificate '/etc/univention/letsencrypt/signed_chain.crt'

damrose,
Thank you for your provided feedback and taking care.

Our certificate problem was not only this “signed_chain” verify error and the critical message in the system diagnosis GUI, but also the lost connection to the mail server.
Right now, after turning some screws (and going back) and 3 UCS updates, I tried to renew the certificate. Both errors (openssl verify and GUI system diagnosis) still appear, but now the mail transfer works. So we only have to ignore the error messages.
When checking the certificate in Mozilla Firefox it seems to be valid.

Hi,

I can confirm that with today's release of Let's Encrypt (version 1.2.2-16) the system diagnostic is green now and back to normal. :+1:

BR,
Thomas

1 Like

Thanks for the confirmation, I was just about to write here that we released the App update.

1 Like

It’s the same with our system. All is up and running and green, “openssl verify …” is also OK now.
Thank you very much!

It seems that the certificate created by the new LE version is no SAN certificate (it contains only one of the names).

The Let’s Encrypt update changed the UCR value “letsencrypt/services/apache2” from “true” to “false”. So there was some trouble because Apache used the old self-signed certificate. After going back to “true” everything works fine again.

Thanks for the hint, on my system it was still set to “true”.

Just wondering if the according checkbox was ticked on your system or not?


I don’t know where to find “Dienste”. On “Systemdienste” I can only start or stop the services.
But I think the meaning of the UCR value “letsencrypt/services/apache2” (and the same with postfix and dovecot) is unambiguous.

I have the same problem.
In Nextcloud on UCS or Bitwarden my certificate is not working.

In my browser it's fine so far.

These are my settings in UCS:

apache2/ssl/certificate	/etc/univention/letsencrypt/signed_chain.crt
apache2/ssl/certificatechain	/etc/univention/letsencrypt/intermediate.pem
apache2/ssl/key	/etc/univention/letsencrypt/domain.key
appcenter/apps/letsencrypt/status	installed
appcenter/apps/letsencrypt/ucs	4.4
appcenter/apps/letsencrypt/version	1.2.2-16
kopano/cfg/ical/ssl_certificate_file	/etc/univention/letsencrypt/intermediate.pem
kopano/cfg/ical/ssl_private_key_file	/etc/univention/letsencrypt/domain.key
letsencrypt/domains	......................................
letsencrypt/services/apache2	true
letsencrypt/services/dovecot	false
letsencrypt/services/postfix	true
letsencrypt/staging	false
letsencrypt/status	Certificate refreshed at Do 28. Jan 18:57:23 CET 2021
letsencrypt/v2migrated	true
mail/postfix/ssl/cafile	

After today's update to 4.4-8 errata1057 I'm facing the same issue again:
System diagnostic says “Found invalid certificate” (see first post). I also tried to recreate the Let's Encrypt certificate but the script fails.

Please can someone from the UCS staff have a look?

Update: Just did a restore of my UCS Backup from last night and noticed that system diagnostic gives me the same error on 4.4-8 errata1054. Sorry for misleading information.

So obviously the error is not related to the last update. Maybe letsencrypt needs an update again (intermediate certificate)?

Update 2: Seems there was a change on letsencrypt-side (root certificate): https://community.letsencrypt.org/t/help-thread-for-dst-root-ca-x3-expiration-september-2021/149190/99

Hello,

I got this error today:


Ungültiges Zertifikat '/etc/univention/letsencrypt/signed_chain.crt' gefunden:
error /etc/univention/letsencrypt/signed_chain.crt: verification failed

Ungültiges Zertifikat '/etc/univention/letsencrypt/signed_chain.crt' gefunden:
error /etc/univention/letsencrypt/signed_chain.crt: verification failed

Siehe Univention Support Database - Erneuern der TLS/SSL-Zertifikate für Informationen zum Erneuern von Zertifikaten.

Hello,
we also have the same problem. The certificate (as shown in browser) seems to be valid. But system diagnosis shows the same error signed_chain.crt: verification failed.

Same here, the current (letsencrypt) certificate that is used by Apache is still valid. But due to the root certificate constraint you won't be able to create a new certificate. At least I failed when I tried to recreate the certificate.

Same problem here. Let’s Encrypt DST Root CA X3 expired today and we have warnings from browser about certificate validity.

openssl s_client -connect mydomain.com:443

CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT
---
Certificate chain
 0 s:/CN=mydomain.com
   i:/C=US/O=Let's Encrypt/CN=R3
 1 s:/C=US/O=Let's Encrypt/CN=R3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3

Yes, I tried to renew the certificate and I got errors:

/usr/share/univention-letsencrypt # ./refresh-cert-cron
gio 30 set 2021, 16.42.29, CEST
Refreshing certificate for following domains:
mydomain.com
Parsing account key...
Parsing CSR...
Found domains: mydomain.com
Getting directory...
Traceback (most recent call last):
  File "/usr/share/univention-letsencrypt/acme_tiny.py", line 197, in <module>
    main(sys.argv[1:])
  File "/usr/share/univention-letsencrypt/acme_tiny.py", line 193, in main
    signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca, disable_check=args.disable_check, directory_url=args.directory_url, contact=args.contact)
  File "/usr/share/univention-letsencrypt/acme_tiny.py", line 105, in get_crt
    directory, _, _ = _do_request(directory_url, err_msg="Error getting directory")
  File "/usr/share/univention-letsencrypt/acme_tiny.py", line 45, in _do_request
    raise ValueError("{0}:\nUrl: {1}\nData: {2}\nResponse Code: {3}\nResponse: {4}".format(err_msg, url, data, code, resp_data))
ValueError: Error getting directory:
Url: https://acme-v02.api.letsencrypt.org/directory
Data: None
Response Code: None
Response: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:661)>
Setting letsencrypt/status
run-parts: executing /etc/univention/letsencrypt/post-refresh.d//apache2
run-parts: executing /etc/univention/letsencrypt/post-refresh.d//dovecot
run-parts: executing /etc/univention/letsencrypt/post-refresh.d//postfix

Yep, same error here.
And it will fail again tonight (cron job that runs every 1st of the month to recreate the certificate).

The Let’s Encrypt app is failing to renew its certificate. I have run ‘update-ca-certificates’ and restarted apache2 but it still fails like this in /var/log/univention/letsencrypt.log:

Thu Sep 30 13:34:37 MDT 2021
Refreshing certificate for following domains:
groups.skaggscatholiccenter.org
Parsing account key...
Parsing CSR...
Found domains: groups.skaggscatholiccenter.org
Getting directory...
Traceback (most recent call last):
  File "/usr/share/univention-letsencrypt/acme_tiny.py", line 197, in <module>
    main(sys.argv[1:])
  File "/usr/share/univention-letsencrypt/acme_tiny.py", line 193, in main
    signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca, disable_check=args.disable_check, directory_url=args.directory_url, contact=args.contact)
  File "/usr/share/univention-letsencrypt/acme_tiny.py", line 105, in get_crt
    directory, _, _ = _do_request(directory_url, err_msg="Error getting directory")
  File "/usr/share/univention-letsencrypt/acme_tiny.py", line 45, in _do_request
    raise ValueError("{0}:\nUrl: {1}\nData: {2}\nResponse Code: {3}\nResponse: {4}".format(err_msg, url, data, code, resp_data))
ValueError: Error getting directory:
Url: https://acme-v02.api.letsencrypt.org/directory
Data: None
Response Code: None
Response: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:661)>
Setting letsencrypt/status

Now they did say they were ending a certificate on September 29th and this is affecting lots of people. It seems UCS has removed the certbot utility and I debug any further. Before you try to curl my server: I only allow 80/443 from the Let's Encrypt server list and it’s been this way for several years without issue.

One comment from a user on the Let’s Encrypt community was able to solve it with:

sudo certbot renew --force-renewal --preferred-chain "ISRG Root X1"

But we don’t have this option on Univention and I cannot see that there is a preferred chain option for the acme_tiny.py script in /usr/share/univention-letsencrypt.

I just uninstalled and reinstalled the Let’s Encrypt app and the /etc/univention/letsencrypt/intermediate-r3.pem cert is still expired. This app needs to be updated ASAP.

Replacing the contents of the certificate file located at /etc/univention/letsencrypt/intermediate-r3.pem with https://letsencrypt.org/certs/isrgrootx1.pem.txt and re-running a refresh or setup works as expected for me and successfully renews the certificate.

/usr/share/univention-letsencrypt/setup-letsencrypt 
Fri Oct  1 13:06:47 MDT 2021
Refreshing certificate for following domains:
groups.skaggscatholiccenter.org
Parsing account key...
Parsing CSR...
Found domains: groups.skaggscatholiccenter.org
Getting directory...
Directory found!
Registering account...
Already registered!
Creating new order...
Order created!
Verifying groups.skaggscatholiccenter.org...
groups.skaggscatholiccenter.org verified!
Signing certificate...
Certificate signed!
Certificate refreshed at Fri Oct  1 13:06:54 MDT 2021
Setting letsencrypt/status
Updating certificates in /etc/ssl/certs...
0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.
2 Likes
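The checks people in this thread ran by hand (openssl verify on signed_chain.crt, reading notAfter out of s_client output, swapping the trust anchor in intermediate-r3.pem) can be scripted so the next root or intermediate expiry is caught before the monthly cron run fails. The script below is an added example and is not part of the thread or of the Univention Let's Encrypt app: check_chain splits a PEM bundle into its certificates, prints each one's subject, issuer and notAfter, and fails if any certificate expires within a given number of days; verify_with_root verifies the bundle's leaf against one explicitly chosen root file only, so an expired root that is still present in the system store (DST Root CA X3 in this thread) cannot mask or cause the result. It goes beyond the single openssl verify call above by checking every certificate in the file. The function names, the paths in the comments and the default of 30 days are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or the Univention Let's Encrypt app).

# check_chain BUNDLE [DAYS]: list every certificate in a PEM bundle such as
# /etc/univention/letsencrypt/signed_chain.crt with subject, issuer and
# notAfter. Returns 1 if any certificate has expired or expires within DAYS
# (default 30, an assumed value), otherwise 0.
check_chain() {
  bundle="$1"
  days="${2:-30}"
  secs=$((days * 86400))
  status=0
  tmp=$(mktemp -d)
  # Split the bundle into one file per certificate: awk opens a new output
  # file at each BEGIN CERTIFICATE line and ignores any text before the first
  # one (e.g. "Bag Attributes" preambles), so bundle order is preserved.
  awk -v dir="$tmp" '/-----BEGIN CERTIFICATE-----/ { n++ }
                     n > 0 { print > (dir "/cert" n ".pem") }' "$bundle"
  for f in "$tmp"/cert*.pem; do
    subj=$(openssl x509 -in "$f" -noout -subject)
    issuer=$(openssl x509 -in "$f" -noout -issuer)
    end=$(openssl x509 -in "$f" -noout -enddate | cut -d= -f2)
    # -checkend N succeeds only if the certificate is still valid N seconds
    # from now, so N=0 means "not expired yet".
    if openssl x509 -in "$f" -noout -checkend "$secs" >/dev/null; then
      echo "OK       $subj | $issuer | notAfter=$end"
    else
      echo "EXPIRING $subj | $issuer | notAfter=$end"
      status=1
    fi
  done
  rm -rf "$tmp"
  return "$status"
}

# verify_with_root ROOT BUNDLE: verify the first certificate in BUNDLE using
# ROOT as the only trust anchor and the other certificates in BUNDLE as
# untrusted intermediates. -no-CApath keeps the system store (where an
# expired root may still live) out of the decision; this is the check that
# the intermediate-r3.pem replacement above makes succeed for the app.
verify_with_root() {
  root="$1"
  bundle="$2"
  openssl verify -no-CApath -CAfile "$root" -untrusted "$bundle" "$bundle"
}
```

Run it as `check_chain /etc/univention/letsencrypt/signed_chain.crt 30; verify_with_root /path/to/isrgrootx1.pem /etc/univention/letsencrypt/signed_chain.crt` (paths assumed) from a cron job a few days before the app's own renewal, and act on a non-zero exit status.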