System diagnostic suddenly gives me: Found invalid certificate '/etc/univention/letsencrypt/signed_chain.crt'

As Problem: Connection to let's encryted domains from UCS not trusted did not solve it for mee too your solution worked

rg
Christian

I can confirm that the recently released updates (errata 1059 an 1060) are NOT fixing our issue:

Replacing the content of the intermediate certificate (intermediate-r3.pem) as proposed by sccmrb allowed me to succesfully refresh my letsencrypt certificates. Thanks to sccmrb for finding out and share with us.

Anyway ā€¦ my initial issue remains. System diagnostic still says ā€œfound invalid certificateā€.

1 Like

I tried it, but still no luck.
My iphone and my homeassistant server still complain about the certificate!

Best regards,
Stefan

Search in the certificate store of your devices the certificate ā€œDST Root CA X3ā€ expired on Sep, 30th 2012 and remove them.
Apps seem to pull them even, if the successor certificate exists. I had this problem with the Nextcloud desktop-app.

Certificate store is /etc/ca-certificates.conf and comment out with an ! in front like this:

!mozilla/DST_Root_CA_X3.crt

Then save and then run update_ca_certificates

And then restart affected services (apache, dovecot, whatever) using the cert.

1 Like

In my Apple devices and m homeassistant Installation ist still Shows Error with certificate. I did all steps above and Made a restart of my Server, but the Problem still exists.

I confirm this.

Three weeks ago i bought an iPad and this doesnā€˜t have any problems before and after the steps above. But my iPhone and another iPad show the known errors before and after. I made backups of both devices, reset the devices, download the right .ipsw-file of iOS 15 and restored the devices via iTunes with these files. Finally i restored with the backups. Now they are working with my server.

My UCS installation updated the certificate correctly. The certificate in browser seems valid, no error. All services seem to work correctly. But the system diagnosis still reports a critical error (invalid certificate chain).

Hello together,

I tried all the steps, but still my univention shows ssl error.
I do not know what to do further more.
Can somebody please give me a hint?
I have seen this,

but I do not know how to get it into univention

Best regards,
Stefan

Have you guys updated to the latest errata updates in UCS? 4.4-x and 5.0.x have all updated their errata to include a fix for this now according to the UCS bug report I filed.

I tried this

Certificate store is /etc/ca-certificates.conf and comment out with an ! in front like this:
!mozilla/DST_Root_CA_X3.crt
Then save and then run update_ca_certificates
And then restart affected services (apache, dovecot, whatever) using the cert.

but without success: Still valid certificate with the message ā€œinvalid certificate chainā€.

Same problem here (on multiple up-to-date systems): I can successfully create new and valid certificates, but the system diagnostics complains about /etc/univention/letsencrypt/signed_chain.crt. Is it really correct to just replace /etc/univention/letsencrypt/intermediate-r3.pem like suggested by @sccmrb in this earlier post? Shouldnā€™t we keep an Intermediate Certificate there? Could it lead to other problems with UCS LE in the future? Maybe Iā€™m not completely understanding it yet.

yes, system is at latest 4.4.8 1067

This does not solve my problem. I get a valid certificate. LE app renews the certificate, I restarted all necessary services and re-run the system diagnosis - again with the critical error

UngĆ¼ltiges Zertifikat ā€˜/etc/univention/letsencrypt/signed_chain.crtā€™ gefunden:
error /etc/univention/letsencrypt/signed_chain.crt: verification failed

File /var/log/univention/letsencrypt.log shows some errors relating to file /usr/share/univention-letsencrypt/acme_tiny.py

ValueError: Error getting directory:
Url: https://acme-v02.api.letsencrypt.org/directory

Hi all,

Iā€™ll share my recent experience. Maybe it will be useful for some who is still dealing with the ā€œCritical: Check validity of SSL certificatesā€ warning.

Basically, UCS is reporting issues with Letā€™s Encrypt SSL certificate if its relevant diagnistics scripts are not seeing the right files at the right locations.

I made the UCS self-diagnostic happy some weeks ago after modifying a few files by hand following this article.

The recent UCS Letā€™s Encrypt app update (v.2.0.0.2) process brought back the subject warning. This time around, I was paying more attention to the file names and extensions while troubleshooting. I used Midnight Commander (MC) for some simple steps and made backup copies of files that I deleted to recover them later without much pain if needed.

Files to delete if still present (some of them could be named a bit differently on your system):

# rm /usr/local/share/ca-certificates/lets-encrypt-r3.crt
# rm /etc/univention/letsencrypt/lets-encrypt-r3.pem
# rm /etc/ssl/certs/ISRG_Root_X1.pem
# rm /usr/share/ca-certificates/mozilla/ISRG_Root_X1.crt
# update-ca-certificates

Download the current Letā€™s Encrypt CA SSL Certificates

# wget -O /usr/share/ca-certificates/mozilla/ISRG_Root_X1.crt https://letsencrypt.org/certs/isrgrootx1.pem
# wget -O /usr/share/ca-certificates/mozilla/ISRG_Root_X2.crt https://letsencrypt.org/certs/isrg-root-x2.pem

Create symlinks

# ln -s /usr/share/ca-certificates/mozilla/ISRG_Root_X1.crt /etc/ssl/certs/ISRG_Root_X1.pem
# ln -s /usr/share/ca-certificates/mozilla/ISRG_Root_X2.crt /etc/ssl/certs/ISRG_Root_X2.pem
# update-ca-certificates

Download the current Letā€™s Encrypt Intermediate SSL Certificate

# wget -O /etc/univention/letsencrypt/lets-encrypt-r3.pem https://letsencrypt.org/certs/lets-encrypt-r3.pem

Create symlink

# ln -s /etc/univention/letsencrypt/lets-encrypt-r3.pem /usr/local/share/ca-certificates/lets-encrypt-r3.crt
# update-ca-certificates

Restart all services using these SSL certificates, run the software, app updates and system diagnostic checks to make sure all are looking good. Hopefully, it is the case as it was on all my UCS machines.

Good luck!

1 Like

There is an update for LE. Unfortunately it does not fix my problem (valid certificate, renew is working, but an error message in the system diagnosis).

1 Like

icke, system diagnostic on all of mine servers with LE installed was failing after the LE v2.0.0.2 update with the below alert.

error /etc/univention/letsencrypt/signed_chain.crt: verification failed

The steps I shared above helped me resolve the issue on every server. I realize that mine and your systems could differ. So, itā€™s hard to guess what could be an issue on your end without more information. Can you PM me outputs from the following commands?

Show broken symlinks

# find /etc/ssl/certs/ -xtype l
# find /usr/local/share/ca-certificates/ -xtype l

Show folder contents

# ls -l /etc/ssl/certs/
# ls -l /etc/univention/letsencrypt/
# ls -l /usr/local/share/ca-certificates/
# ls -l /usr/share/ca-certificates/mozilla/

I wonder if the reason you are seeing the following is because your system still has an invalid LE intermediate certificate per this article.

ValueError: Error getting directory:
Url: https://acme-v02.api.letsencrypt.org/directory

ok, if I install the new LE my webserver does not start anymore.

But the apache service tells you the reason.
Login on console with SSH
Type in

systemctl status apache2.service

Read the output. I guess, the error message will claim a Letsencrypt error.

Post the output in this thread.

Hello @dejavu and @r100gs

Are there any new points to report?

I am also in the same situation. After the tips of @sccmrb and @dejavu and the update of the LE app my system renews the certificates but the system diagnostic puts the same error messages signed_chain.crt: verification failed

A test on ssllabs.com even shows me an old certificate which expired in 17.3.2021.

Mastodon