System diagnostic suddenly gives me: Found invalid certificate '/etc/univention/letsencrypt/signed_chain.crt'

As Problem: Connection to let's encryted domains from UCS not trusted did not solve it for mee too your solution worked


I can confirm that the recently released updates (errata 1059 an 1060) are NOT fixing our issue:

Replacing the content of the intermediate certificate (intermediate-r3.pem) as proposed by sccmrb allowed me to succesfully refresh my letsencrypt certificates. Thanks to sccmrb for finding out and share with us.

Anyway … my initial issue remains. System diagnostic still says “found invalid certificate”.

1 Like

I tried it, but still no luck.
My iphone and my homeassistant server still complain about the certificate!

Best regards,

Search in the certificate store of your devices the certificate “DST Root CA X3” expired on Sep, 30th 2012 and remove them.
Apps seem to pull them even, if the successor certificate exists. I had this problem with the Nextcloud desktop-app.

Certificate store is /etc/ca-certificates.conf and comment out with an ! in front like this:


Then save and then run update_ca_certificates

And then restart affected services (apache, dovecot, whatever) using the cert.

1 Like

In my Apple devices and m homeassistant Installation ist still Shows Error with certificate. I did all steps above and Made a restart of my Server, but the Problem still exists.

I confirm this.

Three weeks ago i bought an iPad and this doesn‘t have any problems before and after the steps above. But my iPhone and another iPad show the known errors before and after. I made backups of both devices, reset the devices, download the right .ipsw-file of iOS 15 and restored the devices via iTunes with these files. Finally i restored with the backups. Now they are working with my server.

My UCS installation updated the certificate correctly. The certificate in browser seems valid, no error. All services seem to work correctly. But the system diagnosis still reports a critical error (invalid certificate chain).

Hello together,

I tried all the steps, but still my univention shows ssl error.
I do not know what to do further more.
Can somebody please give me a hint?
I have seen this,

but I do not know how to get it into univention

Best regards,

Have you guys updated to the latest errata updates in UCS? 4.4-x and 5.0.x have all updated their errata to include a fix for this now according to the UCS bug report I filed.

I tried this

Certificate store is /etc/ca-certificates.conf and comment out with an ! in front like this:
Then save and then run update_ca_certificates
And then restart affected services (apache, dovecot, whatever) using the cert.

but without success: Still valid certificate with the message “invalid certificate chain”.

Same problem here (on multiple up-to-date systems): I can successfully create new and valid certificates, but the system diagnostics complains about /etc/univention/letsencrypt/signed_chain.crt. Is it really correct to just replace /etc/univention/letsencrypt/intermediate-r3.pem like suggested by @sccmrb in this earlier post? Shouldn’t we keep an Intermediate Certificate there? Could it lead to other problems with UCS LE in the future? Maybe I’m not completely understanding it yet.

yes, system is at latest 4.4.8 1067

This does not solve my problem. I get a valid certificate. LE app renews the certificate, I restarted all necessary services and re-run the system diagnosis - again with the critical error

Ungültiges Zertifikat ‘/etc/univention/letsencrypt/signed_chain.crt’ gefunden:
error /etc/univention/letsencrypt/signed_chain.crt: verification failed

File /var/log/univention/letsencrypt.log shows some errors relating to file /usr/share/univention-letsencrypt/

ValueError: Error getting directory:

Hi all,

I’ll share my recent experience. Maybe it will be useful for some who is still dealing with the “Critical: Check validity of SSL certificates” warning.

Basically, UCS is reporting issues with Let’s Encrypt SSL certificate if its relevant diagnistics scripts are not seeing the right files at the right locations.

I made the UCS self-diagnostic happy some weeks ago after modifying a few files by hand following this article.

The recent UCS Let’s Encrypt app update (v. process brought back the subject warning. This time around, I was paying more attention to the file names and extensions while troubleshooting. I used Midnight Commander (MC) for some simple steps and made backup copies of files that I deleted to recover them later without much pain if needed.

Files to delete if still present (some of them could be named a bit differently on your system):

# rm /usr/local/share/ca-certificates/lets-encrypt-r3.crt
# rm /etc/univention/letsencrypt/lets-encrypt-r3.pem
# rm /etc/ssl/certs/ISRG_Root_X1.pem
# rm /usr/share/ca-certificates/mozilla/ISRG_Root_X1.crt
# update-ca-certificates

Download the current Let’s Encrypt CA SSL Certificates

# wget -O /usr/share/ca-certificates/mozilla/ISRG_Root_X1.crt
# wget -O /usr/share/ca-certificates/mozilla/ISRG_Root_X2.crt

Create symlinks

# ln -s /usr/share/ca-certificates/mozilla/ISRG_Root_X1.crt /etc/ssl/certs/ISRG_Root_X1.pem
# ln -s /usr/share/ca-certificates/mozilla/ISRG_Root_X2.crt /etc/ssl/certs/ISRG_Root_X2.pem
# update-ca-certificates

Download the current Let’s Encrypt Intermediate SSL Certificate

# wget -O /etc/univention/letsencrypt/lets-encrypt-r3.pem

Create symlink

# ln -s /etc/univention/letsencrypt/lets-encrypt-r3.pem /usr/local/share/ca-certificates/lets-encrypt-r3.crt
# update-ca-certificates

Restart all services using these SSL certificates, run the software, app updates and system diagnostic checks to make sure all are looking good. Hopefully, it is the case as it was on all my UCS machines.

Good luck!

1 Like

There is an update for LE. Unfortunately it does not fix my problem (valid certificate, renew is working, but an error message in the system diagnosis).

icke, system diagnostic on all of mine servers with LE installed was failing after the LE v2.0.0.2 update with the below alert.

error /etc/univention/letsencrypt/signed_chain.crt: verification failed

The steps I shared above helped me resolve the issue on every server. I realize that mine and your systems could differ. So, it’s hard to guess what could be an issue on your end without more information. Can you PM me outputs from the following commands?

Show broken symlinks

# find /etc/ssl/certs/ -xtype l
# find /usr/local/share/ca-certificates/ -xtype l

Show folder contents

# ls -l /etc/ssl/certs/
# ls -l /etc/univention/letsencrypt/
# ls -l /usr/local/share/ca-certificates/
# ls -l /usr/share/ca-certificates/mozilla/

I wonder if the reason you are seeing the following is because your system still has an invalid LE intermediate certificate per this article.

ValueError: Error getting directory: