In my opinion, the suggestion to replace LE intermediate certificate with LE root certificate in /etc/univention/letsencrypt/ is not a good one. Implementing it with steps I suggested at the same time is not good either. If you are comfortable with CLI, have root or sudo access to your system and OK to share some info about your system with me, so that I could try to help you, send me a personal message.
My UCS server had no lets-encrypt-r3.pem (see #75).
I downloaded it using the wget command and did the two following steps (symlink and update ca).
Now the error message is gone.
@dejavu Thank you very much for your help and your patience!
I’m glad! Take care 
Hello, if I try to download the letsencrypt certificate I get following error:
--2021-10-26 06:32:40-- https://letsencrypt.org/certs/lets-encrypt-r3.pem
Auflösen des Hostnamens »letsencrypt.org (letsencrypt.org)« … 3.125.252.47, 159.65.118.56, 2a05:d014:275:cb00:c26c:5b6d:e2c8:e5a, ...
Verbindungsaufbau zu letsencrypt.org (letsencrypt.org)|3.125.252.47|:443 … verbunden.
GnuTLS: Resource temporarily unavailable, try again.
GnuTLS: Resource temporarily unavailable, try again.
GnuTLS: Resource temporarily unavailable, try again.
FEHLER: Dem Zertifikat von »letsencrypt.org« wird nicht vertraut.
FEHLER: Das Zertifikat von »»letsencrypt.org«« wurde von einem unbekannten Austeller herausgegeben.
Hi,
I have downloaded (wget) the certificate lets-encrypt-r3.pem to /etc/univention/letsencrypt/
wget -O /etc/univention/letsencrypt/lets-encrypt-r3.pem https://letsencrypt.org/certs/lets-encrypt-r3.pem
Next I have created the symlink:
ln -s /etc/univention/letsencrypt/lets-encrypt-r3.pem /usr/local/share/ca-certificates/lets-encrypt-r3.crt
Running “update-ca-certificates” gives me (nothing was added or removed):
Updating certificates in /etc/ssl/certs...
0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.
System diagnostic still complains about invalid certificate. Did I missed something here?
This was exactly the way that worked for my UCS installation.
When wget is used to download a file over secure http, its relying on the available relevant SSL certificate on the server wget is running on to validate the SSL certificate offered by the LE website on the HTTPS port. I think, the download fails because ISRG_Root_X1.crt may be invalid on your server. You can check ISRG_Root_X1.crt validity with this command:
# openssl verify /usr/share/ca-certificates/mozilla/ISRG_Root_X1.crt
Try to run this command to freshen up local SSL certificates and run wget again.
# update-ca-certificates --fresh
If after the above step wget download still does not behave, you could force wget not to check for the server certificate while requesting a download. This is not a secure method and should be used with due caution. The downloaded certificate can later be verified to make sure it is genuine if in doubt.
# wget --no-check-certificate -O /etc/univention/letsencrypt/lets-encrypt-r3.pem https://letsencrypt.org/certs/lets-encrypt-r3.pem
If ISRG_Root_X1.crt validity check fails, you would also need to update it on your server manually.
You can download the lets-encrypt-r3.pem file on a client computer and upload to your UCS server.
Or you download it with “no-check-certifcate” option on the UCS server and on a client computer and compare both files.
icke, dejavu thank you both for your support!
Finally “update-ca-certificates –fresh” did the trick for me
System diagnostic is back to normal now and shows no more errors.
In my case these are the 3 steps in order to get rid of the system diagnostic error:
1. wget -O /etc/univention/letsencrypt/lets-encrypt-r3.pem https://letsencrypt.org/certs/lets-encrypt-r3.pem
2. ln -s /etc/univention/letsencrypt/lets-encrypt-r3.pem /usr/local/share/ca-certificates/lets-encrypt-r3.crt
3. update-ca-certificates --fresh
7 Likes
If I try this I get this error:
openssl verify /usr/share/ca-certificates/mozilla/ISRG_Root_X1.crt
unable to load certificate
140288394727488:error:0906D06C:PEM routines:PEM_read_bio:no start line:../crypto/pem/pem_lib.c:686:Expecting: TRUSTED CERTIFICATE
r100gs, update ISRG_Root_X1 on your system with these steps.
# wget -O /usr/share/ca-certificates/mozilla/ISRG_Root_X1.crt https://letsencrypt.org/certs/isrgrootx1.pem
# ln -s /usr/share/ca-certificates/mozilla/ISRG_Root_X1.crt /etc/ssl/certs/ISRG_Root_X1.pem
# update-ca-certificates
If wget returns a download error, download the LE root certificate to a trusted computer and then transfer the file to the server or use --no-check-certificate like so (with caution as discussed above).
# wget --no-check-certificate -O /usr/share/ca-certificates/mozilla/ISRG_Root_X1.crt https://letsencrypt.org/certs/isrgrootx1.pem
finaly
update-ca-certificates --fresh
did the trick for my system too!
So everything is fine atm.
THX @dejavu for your patience!
Best regards,
Stefan
Glad it worked for you!
B)
ok, now the error in univention system diagnostic is gone, but on my android phone and iphone I still can´t access my nextcloud without certificate error.
On android its possible to accept the certificate, but on iphone its not
You just solved my problem. Thanks a lot.
This SSL issue is rather pesky, isn’t it? And many folks have their own flavor of it. What does https://www.ssllabs.com/ssltest/ have to say about your server FQDN?
r100gs, are the UCR variables you posted earlier still the same? I’m assuming that letsencrypt/domains is not blank, but your FQDN.
apache2/ssl/certificate /etc/univention/letsencrypt/signed_chain.crt
apache2/ssl/certificatechain /etc/univention/letsencrypt/intermediate.pem
apache2/ssl/key /etc/univention/letsencrypt/domain.key
appcenter/apps/letsencrypt/status installed
appcenter/apps/letsencrypt/ucs 4.4
appcenter/apps/letsencrypt/version 1.2.2-16
kopano/cfg/ical/ssl_certificate_file /etc/univention/letsencrypt/intermediate.pem
kopano/cfg/ical/ssl_private_key_file /etc/univention/letsencrypt/domain.key
letsencrypt/domains ......................................
letsencrypt/services/apache2 true
letsencrypt/services/dovecot false
letsencrypt/services/postfix true
letsencrypt/staging false
letsencrypt/status Certificate refreshed at Do 28. Jan 18:57:23 CET 2021
letsencrypt/v2migrated true
mail/postfix/ssl/cafile
Is /etc/univention/letsencrypt/intermediate.pem valid?
# openssl verify /etc/univention/letsencrypt/intermediate.pem
# openssl x509 -noout -in /etc/univention/letsencrypt/intermediate.pem -issuer -dates -fingerprint -subject
No, its not valid
openssl verify /etc/univention/letsencrypt/intermediate.pem
C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
error 20 at 0 depth lookup: unable to get local issuer certificate
error /etc/univention/letsencrypt/intermediate.pem: verification failed
openssl x509 -noout -in /etc/univention/letsencrypt/intermediate.pem -issuer -dates -fingerprint -subject
issuer=O = Digital Signature Trust Co., CN = DST Root CA X3
notBefore=Mar 17 16:40:46 2016 GMT
notAfter=Mar 17 16:40:46 2021 GMT
SHA1 Fingerprint=E6:A3:B4:5B:06:2D:50:9B:33:82:28:2D:19:6E:FE:97:D5:95:6C:CB
subject=C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
Outdated since last March