UCS 4.2 Letsencrypt App Bug(s)

Hi,

I switched from Zentyal to UCS 4.2 on my server (DC Master, Webserver, Mailserver) a few months ago. I use the UCS Letsencrypt App from App Center. It sets up Apache, Postfix and Dovecot with the Letsencrypt certificate.

However, it has now happened twice during an update of the Letsencrypt app that it resets the registry values which configure the key and certificate files for Apache to the UCS defaults. I then need to run the following commands to reset the Apache configuration to use the Letsencrypt certificate:

ucr set apache2/ssl/certificatechain="/etc/univention/letsencrypt/intermediate.pem" apache2/ssl/certificate="/etc/univention/letsencrypt/signed.crt" apache2/ssl/key="/etc/univention/letsencrypt/domain.key"
service apache2 restart

The update was executed via the Univention Management Console.

Another issue related to Letsencrypt is the message under System Diagnostics in the Univention Management Console:

Kritisch: Überprüfe Gültigkeit der SSL Zertifikate
Ungültiges Zertifikat '/etc/univention/letsencrypt/signed.crt' gefunden:
/etc/univention/letsencrypt/signed.crt: CN = <mydomain>
error 20 at 0 depth lookup:unable to get local issuer certificate

Ungültiges Zertifikat '/etc/univention/letsencrypt/signed.crt' gefunden:
/etc/univention/letsencrypt/signed.crt: CN = <mydomain>
error 20 at 0 depth lookup:unable to get local issuer certificate

However, the SSL certificate is up to date and has been properly updated by the Letsencrypt app.

Thanks for any help.

cu,
Daniel

The issues with System Diagnostics in the Univention Management Console were resolved some months ago. If you update Letsencrypt from the App Center, the stated problem will disappear.

The cause is that the intermediate Letsencrypt certificate is missing from the trusted certificates on your system. So if you can't update the app, you could resolve the issue manually:

ln -s /etc/univention/letsencrypt/intermediate.pem /usr/local/share/ca-certificates/lets-encrypt.crt
update-ca-certificates
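The error 20 result discussed in this thread can be reproduced offline. The script below is an added example, not part of either post or of the Letsencrypt app: it builds a throwaway root, intermediate and leaf with openssl and verifies the leaf with and without the intermediate. The helper names `make_pki` and `chain_status` and the certificate subjects are assumptions for illustration; only the file names `intermediate.pem` and `signed.crt` come from the thread.

```shell
#!/bin/sh
# Added example; the PKI built here is constructed test data, not Let's Encrypt material.

# make_pki DIR: create root CA -> intermediate CA -> leaf certificate in DIR,
# reusing the file names from the thread (intermediate.pem, signed.crt).
make_pki() {
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$d/ca.ext"
    for n in root int leaf; do
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=constructed-$n" \
            -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null || return 1
    done
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
        -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null &&
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 2 -extfile "$d/ca.ext" -out "$d/intermediate.pem" 2>/dev/null &&
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/intermediate.pem" -CAkey "$d/int.key" \
        -CAcreateserial -days 2 -out "$d/signed.crt" 2>/dev/null
}

# chain_status LEAF ROOT [INTERMEDIATE]: print "ok", "missing-issuer" (error 20)
# or "other". ROOT is the trust anchor; INTERMEDIATE is only offered as a chain
# building block (-untrusted). The output is parsed instead of the exit code
# because old OpenSSL releases exit 0 even when verification fails.
chain_status() {
    if [ -n "${3:-}" ]; then
        out=$(openssl verify -CAfile "$2" -untrusted "$3" "$1" 2>&1) || true
    else
        out=$(openssl verify -CAfile "$2" "$1" 2>&1) || true
    fi
    case $out in
        *"error 20 at"*) echo missing-issuer ;;
        *": OK"*)        echo ok ;;
        *)               echo other ;;
    esac
}

tmp=$(mktemp -d)
make_pki "$tmp"
echo "without intermediate: $(chain_status "$tmp/signed.crt" "$tmp/root.pem")"
echo "with intermediate:    $(chain_status "$tmp/signed.crt" "$tmp/root.pem" "$tmp/intermediate.pem")"
rm -rf "$tmp"
```

A leaf that is valid and current still fails with error 20 whenever the verifier cannot find the certificate that issued it, which is why the diagnostic fires even though renewal worked.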