Ucs join fails at 92univention-management-console-web-server.inst


I will substantially rewrite this question in the hope of getting some help.
Also, I have reinstalled many times so some of the original post is no longer relevant.

I have a slave server installed on Amazon ec2 using the 4.3 Amazon univention image.
It is connected to the office domain by VPN.
I installed it without join or update as it was necessary to get the DNS sorted out before join and update could work. Now the univention DC Master is the primary DNS and the Amazon DNS is secondary.

I can successfully run every join script except 92univention-management-console-web-server.inst.
I also cannot upgrade as the apt-sources entries are missing.

The error from the log is:

Could not download IDP metadata for https://ucs-sso.enviro.intranet/simplesamlphp/saml2/idp/metadata.php
'NoneType' object has no attribute 'find'
Unsetting umc/saml/idp-server
Module: setup_saml_sp

The results of curl seem to be a good clue:

On a GOOD machine I get:

> root@ESS8:/home/talcom# curl http://ucs-sso.enviro.intranet/simplesamlphp/saml2/idp/metadata.php
> <?xml version="1.0"?>
> <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://ucs-sso.enviro.intranet/simplesamlphp/saml2/idp/metadata.php">
>   <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
>     <md:KeyDescriptor use="signing">
>       <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>         <ds:X509Data>
>           <ds:X509Certificate>XIIFcD.... etc.

Whereas on the broken server:

root@essn:~# curl http://ucs-sso.enviro.intranet/simplesamlphp/saml2/idp/metadata.php
<title>404 Not Found</title>
<h1>Not Found</h1>
<p>The requested URL /simplesamlphp/saml2/idp/metadata.php was not found on this server.</p>
<address>Apache/2.4.25 (Univention) Server at ucs-sso.enviro.intranet Port 80</address>

Both good and bad servers give the same output for the DNS query ‘dig ucs-sso.enviro.intranet’

The System Diagnostics show a bad SSL certificate error

Found invalid certificate '/tmp/tmp6lktDH':
error /tmp/tmp6lktDH: verification failed

However I can not find the tmp6lktDH file on the system.
The Diagnostics recommended replacing all the certificates, so I did this:
Renewing the SSL certificates

The server is the current Amazon 4.3 image and the DC master is 4.3-1 errata157


The output of various commands on the problem server.

root@essn:~# dig ucs-sso.enviro.intranet

; <<>> DiG 9.10.3-P4-Univention <<>> ucs-sso.enviro.intranet
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2530
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 8, ADDITIONAL: 9

; EDNS: version: 0, flags:; udp: 4096
;ucs-sso.enviro.intranet.       IN      A

ucs-sso.enviro.intranet. 900    IN      A
ucs-sso.enviro.intranet. 900    IN      A
ucs-sso.enviro.intranet. 900    IN      A

enviro.intranet.        900     IN      NS      essn.enviro.intranet.
enviro.intranet.        900     IN      NS      ESS2.enviro.intranet.
enviro.intranet.        900     IN      NS      ESS5.enviro.intranet.
enviro.intranet.        900     IN      NS      Deimos.enviro.intranet.
enviro.intranet.        900     IN      NS      ESS8.enviro.intranet.
enviro.intranet.        900     IN      NS      phobos.enviro.intranet.
enviro.intranet.        900     IN      NS      ESS3.enviro.intranet.
enviro.intranet.        900     IN      NS      ESS4.enviro.intranet.

phobos.enviro.intranet. 900     IN      A
Deimos.enviro.intranet. 900     IN      A
ESS2.enviro.intranet.   900     IN      A
ESS3.enviro.intranet.   900     IN      A
ESS4.enviro.intranet.   900     IN      A
ESS5.enviro.intranet.   900     IN      A
ESS8.enviro.intranet.   900     IN      A
essn.enviro.intranet.   900     IN      A

;; Query time: 24 msec
;; WHEN: Fri Aug 03 11:40:32 AEST 2018
;; MSG SIZE  rcvd: 384

root@essn:~# cat /etc/resolv.conf
# Warning: This file is auto-generated and might be overwritten by
#          univention-config-registry.
#          Please edit the following file(s) instead:
# Warnung: Diese Datei wurde automatisch generiert und kann durch
#          univention-config-registry ueberschrieben werden.
#          Bitte bearbeiten Sie an Stelle dessen die folgende(n) Datei(en):
#       /etc/univention/templates/files/etc/resolv.conf

domain  enviro.intranet
nameserver  #THIS IS THE DC MASTER
options timeout:2

root@essn:~# univention-ldapsearch relativeDomainName=ucs-sso
# extended LDIF
# LDAPv3
# base <dc=enviro,dc=intranet> (default) with scope subtree
# filter: relativeDomainName=ucs-sso
# requesting: ALL

# ucs-sso, enviro.intranet, dns, enviro.intranet
dn: relativeDomainName=ucs-sso,zoneName=enviro.intranet,cn=dns,dc=enviro,dc=in
objectClass: dNSZone
objectClass: top
objectClass: univentionObject
univentionObjectType: dns/host_record
dNSTTL: 80600
relativeDomainName: ucs-sso
zoneName: enviro.intranet

# search result
search: 3
result: 0 Success

# numResponses: 2
# numEntries: 1
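The join script fails because the metadata download does not yield parseable SAML metadata, and the 404 page seen with curl is then handed to code expecting XML. The following is an added pre-join check (my own example, not UCS code) that fetches the IdP metadata the way the join script does (over HTTPS with certificate verification) and tells apart an HTTP error, a TLS verification failure, a non-XML body and metadata without a signing certificate; the hostname and certificate in the sample bodies are constructed placeholders.

```python
# Added example (not UCS code): pre-check the SAML IdP metadata endpoint that
# the 92univention-management-console-web-server.inst join script downloads.
import ssl
import sys
import xml.etree.ElementTree as ET
from urllib.error import HTTPError, URLError
from urllib.request import urlopen

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def inspect_metadata(body):
    """Classify a metadata response body as (status, detail).

    'ok' / 'no-signing-cert' carry the entityID, 'not-xml' the parser message.
    An Apache 404 page is the 'not-xml' case: a parser that yields None for it
    is what the join log reports as "'NoneType' object has no attribute 'find'".
    """
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        return "not-xml", str(exc)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        return "not-xml", "unexpected root element %s" % root.tag
    certs = []
    for kd in root.iterfind("md:IDPSSODescriptor/md:KeyDescriptor", NS):
        # A KeyDescriptor without a 'use' attribute serves signing and encryption.
        if kd.get("use", "signing") == "signing":
            certs += [(c.text or "").strip() for c in kd.iterfind(".//ds:X509Certificate", NS)]
    if not any(certs):
        return "no-signing-cert", root.get("entityID")
    return "ok", root.get("entityID")

def fetch_and_inspect(url):
    """Fetch over HTTPS with certificate verification, as the join script does."""
    try:
        with urlopen(url, timeout=10) as resp:
            return inspect_metadata(resp.read())
    except HTTPError as exc:   # e.g. the 404 seen with curl on the broken server
        return "http-error", "%d %s" % (exc.code, exc.reason)
    except URLError as exc:    # TLS verification failure or no route to the host
        kind = "tls-error" if isinstance(exc.reason, ssl.SSLError) else "connection-error"
        return kind, str(exc.reason)

# Constructed sample bodies (placeholder hostname and certificate, not the poster's).
GOOD_METADATA = b"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://ucs-sso.example.test/simplesamlphp/saml2/idp/metadata.php">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIFcDPLACEHOLDER</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""
NOT_FOUND_HTML = b"<title>404 Not Found</title>\n<h1>Not Found</h1>\n<p>The requested URL was not found on this server.</p>"

if __name__ == "__main__":
    print(fetch_and_inspect(sys.argv[1]))  # usage: python3 check_idp.py https://<sso-host>/simplesamlphp/saml2/idp/metadata.php
```

Run it on the slave with the ucs-sso URL from the join log: an "http-error 404" result points at the vhost/alias on the server answering for ucs-sso rather than at DNS, while "tls-error" points at the certificate problem the System Diagnostics reported.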