Univention Letsencrypt Nextcloud and bitwarden_rs certificate problem

Hello,

Nextcloud and Bitwarden_rs complain about a certificate failure.
I searched around a little bit and some people say I should use a fullchain.pem.

But in /etc/univention/letsencrypt there is no such file.

Where can I get it from?

Best regards,
Stefan

What certificate files do you find in /etc/univention/letsencrypt?

account.key                  intermediate-r3.pem               signed_chain.crt_20190301-051508  signed_chain.crt_20191101-033029  signed_chain.crt_20210128-074219
chained.pem                  post-refresh.d                    signed_chain.crt_20190401-033017  signed_chain.crt_20191201-033025  signed_chain.crt_20210128-074851
chained.pem_20180114-202406  setup.d                           signed_chain.crt_20190508-091814  signed_chain.crt_20200111-190903  signed_chain.crt_20210128-183051
chained.pem_20180114-202650  signed_chain.crt                  signed_chain.crt_20190601-033024  signed_chain.crt_20200111-191127  signed_chain.crt_20210128-185723
chained.pem_20180114-202710  signed_chain.crt_20180602-124740  signed_chain.crt_20190701-033020  signed_chain.crt_20200201-033035  signed_chain.crt_20210201-033057
chained.pem_20180201-033016  signed_chain.crt_20180602-124755  signed_chain.crt_20190701-150328  signed_chain.crt_20200301-033046  signed.crt
chained.pem_20180401-033107  signed_chain.crt_20180619-093153  signed_chain.crt_20190701-150646  signed_chain.crt_20200327-202808  signed.crt_20180114-202406
chained.pem_20180404-160915  signed_chain.crt_20180701-033012  signed_chain.crt_20190701-150707  signed_chain.crt_20200401-033045  signed.crt_20180114-202650
chained.pem_20180501-033020  signed_chain.crt_20180801-033021  signed_chain.crt_20190701-215807  signed_chain.crt_20200501-033027  signed.crt_20180114-202710
chained.pem_20180601-033017  signed_chain.crt_20180901-033018  signed_chain.crt_20190701-223638  signed_chain.crt_20200601-033030  signed.crt_20180201-033016
domain.csr                   signed_chain.crt_20181001-033018  signed_chain.crt_20190701-233013  signed_chain.crt_20200701-033027  signed.crt_20180401-033107
domain.key                   signed_chain.crt_20181101-033015  signed_chain.crt_20190801-033023  signed_chain.crt_20200801-033034  signed.crt_20180404-160915
domains                      signed_chain.crt_20181201-033016  signed_chain.crt_20190901-033022  signed_chain.crt_20200925-063900  signed.crt_20180501-033020
intermediate.pem             signed_chain.crt_20190301-051452  signed_chain.crt_20191001-033050  signed_chain.crt_20201101-033034  signed.crt_20180601-033017

The fullchain.pem is needed on other systems.

On UCS you need

        SSLCertificateFile /etc/univention/letsencrypt/signed_chain.crt
        SSLCertificateKeyFile /etc/univention/letsencrypt/domain.key
        SSLCACertificateFile /etc/univention/ssl/ucsCA/CAcert.pem
        SSLCertificateChainFile /etc/univention/letsencrypt/signed_chain.crt

I did not update the Letsencrypt app to the latest version. A few weeks ago I had a different setup:

...
SSLCertificateChainFile /etc/univention/letsencrypt/intermediate.pem

but this led to a warning message starting this year.

OK, I get an error using Nextcloud all the time. There is some problem with my certificate in Nextcloud.
Before, everything was working fine.

Since 2017 everything was working perfectly, but now, with this weird certificate issue, it's almost useless to me.

What does System-diagnosis tell about the certificates?
(Univention UI - System - System-diagnosis)
Is the certificate in your Univention UI ok?
Is the certificate in your Nextcloud app the same as on your Univention UI?
Are the certificates in your apps from the same issuer?
Did you check the apache logs for error messages?
Are the univention registry variables set as I wrote above?

Systemdiagnose:
image

certificate in browser is ok

For nextcloud I think so, I have installed it via app in univention

apache2/ssl/certificate	/etc/univention/letsencrypt/signed_chain.crt
apache2/ssl/certificatechain	/etc/univention/letsencrypt/intermediate.pem
apache2/ssl/key	/etc/univention/letsencrypt/domain.key
appcenter/apps/letsencrypt/status	installed
appcenter/apps/letsencrypt/ucs	4.4
appcenter/apps/letsencrypt/version	1.2.2-16
appcenter/prudence/docker/letsencrypt	yes
kopano/cfg/ical/ssl_certificate_file	/etc/univention/letsencrypt/intermediate.pem
kopano/cfg/ical/ssl_private_key_file	/etc/univention/letsencrypt/domain.key
letsencrypt/domains	**********
letsencrypt/services/apache2	true
letsencrypt/services/dovecot	false
letsencrypt/services/postfix	true
letsencrypt/staging	false
letsencrypt/status	Certificate refreshed at Mo 1. Feb 03:30:57 CET 2021
letsencrypt/v2migrated	true
mail/postfix/ssl/cafile	/etc/univention/letsencrypt/signed_chain.crt
mail/postfix/ssl/certificate	/etc/univention/letsencrypt/signed_chain.crt
mail/postfix/ssl/key	/etc/univention/letsencrypt/domain.key
repository/online/component/letsencrypt_20210118111509	enabled
repository/online/component/letsencrypt_20210118111509/description	Let's Encrypt
repository/online/component/letsencrypt_20210118111509/localmirror	false
repository/online/component/letsencrypt_20210118111509/server	https://appcenter.software-univention.de
repository/online/component/letsencrypt_20210118111509/version	current

Looks good.

But what exactly is the error message in Nextcloud?
Do you get shown the correct certificate after clicking the lock symbol in the browser’s address bar and “View details”?

My problem is with the Nextcloud app on Android. It always tells me to check the certificate.
The next problem is with my homeassistant installation, which checks the Nextcloud CalDAV calendar.
Phonetrack (an Android logging app based on the Nextcloud server) has a problem with the certificate.
bitwarden_rs is not working anymore because of the certificate issue (in the bitwarden forums I found the solution with fullchain.pem).
It's not working anymore, which was fine since 2019. Now I always get a certificate error.
Nextcloud in the browser is fine.

If I test the certificate with ssllabs.com I get a chain issue:



Additional Certificates (if supplied)
Certificates provided	2 (2828 bytes)
Chain issues	Incomplete, Extra certs

The problem is that an old intermediate certificate is used if you have had the Let's Encrypt app installed for quite a while. After changing apache2/ssl/certificatechain from /etc/univention/letsencrypt/intermediate.pem to /etc/univention/letsencrypt/intermediate-r3.pem, curl is happy again and the bitwarden cli works as well.

(In case of my bitwarden_rs project you need to rerun start-bitwarden_rs.sh after correcting the ucr variable)
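The stale-intermediate condition described above can be confirmed before changing any variable by asking OpenSSL which candidate chain file actually signed the server certificate. This is an added example, not part of the original thread or of the Let's Encrypt app; the function names are hypothetical, and the certificates are throwaway stand-ins generated in a temp directory under the same file names the thread uses.

```shell
#!/bin/sh
# Added example: find which candidate chain file actually issued a leaf cert.

# chain_signs_leaf CHAIN LEAF -> 0 only if a certificate in CHAIN signed LEAF.
# -partial_chain lets a non-root intermediate act as the trust anchor here.
chain_signs_leaf() {
    openssl verify -partial_chain -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# pick_chain LEAF CANDIDATE... -> prints the first candidate that signed LEAF.
pick_chain() {
    leaf=$1; shift
    for cand in "$@"; do
        if chain_signs_leaf "$cand" "$leaf"; then
            printf '%s\n' "$cand"; return 0
        fi
    done
    return 1
}

# make_demo_pki DIR -> constructed sample data, not real Let's Encrypt material:
# two throwaway CAs stand in for the old and the new intermediate, and the
# leaf is issued by the new one while intermediate.pem still holds the old one.
make_demo_pki() {
    cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = unused
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    for ca in intermediate intermediate-r3; do
        openssl req -x509 -newkey rsa:2048 -nodes -config "$1/ca.cnf" \
            -subj "/CN=Demo $ca" -days 2 \
            -keyout "$1/$ca.key" -out "$1/$ca.pem" 2>/dev/null
    done
    openssl req -new -newkey rsa:2048 -nodes -config "$1/ca.cnf" \
        -subj "/CN=ucs.example.test" \
        -keyout "$1/domain.key" -out "$1/domain.csr" 2>/dev/null
    openssl x509 -req -in "$1/domain.csr" -days 2 -CAcreateserial \
        -CA "$1/intermediate-r3.pem" -CAkey "$1/intermediate-r3.key" \
        -out "$1/signed.crt" 2>/dev/null
}

demo_dir=$(mktemp -d)
make_demo_pki "$demo_dir"
pick_chain "$demo_dir/signed.crt" "$demo_dir/intermediate.pem" "$demo_dir/intermediate-r3.pem"
```

On the UCS host itself, the same `pick_chain` call can be pointed at `/etc/univention/letsencrypt/signed.crt` with `intermediate.pem` and `intermediate-r3.pem` from that directory as candidates.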

Hello fbartels!

THX, you made my day!
Everything is fine again!
