Update issues: https://appcenter.software-univention.de. ([SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1066))

Hi - today I updated my last UCS system (UCS4) to the latest version (5.0-9 errata1188).

Setup is as follow:

  • UCS 1 (Primary Domain Node)
  • UCS 2 (Backup Domain Node)
  • UCS 3 (UCS Mail Server)
  • UCS 4 (EGroupware)

System check looks good:
(screenshot)

One update for EGroupware is available:
(screenshot)

So I started the update as normal:
(screenshot)

The following error comes up:
(screenshot)

Reboot didn't fix it.

I searched the forum, but could only find very old information, not directly related to my issue.

In one post it was asked to provide the output of the following command:

curl -v https://appcenter.software-univention.de/meta-inf/categories.ini > /dev/null

Result is as follows:

root@vmucs506-rd4:~# curl -v https://appcenter.software-univention.de/meta-inf/categories.ini > /dev/null
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0* Trying 95.216.19.45...
* TCP_NODELAY set
* Connected to appcenter.software-univention.de (95.216.19.45) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [122 bytes data]
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
{ [10 bytes data]
* TLSv1.3 (IN), TLS handshake, Certificate (11):
{ [1248 bytes data]
* TLSv1.3 (OUT), TLS alert, unknown CA (560):
} [2 bytes data]
* SSL certificate problem: unable to get local issuer certificate
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: curl - SSL CA Certificates

The installation is basic/standard - no additional software is installed on the server.

Any help is more than welcome

Pepe

Hi Pepe,

you chose the wrong category: EGroupware can't help fixing Univention's App Center server, and Univention is probably not looking at the EGroupware category …

Ralf

Thanks - from my point of view I cannot tell whether this is an EGroupware issue or UCS related. All UCS updates worked fine - just this one. But I changed the headline a bit so it is more open :wink:

Hi - does anyone have any idea - maybe someone from the UCS team?
@UniventionBlog

Hello @Pepe,

thanks for bringing this issue to our attention :slight_smile:

Looking at the infrastructure, I unfortunately cannot recreate your issue and the wildcard certificate (also) installed at appcenter.software-univention.de is valid until November 2025:

Certificate chain
 0 s:CN=*.software-univention.de
   i:C=US, O=DigiCert Inc, OU=www.digicert.com, CN=Thawte TLS RSA CA G1
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: Oct  8 00:00:00 2024 GMT; NotAfter: Nov  8 23:59:59 2025 GMT
 1 s:C=US, O=DigiCert Inc, OU=www.digicert.com, CN=Thawte TLS RSA CA G1
   i:C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root G2
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Nov  2 12:24:25 2017 GMT; NotAfter: Nov  2 12:24:25 2027 GMT
 2 s:C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root G2
   i:C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root G2
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Aug  1 12:00:00 2013 GMT; NotAfter: Jan 15 12:00:00 2038 GMT

Running your curl command shows no problem on my side as well:

~ 20s ❯ curl -v https://appcenter.software-univention.de/meta-inf/categories.ini > /dev/null
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0* Host appcenter.software-univention.de:443 was resolved.
* IPv6: 2a01:4f9:2a:1367::2
* IPv4: 95.216.19.45
*   Trying [2a01:4f9:2a:1367::2]:443...
* Immediate connect fail for 2a01:4f9:2a:1367::2: Network is unreachable
*   Trying 95.216.19.45:443...
* ALPN: curl offers h2,http/1.1
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: none
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [122 bytes data]
* TLSv1.3 (IN), TLS change cipher, Change cipher spec (1):
{ [1 bytes data]
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
{ [25 bytes data]
* TLSv1.3 (IN), TLS handshake, Certificate (11):
{ [3960 bytes data]
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
{ [520 bytes data]
* TLSv1.3 (IN), TLS handshake, Finished (20):
{ [52 bytes data]
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
* TLSv1.3 (OUT), TLS handshake, Finished (20):
} [52 bytes data]
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / x25519 / RSASSA-PSS
* ALPN: server accepted http/1.1
* Server certificate:
*  subject: CN=*.software-univention.de
*  start date: Oct  8 00:00:00 2024 GMT
*  expire date: Nov  8 23:59:59 2025 GMT
*  subjectAltName: host "appcenter.software-univention.de" matched cert's "*.software-univention.de"
*  issuer: C=US; O=DigiCert Inc; OU=www.digicert.com; CN=Thawte TLS RSA CA G1
*  SSL certificate verify ok.
*   Certificate level 0: Public key type RSA (4096/152 Bits/secBits), signed using sha256WithRSAEncryption
*   Certificate level 1: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
*   Certificate level 2: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
* Connected to appcenter.software-univention.de (95.216.19.45) port 443
* using HTTP/1.x
} [5 bytes data]
> GET /meta-inf/categories.ini HTTP/1.1
> Host: appcenter.software-univention.de
> User-Agent: curl/8.11.1
> Accept: */*
> 
* Request completely sent off
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
{ [297 bytes data]
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
{ [297 bytes data]
< HTTP/1.1 200 OK
< Date: Mon, 23 Dec 2024 15:06:24 GMT
< Server: Apache/2.4.62 (Debian)
< Last-Modified: Thu, 31 May 2018 09:04:45 GMT
< ETag: "181-56d7cc235338a"
< Accept-Ranges: bytes
< Content-Length: 385
< 
{ [385 bytes data]
100   385  100   385    0     0   3757      0 --:--:-- --:--:-- --:--:--  377

On the webserver we installed and provide a bundle-certificate, containing the chain *.software-univention.de → DigiCert intermediate certificate → DigiCert root certificate.

Can you reach the download server itself with the following command?

curl -v https://download.software-univention.de/ucs-releases.json

Cheers
Timo


Thank you Timo - now it is working :wink:

"download.software-univention.de" was not allowed on the firewall. And I noticed that "docker.software-univention.de" should be open as well.

Are there any other mandatory URLs that should stay open on the firewall?

Merry Christmas
Pepe
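An added diagnostic (not from this thread, and not Univention's own tooling) that separates the two failure modes the thread ran into: a firewall dropping or rejecting port 443, where no TLS handshake happens at all, versus a handshake that reaches the server's Certificate message but fails chain validation with `unable to get local issuer certificate`, as in the first post. It probes the three hosts named in the thread against the system CA store (the host list is taken from the posts and is assumed, not an official requirement list) and reports the leaf certificate's subject and issuer, so the certificate actually presented can be compared with the chain Timo posted (CN=*.software-univention.de issued by Thawte TLS RSA CA G1).

```python
"""Probe TLS reachability and chain validation for the Univention hosts named in this thread."""
import socket
import ssl

# Hosts mentioned in the thread (constructed list, not Univention's official firewall list).
HOSTS = [
    "appcenter.software-univention.de",
    "download.software-univention.de",
    "docker.software-univention.de",
]

def classify(exc: BaseException) -> str:
    """Turn a probe exception into a diagnosis that points at the firewall or at PKI trust."""
    if isinstance(exc, ssl.SSLCertVerificationError):
        # The handshake reached the server's Certificate message, but the chain did not
        # validate against the local trust store (curl exit code 60, as in the first post).
        return "cert-verify-failed: " + getattr(exc, "verify_message", str(exc))
    if isinstance(exc, ssl.SSLError):
        return "tls-error: " + str(exc)
    if isinstance(exc, (TimeoutError, socket.timeout, ConnectionRefusedError)):
        # No TLS at all: port 443 is dropped or rejected, the typical firewall symptom.
        return "network-blocked: " + type(exc).__name__
    if isinstance(exc, socket.gaierror):
        return "dns-failed: " + str(exc)
    if isinstance(exc, OSError):
        return "network-error: " + str(exc)
    return "unexpected: " + repr(exc)

def probe(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Connect, validate the chain with the system CA store, and report the leaf certificate."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED plus hostname check, like curl's default
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()  # only populated after successful verification
                return {
                    "host": host,
                    "status": "ok",
                    "subject": dict(rdn[0] for rdn in cert["subject"]),
                    "issuer": dict(rdn[0] for rdn in cert["issuer"]),
                    "notAfter": cert["notAfter"],
                }
    except Exception as exc:  # every failure becomes a diagnosis instead of a traceback
        return {"host": host, "status": classify(exc)}

if __name__ == "__main__":
    for h in HOSTS:
        print(probe(h))
```

A "network-blocked" result for one host next to "ok" for the others points at the firewall rule, while "cert-verify-failed" with an unexpected issuer means something other than the DigiCert chain is being presented to that client.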
