Warning letsencrypt/signed_chain.crt will expire in 49 days

Hi all,

Since today I'm getting this warning when I run UCS System diagnostic:


I'm not sure how to get it fixed; the embedded link to the support database was not really helpful for me.
Does it make sense to rerun "/etc/univention/letsencrypt/post-refresh.d"?

Please open the Let’s Encrypt app in Univention App Center and select the app settings. There should be a Status section that shows the timestamp of the last certificate refresh and if there were errors.

Thank you for having a look and your reply!

There is no such status section under app settings, but based on your hint I have checked the letsencrypt log file and indeed there were some errors:

Getting directory...
Traceback (most recent call last):
  File "/usr/share/univention-letsencrypt/acme_tiny.py", line 197, in <module>
  File "/usr/share/univention-letsencrypt/acme_tiny.py", line 193, in main
    signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca, disable_check=args.disable_check, directory_url=args.directory_url, contact=args.contact)
  File "/usr/share/univention-letsencrypt/acme_tiny.py", line 105, in get_crt
    directory, _, _ = _do_request(directory_url, err_msg="Error getting directory")
  File "/usr/share/univention-letsencrypt/acme_tiny.py", line 45, in _do_request
    raise ValueError("{0}:\nUrl: {1}\nData: {2}\nResponse Code: {3}\nResponse: {4}".format(err_msg, url, data, code, resp_data))
ValueError: Error getting directory:
Url: https://acme-v02.api.letsencrypt.org/directory
Data: None

Rerunning this script “./refresh-cert-cron in /usr/share/univention-letsencrypt” fixed it and everything is back to normal.

The section I meant is this one:

But great, that the problem is fixed now.

Still … there is no such section :slight_smile:


Guess you are on a higher UCS version already (mine is 4.4-3 errata438).

The Domains field is empty → your app is not configured. Please add the fully qualified domain names and press the button Änderungen anwenden.

All necessary steps are listed on the screen before (before opening the app settings). In your case, at least step 2 is not done yet:

  1. Open the app settings. Configure the desired domain(s) and services and click “Änderungen anwenden” (Apply changes). About 10 seconds later, you can use the “Status” field in the app settings to check whether the certificate was configured successfully.

Please keep in mind that Let’s Encrypt itself (not the app!) only allows a small number of certificate requests per week! Do not change the values too often or press Änderungen anwenden too often, otherwise you have to wait up to 7 days for your next attempt.

The Domains field is of course not empty, I just removed the data (without saving the changes) before the screenshot was taken, in order to keep my domain information secret :wink:
But as stated before … everything is back to normal. Thx for your support!

I’ve been getting the exact same message in the system diagnostics since yesterday.

However, I do not use the UCS app for LE but acme on the pfSense. This automatically renews the certificates and distributes them to all UCS hosts.

Of course it does not renew the certificates 49 days before they expire.

It would be nice if you can set the time period for the warning in UCS.