Warning letsencrypt/signed_chain.crt will expire in 49 days

tpfann · February 10, 2020, 8:43am

Hi all,

since today im getting this warning when I run UCS System diagnostic:

letsencrypt-signed_chain

Im not sure how to get it fixed, the embedded link to the support database was not really helpful for me.
Does it make sense to rerun " /etc/univention/letsencrypt/post-refresh.d"?

Schwardt · February 11, 2020, 9:25am

Please open the let’s encrypt app in Univention App Center and select the app settings. There should be a Status section that shown the timestamp of the last certificate refresh and if there were errors.

tpfann · February 11, 2020, 10:06am

Hi,
thank you for having a look and your reply!

There is no such status section under app settings, but based on your hint I have checked the letsencrypt log file and indeed there where some errors:

Getting directory...
Traceback (most recent call last):
  File "/usr/share/univention-letsencrypt/acme_tiny.py", line 197, in <module>
    main(sys.argv[1:])
  File "/usr/share/univention-letsencrypt/acme_tiny.py", line 193, in main
    signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca, disable_check=args.disable_check, directory_url=args.directory_url, contact=args.contact)
  File "/usr/share/univention-letsencrypt/acme_tiny.py", line 105, in get_crt
    directory, _, _ = _do_request(directory_url, err_msg="Error getting directory")
  File "/usr/share/univention-letsencrypt/acme_tiny.py", line 45, in _do_request
    raise ValueError("{0}:\nUrl: {1}\nData: {2}\nResponse Code: {3}\nResponse: {4}".format(err_msg, url, data, code, resp_data))
ValueError: Error getting directory:
Url: https://acme-v02.api.letsencrypt.org/directory
Data: None

Reruning this script “./refresh-cert-cron in /usr/share/univention-letsencrypt” fixed it and everything is back to normal.

Schwardt · February 11, 2020, 10:33am

The section i meant, is this one:
Peek%202020-02-11%2011-29-Appcenter-letsencrypt-appsettings-status

But great, that the problem is fixed now.

tpfann · February 11, 2020, 11:04am

Still … there is no such section

letsencrypt

Guess you are on a higher UCS version already (mine is 4.4-3 errata438).

Schwardt · February 11, 2020, 11:25am

The Domainsfield is empty → your app is not configured. Please add the fully qualified domain names and press the button Änderungen anwenden.

All neccessary steps are listed on the screen before (before opening the app settings). In your case, at least step 2 is not done yet:

Öffnen Sie die App-Einstellungen. Konfigurieren Sie die gewünschte(n) Domäne(n) und Dienste und klicken Sie auf “Änderungen anwenden”. Mit dem “Status”-Feld in den App-Einstellungen können Sie ca. 10 Sekunden später überprüfen, ob das Zertifikat erfolgreich konfiguriert wurde.

Please keep in mind, that let’s encrypt itself (not the app!) only allows a small amount of certificate requests per week! Do not change the values too often or press Änderungen anwenden too often, otherwise you have to wait up to 7 days for your next attempt.

tpfann · February 11, 2020, 11:40am

Domainsfield is of course not empty, I just removed the data (without saving the changes) before the screenshot was taken - in order to keep my Domain informations secret
But as stated before … everything is back to normal. Thx for your support!

pixel · July 1, 2023, 1:07pm

I’ve been getting the exact same message in the system diagnostics since yesterday.

However, I do not use the UCS app for LE but acme on the pfSense. This automatically renews the certificates and distributes them to all UCS hosts.

Of course it does not renew the certificates 49 days before they expire.

It would be nice if you can set the time period for the warning in UCS.