Univention Bugzilla – Bug 46818
Check if Certificates are Properly Copied
Last modified: 2020-07-29 16:28:02 CEST
During the renewal process for certificates the official SDB#37 states:
---------------------------------
The following command can be used to make the newly created certificate available to all users via the UCS master’s central administration website
cp ucsCA/CAcert.pem /var/www/ucs-root-ca.crt
---------------------------------
Copying the certificate to /var/www is a very important step and not just optional. If the old certificate remains in /var/www it is not possible to install UCS@school on a newly installed and joined UCS-Server. The ucs@school install script will produce an ssl-error if tried. The reason is that the install script assumes it is not joined yet and downloads the above certificate through apache to verify further communication. But if the certificate under /var/www is not valid, any further communication stops.
The system diagnostic should check if the certificate in /var/www is identical to the ones at /etc.
This issue has been filed against UCS 4.2. UCS 4.2 is out of maintenance and many UCS components have changed in later releases. Thus, this issue is now being closed. If this issue still occurs in newer UCS versions, please use "Clone this bug" or reopen it and update the UCS version. In this case please provide detailed information on how this issue is affecting you.
Reopened because this happened again for a customer and it took a lot of time until I came to the root cause. This time the CA certificates on the backup were different. Master was fine. But due to DNS-Round-Robin the backup was asked, which caused an issue.
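One way the requested check could look, as an added example that is not part of the bug report and not Univention's diagnostic code: it compares the certificate served from /var/www with the CA certificate under /etc by DER fingerprint, and would need to run on every server that serves the file, master and backups alike. The /etc/univention/ssl prefix, the function names and the status strings are assumptions made here.

```python
import base64
import hashlib
import re
from pathlib import Path

# /var/www/ucs-root-ca.crt and ucsCA/CAcert.pem are named in the report;
# the /etc/univention/ssl prefix is an assumption of this example.
CA_CERT = Path("/etc/univention/ssl/ucsCA/CAcert.pem")
PUBLISHED = Path("/var/www/ucs-root-ca.crt")

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def fingerprint(pem_text):
    """SHA-256 over the DER bytes of the first certificate in pem_text.

    Hashing the decoded body ignores line endings and any human-readable
    text in front of the PEM block, so only a different certificate
    changes the result. Returns None if no valid block is found.
    """
    match = PEM_RE.search(pem_text)
    if match is None:
        return None
    try:
        der = base64.b64decode("".join(match.group(1).split()), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    return hashlib.sha256(der).hexdigest()


def check_published_ca(ca_path=CA_CERT, published_path=PUBLISHED):
    """Return 'ok', 'mismatch', 'unreadable' or 'unparseable'."""
    try:
        ca = fingerprint(Path(ca_path).read_text(errors="replace"))
        pub = fingerprint(Path(published_path).read_text(errors="replace"))
    except OSError:
        # Missing file or insufficient permissions on either path.
        return "unreadable"
    if ca is None or pub is None:
        return "unparseable"
    # A stale copy in /var/www after a CA renewal shows up as 'mismatch'.
    return "ok" if ca == pub else "mismatch"


if __name__ == "__main__":
    print(check_published_ca())
```
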