Univention Bugzilla – Bug 47375
diagnostic test for SSL certificates fails with Lets Encrypt certs (signed_chain.crt: verification failed)
Last modified: 2018-07-19 16:22:03 CEST
As reported in https://help.univention.com/t/problems-in-systemdiagnose/7106/10, there is a new error in system diagnostics when using Let's Encrypt:

Found invalid certificate '/etc/univention/letsencrypt/signed_chain.crt':
error /etc/univention/letsencrypt/signed_chain.crt: verification failed

Verified using UCS 4.3-1 errata151 + Let's Encrypt 1.2.2-3.

Note: the error message is different to #45702
The error happens because the Let's Encrypt CA isn't in the global CA store of UCS by default. The app adds its CA to the store, but it has to be updated manually afterwards using the following command:

update-ca-certificates

The app used to do this by itself, but it turned out that that doesn't succeed reliably with the App Center open (which is usually the case when installing and configuring the app). Therefore the app's README, which is shown on the app page after the installation, gives a hint to this command.

It's planned to modify the app in such a way that modifying the CA store isn't necessary anymore.
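The condition described in the comment above, reproduced offline as an added example (not part of the bug report or of the app): a certificate verifies only once its issuing CA is in the bundle it is checked against. The CAs, the host name, the file names and the helper names `check_chain` and `make_demo` are all constructed for the demo.

```shell
#!/bin/sh
# Added example; every file name and subject below is constructed.

# check_chain CHAIN BUNDLE: exit 0 if the first certificate in CHAIN verifies
# with BUNDLE as the CA file. The rest of CHAIN is offered as untrusted
# intermediates, which suits a leaf+intermediate file such as signed_chain.crt.
check_chain() {
    openssl verify -CAfile "$2" -untrusted "$1" "$1" >/dev/null 2>&1
}

# make_demo DIR: create a throwaway issuing CA, an unrelated CA and a leaf.
make_demo() {
    d=$1
    for ca in issuer other; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/CN=constructed $ca CA" \
            -keyout "$d/$ca.key" -out "$d/$ca.crt" 2>/dev/null || return 1
    done
    openssl req -newkey rsa:2048 -nodes -subj "/CN=host.example.test" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/leaf.csr" -days 1 -CA "$d/issuer.crt" \
        -CAkey "$d/issuer.key" -CAcreateserial -out "$d/leaf.crt" 2>/dev/null || return 1
    # Bundle before the store is rebuilt: the issuing CA is missing.
    cp "$d/other.crt" "$d/bundle-before.crt"
    # Bundle after the store is rebuilt: the issuing CA has been merged in.
    cat "$d/other.crt" "$d/issuer.crt" > "$d/bundle-after.crt"
}

demo=$(mktemp -d)
make_demo "$demo" || { echo "openssl setup failed" >&2; exit 1; }
for b in before after; do
    if check_chain "$demo/leaf.crt" "$demo/bundle-$b.crt"; then
        echo "bundle-$b: OK"
    else
        echo "bundle-$b: verification failed"
    fi
done
```

On a real host the same function can be pointed at `/etc/univention/letsencrypt/signed_chain.crt` and at `/etc/ssl/certs/ca-certificates.crt`, assuming UCS keeps the Debian default bundle path that `update-ca-certificates` regenerates.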
Ok, if there would be a status "WORKSFORME" in this bugtracker I would choose it now. I am unsure if "RESOLVED" is the way to go.

However, I would suggest enhancing the app's README so that it is clearer that omitting the "update-ca-certificates" would cause the error message. I guess that the relation between curl and system diags is not evident for most users.
(In reply to Dirk Ahrnke from comment #2)
> Ok, if there would be a status "WORKSFORME" in this bugtracker I would
> choose it now. I am unsure if "RESOLVED" is the way to go.

Never mind.