Bug 52546 - LetsEncrypt signing chain broken - UCS System Diagnostic reports errors now
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Let's Encrypt
UCS 4.4
Other Linux
Assigned To: Julia Bremer
Erik Damrose
Depends on:
Blocks:
Reported: 2021-01-06 09:00 CET by Thomas
Modified: 2021-01-25 12:45 CET (History)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 3: Simply Wrong: The implementation doesn't match the docu
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 2: A Pain – users won’t like this once they notice it
User Pain: 0.069
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:


Attachments
System diagnostic error message (18.92 KB, image/jpeg)
2021-01-06 09:00 CET, Thomas

Description Thomas 2021-01-06 09:00:36 CET
Created attachment 10586 [details]
System diagnostic error message

System diagnostic suddenly gives me: Found invalid certificate ‘/etc/univention/letsencrypt/signed_chain.crt’ (see attachment).

According to the UCS forum it seems that other customers are also affected by this:

https://help.univention.com/t/system-diagnostic-suddenly-gives-me-found-invalid-certificate-etc-univention-letsencrypt-signed-chain-crt/16797

When I check the last valid certificate (from Dec. 1st) on my system I get:
openssl verify signed_chain.crt_20201201-033135
signed_chain.crt_20201201-033135: OK

When I do the same check on the newly created certificate (from Jan. 1st) I get:
openssl verify signed_chain.crt
CN = remote.xxxxx.de
error 20 at 0 depth lookup: unable to get local issuer certificate
error signed_chain.crt: verification failed

Running “update-ca-certificates” doesn't fix the issue.

My current workaround is to use the last valid certificate from Dec. 1st.
But this workaround won't last very long...
Comment 1 Erik Damrose univentionstaff 2021-01-06 09:49:15 CET
There already is a bug report for this issue, bug 52517. A more stable workaround is also described there.

*** This bug has been marked as a duplicate of bug 52517 ***
Comment 2 Thomas 2021-01-06 10:49:35 CET
The workaround described in ticket 52517 doesn't solve the issue with UCS System diagnostics. It still reports an error.
Comment 3 Thomas 2021-01-06 10:49:58 CET
The workaround described in ticket 52517 doesn't solve the issue with UCS System diagnostics. It still reports an error.
Comment 4 Erik Damrose univentionstaff 2021-01-21 17:20:24 CET
The system diagnostic check is problematic when checking certs not signed by our rootCA.

If Letsencrypt works fine on the system this is a false positive.
On my system with a working LE setup the openssl verify call on the CLI also fails with the error mentioned in comment 0.

The diagnostic module uses openssl verify to check for cert issues, which can be tricky, see e.g. https://mail.python.org/pipermail/cryptography-dev/2016-August/000676.html
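Worked example, added here and not code from this bug, UCS or the univention-letsencrypt package: it builds a constructed root -> intermediate -> leaf chain with the openssl CLI and reproduces comment 4's point that "openssl verify" on the leaf alone fails at depth 0 until the intermediate is either registered in the trust store (what the fix in comments 7 and 8 does) or handed over as untrusted chain material. It assumes a working openssl CLI; all names (Demo Root, Demo Intermediate, remote.example.test) are made up.

```shell
#!/bin/sh
# Added demo, not part of UCS or univention-letsencrypt. Requires the openssl
# CLI. Builds root -> intermediate -> leaf under a temp dir, then shows the
# three outcomes of "openssl verify" on the leaf certificate.
WORK=$(mktemp -d)

gen_chain() {
  # Self-signed root: stands in for the root CA already in the system store.
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Root" \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" >/dev/null 2>&1
  # Intermediate CA: stands in for the new LE intermediate (R3 in this bug).
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' >"$WORK/ca.ext"
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate" \
    -keyout "$WORK/int.key" -out "$WORK/int.csr" >/dev/null 2>&1
  openssl x509 -req -days 2 -in "$WORK/int.csr" -CA "$WORK/root.pem" \
    -CAkey "$WORK/root.key" -CAcreateserial -extfile "$WORK/ca.ext" \
    -out "$WORK/int.pem" >/dev/null 2>&1
  # Leaf: stands in for the server certificate in signed_chain.crt.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=remote.example.test" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
  openssl x509 -req -days 2 -in "$WORK/leaf.csr" -CA "$WORK/int.pem" \
    -CAkey "$WORK/int.key" -CAcreateserial -out "$WORK/leaf.pem" >/dev/null 2>&1
  # Store after the intermediate has been registered (what the fixed package
  # achieves via update-ca-certificates): root and intermediate both trusted.
  cat "$WORK/root.pem" "$WORK/int.pem" >"$WORK/store-with-int.pem"
}

# Root only in the store, no intermediate anywhere: the leaf's issuer cannot be
# found, i.e. "error 20 at 0 depth lookup: unable to get local issuer
# certificate", and openssl exits non-zero.
verify_root_only() {
  openssl verify -CAfile "$WORK/root.pem" "$WORK/leaf.pem" >/dev/null 2>&1
}
# Same store, intermediate passed as untrusted chain material: OK.
verify_with_untrusted() {
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/int.pem" \
    "$WORK/leaf.pem" >/dev/null 2>&1
}
# Intermediate registered in the store itself, as after the fix: OK.
verify_registered_store() {
  openssl verify -CAfile "$WORK/store-with-int.pem" "$WORK/leaf.pem" >/dev/null 2>&1
}

gen_chain
for check in verify_root_only verify_with_untrusted verify_registered_store; do
  if "$check"; then echo "$check: OK"; else echo "$check: verification failed"; fi
done
```

The first case is exactly what the diagnostic module hits on a host whose store lacks the intermediate, which is why the check is a false positive while the web server, which sends the intermediate itself, keeps working.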
Comment 7 Julia Bremer univentionstaff 2021-01-22 13:14:47 CET
Successful build
Package: univention-letsencrypt
Version: 1.2.2-15A~4.4.0.202101221238
Branch: ucs_4.4-0
Scope: letsencrypt

8d759e2 Bug #52546: download new certificate, run update-ca-certificates afterwards

The new certificate is downloaded now, and named intermediate-r3.pem.
On update, this new certificate is downloaded and update-ca-certificates is run.
Comment 8 Julia Bremer univentionstaff 2021-01-22 14:31:16 CET
univention-letsencrypt (1.2.2-16)
2184d63cc1f7 | Bug #52546: create symlink for new intermediate certificate

Sorry, forgot to create the new symlink in the postinst.
Comment 9 Erik Damrose univentionstaff 2021-01-25 11:02:20 CET
OK: u-letsencrypt downloads and registers new r3 intermediate cert during installation and update
OK: after the app update, system diagnostic reports no cert errors regarding letsencrypt anymore.
OK: letsencrypt app 1.2.2-16
Verified
Comment 10 Erik Damrose univentionstaff 2021-01-25 12:45:49 CET
Released with letsencrypt app version 1.2.2-16