Univention Bugzilla – Bug 52546
LetsEncrypt signing chain broken - UCS System Diagnostic reports errors now
Last modified: 2021-01-25 12:45:49 CET
Created attachment 10586: System diagnostic error message

System diagnostic suddenly gives me: Found invalid certificate '/etc/univention/letsencrypt/signed_chain.crt' (see attachment). According to the UCS forum it seems that other customers are also affected by this: https://help.univention.com/t/system-diagnostic-suddenly-gives-me-found-invalid-certificate-etc-univention-letsencrypt-signed-chain-crt/16797

When I check the last valid certificate (from Dec. 1st) on my system I get:

openssl verify signed_chain.crt_20201201-033135
signed_chain.crt_20201201-033135: OK

When I do the same check on the newly created certificate (from Jan. 1st) I get:

openssl verify signed_chain.crt
CN = remote.xxxxx.de
error 20 at 0 depth lookup: unable to get local issuer certificate
error signed_chain.crt: verification failed

Running "update-ca-certificates" doesn't fix the issue. My current workaround is to use the last valid certificate from Dec. 1st. But this workaround won't last very long...
There already is a bug report for this issue, bug 52517. A more stable workaround is also described there. *** This bug has been marked as a duplicate of bug 52517 ***
The workaround described in ticket 52517 doesn't solve the issue with UCS System diagnostics. It still reports an error.
The system diagnostic check is problematic when checking certs not signed by our root CA. If Letsencrypt works fine on the system, this is a false positive. On my system with a working LE setup, the openssl verify call on the CLI also fails with the error mentioned in comment 0. The diagnostic module uses openssl verify to check for cert issues, which can be tricky, see e.g. https://mail.python.org/pipermail/cryptography-dev/2016-August/000676.html
Successful build
Package: univention-letsencrypt
Version: 1.2.2-15A~4.4.0.202101221238
Branch: ucs_4.4-0
Scope: letsencrypt

8d759e2 Bug #52546: download new certificate, run update-ca-certificates afterwards

The new certificate is downloaded now and named intermediate-r3.pem. On update, this new certificate is downloaded and update-ca-certificates is run.
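The "error 20" in comment 0 and the explanation in the previous two comments come down to two facts about openssl verify: it only reads the first certificate of the file it is given (the intermediate appended to signed_chain.crt is ignored), and it looks issuers up in the trust store, so an intermediate that is not registered there cannot be found. The script below is an added example, not code from the UCS diagnostic module or the letsencrypt app: it builds a throwaway root -> intermediate -> leaf PKI (constructed test data, with made-up names standing in for ISRG Root X1 -> R3 -> remote.xxxxx.de), reproduces the failure on a leaf+intermediate chain file, and then shows the two ways the issuer becomes findable: passing it with -untrusted, or registering it in a rehashed CA directory, which is what update-ca-certificates does under /etc/ssl/certs and what app version 1.2.2-16 relies on.

```shell
#!/bin/sh
# Added example (not UCS code): why "openssl verify signed_chain.crt" fails
# without the intermediate in the trust store, and what fixes it.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# --- constructed throwaway PKI; names are made up, never use for real hosts ---
cat > ca.ext <<'EOF'
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash
EOF
cat > leaf.ext <<'EOF'
basicConstraints=CA:FALSE
keyUsage=critical,digitalSignature
extendedKeyUsage=serverAuth
subjectAltName=DNS:remote.example.test
EOF

gen_key() { openssl ecparam -name prime256v1 -genkey -noout -out "$1" 2>/dev/null; }

# Root (self-signed), standing in for ISRG Root X1
gen_key root.key
openssl req -new -key root.key -subj "/CN=Example Root X1" -out root.csr 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -days 2 -extfile ca.ext -out root.crt 2>/dev/null

# Intermediate signed by the root, standing in for R3
gen_key intermediate.key
openssl req -new -key intermediate.key -subj "/CN=Example R3" -out intermediate.csr 2>/dev/null
openssl x509 -req -in intermediate.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -days 2 -extfile ca.ext -out intermediate.crt 2>/dev/null

# Leaf signed by the intermediate, standing in for remote.xxxxx.de
gen_key leaf.key
openssl req -new -key leaf.key -subj "/CN=remote.example.test" -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA intermediate.crt -CAkey intermediate.key -CAcreateserial \
    -days 2 -extfile leaf.ext -out leaf.crt 2>/dev/null

# Same layout as /etc/univention/letsencrypt/signed_chain.crt: leaf first, intermediate appended
cat leaf.crt intermediate.crt > signed_chain.crt

# Simulated system trust store: a hashed directory like /etc/ssl/certs after
# update-ca-certificates. Only the root is registered at this point.
mkdir store
cp root.crt store/
openssl rehash store 2>/dev/null

# Case 1: what the diagnostic module does. openssl verify checks only the FIRST
# certificate in the file, so the appended intermediate is ignored and the leaf's
# issuer cannot be found -> "error 20 ... unable to get local issuer certificate".
case_chain_file_only() {
    openssl verify -CAfile root.crt signed_chain.crt 2>&1
}

# Case 2: hand the intermediate over explicitly on the command line.
case_untrusted_intermediate() {
    openssl verify -CAfile root.crt -untrusted intermediate.crt signed_chain.crt 2>&1
}

# Case 3: what the 1.2.2-16 fix does: register the intermediate in the trust
# store and rehash it, so the issuer lookup succeeds without CLI help.
case_intermediate_in_store() {
    cp intermediate.crt store/
    openssl rehash store 2>/dev/null
    openssl verify -CApath store signed_chain.crt 2>&1
}

echo "1) chain file only:";               case_chain_file_only       || echo "   -> exit status $?"
echo "2) intermediate via -untrusted:";   case_untrusted_intermediate
echo "3) intermediate in trust store:";   case_intermediate_in_store
```

Case 1 is the reproducer for the failure in comment 0; case 3 is the state the app update leaves the system in. Note that case 3 also needs the root in the store (as the Let's Encrypt roots are in Debian's ca-certificates), because OpenSSL by default still has to reach a self-signed anchor once it has found the intermediate.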
univention-letsencrypt (1.2.2-16)

2184d63cc1f7 | Bug #52546: create symlink for new intermediate certificate

Sorry, forgot to create the new symlink in the postinst.
OK: u-letsencrypt downloads and registers new r3 intermediate cert during installation and update
OK: after the app update, system diagnostic reports no cert errors regarding letsencrypt anymore.
OK: letsencrypt app 1.2.2-16

Verified
Released with letsencrypt app version 1.2.2-16