
SSL trouble installing intermediate certificate

Comments

13 comments

  • Infopro
    The docs might be helpful: Install an SSL Certificate on a Domain - cPanel Documentation: WHM >> SSL/TLS >> Install an SSL Certificate on a Domain
    0
  • thepossum
    Nope, they were totally not helpful. Already read them. My very specific question was, paraphrased, where can I go to somehow manually attach that intermediate certificate into the config, because none of the web gui interface is doing it for me?
    0
  • cPanelMichael
    Hello :) Please feel free to open a support ticket so we can take a closer look to determine why the CABundle is not updating successfully. You can post the ticket number here so we can update this thread with the outcome. Thanks.
    0
  • Infopro
    thepossum wrote: "Nope, they were totally not helpful. Already read them. My very specific question was, paraphrased, where can I go to somehow manually attach that intermediate certificate into the config, because none of the web gui interface is doing it for me?"
    When you attempted to add it there, there's an option to Autofill by Certificate. Did that give you any error message when you used it? The area I mentioned is not the same area. At the top of the area you mention, it says this: "Use this interface to manage SSL certificates for services other than Apache."
    Above the area I did it says: "Use this interface to install a certificate on a domain. To install a certificate, you can type the desired domain, and the interface will automatically fill the empty fields. You can also paste a certificate to automatically fill the domain and related information. To browse your certificates, click the 'Browse Certificates' button."
    I guess I'm wrong here, but I thought this was for the website, not the server services.
    0
  • thepossum
    Rather than leave all of you Google'ers hanging, I have now solved the problem with the help of cPanel's tech support, and this was what was necessary:
    I downloaded the official GeoTrust .pem bundle for Apache: knowledge.geotrust.com/library/VERISIGN/ALL_OTHER/geotrust%20ca/GeoTrust_EV_CA_G2_bundle.pem
    Depending on which certificate you purchased it may be a different .pem bundle -- others are here: knowledge.geotrust.com/support/knowledge-base/index?page=content&actp=CROSSLINK&id=AR1421
    Once downloaded to a location readable by the Apache daemon, I edited the /etc/httpd/conf/httpd.conf and located the VirtualHost section for the site in question's ssl and added one more line:
        /etc/httpd/conf/httpd.conf
        ...
        SSLCACertificateFile /path/to/filename.pem
        ...
    and once that change was made I restarted Apache with /scripts/restartsrv_httpd
    0
  • JaredR.
    Note that on a cPanel server, the httpd.conf file is in /usr/local/apache/conf, not /etc/httpd/conf. /etc/httpd may exist, but it is only a symlink to /usr/local/apache. /usr/local/apache is the actual location of Apache httpd on a cPanel server.
    Similarly, /scripts is only a symlink to /usr/local/cpanel/scripts. On recent versions of cPanel, the actual location of the scripts is /usr/local/cpanel/scripts, with /scripts as a symlink only for compatibility and legacy purposes.
    Finally, your manual edit to httpd.conf will not survive a cPanel update. It will be overwritten. Please see the following documentation that explains how to make manual edits to httpd.conf and preserve them across updates:
    EasyApache: Changes Contained Outside a VirtualHost Directive (http://docs.cpanel.net/twiki/bin/view/EasyApache/EasyApacheCustomDirectivesOutsideVirtualHost)
    EasyApache: Changes Contained Within a VirtualHost Directive (http://docs.cpanel.net/twiki/bin/view/EasyApache/EasyApacheChangesWithinVirtualHost)
    0
  • joako
    The best option is to copy and paste the two certificates into one file and use that as your SSL certificate in WHM. If you run the test here:
    0
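
Added example, not part of any post in this thread: a local check of what a missing intermediate does to chain validation. It builds a constructed root, intermediate and site certificate with the `openssl` command line (all names and file names are made up) and verifies the site certificate with and without the intermediate supplied.

```bash
#!/usr/bin/env bash
# Added example: constructed root -> intermediate -> leaf chain; every
# name and file here is made up for the demonstration.
set -u

new_csr() {   # $1 = file stem, $2 = common name
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr"
}

make_constructed_pki() {   # $1 = empty working directory
  ( cd "$1" || exit 1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    # Self-signed root: the only certificate the client already trusts.
    new_csr root "Constructed Root CA" &&
    openssl x509 -req -in root.csr -signkey root.key -sha256 -days 2 \
      -extfile ca.ext -out root.pem &&
    # Intermediate CA signed by the root: what the CA bundle carries.
    new_csr int "Constructed Intermediate CA" &&
    openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
      -sha256 -days 2 -extfile ca.ext -out int.pem &&
    # Site certificate signed by the intermediate, not by the root.
    new_csr leaf "www.example.test" &&
    openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
      -sha256 -days 2 -out leaf.pem
  ) >/dev/null 2>&1
}

# $1 = site cert, $2 = trusted root, $3 = optional bundle the server sends
verify_chain() {
  if openssl verify -CAfile "$2" ${3:+-untrusted "$3"} "$1" >/dev/null 2>&1
  then echo ok; else echo broken; fi
}

work=$(mktemp -d)
make_constructed_pki "$work"
echo "site cert only:        $(verify_chain "$work/leaf.pem" "$work/root.pem")"
echo "site cert + CA bundle: $(verify_chain "$work/leaf.pem" "$work/root.pem" "$work/int.pem")"
rm -rf "$work"
```

The first result is what a client sees when the server sends only the site certificate; the second is the same certificate with the intermediate supplied alongside it.
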
  • websnail.net
    Just thought I'd toss some hard won intel here as I've been struggling with this now for the last couple of days.
    CAbundle inclusion within the virtualhost directive is still not happening despite the SSL certificate installation process, so as folks have found, their sites won't pass all SSL tests properly. This is what I've discovered on how to do it for RapidSSL along with RTFM moments that perhaps could be excused.
    1. Make sure you have the correct Intermediate CA bundle. RapidSSL have two of these in circulation and their documentation is poorly maintained with the older version still active but failing to verify the chain properly. The correct one at time of writing is this one: to make sure your edits are added.
    BUT critically you also need to remember to run the following command lines to get them included:
        /scripts/verify_vhost_includes
        /scripts/rebuildhttpdconf
    This last is missed out in the linked docs presumably based on the assum(e)ption that people read a manual in a linear fashion. That could do with a little rethink (ie: inclusion on the tail of ).
    Took a looong time to get this sorted out but not entirely sure why cPanel/WHM is not including the SSLCACertificateFile information by default... Bug?
    Hope that saves someone an equally frustrating 5 hours head-desk abuse.
    0
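
Added example, not part of any post in this thread: one way to confirm after a rebuild which SSL VirtualHosts actually carry a CA bundle directive. The sample configuration, host names and addresses are constructed; the function names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: list every VirtualHost that sets SSLCertificateFile and
# say whether it also names a CA bundle. Sample data below is constructed.

write_sample_conf() {   # $1 = output path
  cat > "$1" <<'EOF'
<VirtualHost 192.0.2.10:80>
  ServerName good.example.test
</VirtualHost>
<VirtualHost 192.0.2.10:443>
  ServerName good.example.test
  SSLEngine on
  SSLCertificateFile /path/to/good.crt
  SSLCertificateKeyFile /path/to/good.key
  SSLCACertificateFile /path/to/filename.pem
</VirtualHost>
<VirtualHost 192.0.2.10:443>
  ServerName bad.example.test
  SSLEngine on
  SSLCertificateFile /path/to/bad.crt
  SSLCertificateKeyFile /path/to/bad.key
  # SSLCACertificateFile /path/to/filename.pem
</VirtualHost>
EOF
}

audit_vhosts() {   # $1 = httpd.conf to inspect
  awk '
    tolower($1) ~ /^<virtualhost/ { invh=1; name="(no ServerName)"; cert=0; chain=0; next }
    !invh                         { next }
    tolower($1) == "servername"          { name=$2 }
    tolower($1) == "sslcertificatefile"  { cert=1 }
    tolower($1) == "sslcacertificatefile" ||
    tolower($1) == "sslcertificatechainfile" { chain=1 }
    tolower($1) ~ /^<\/virtualhost/ {
      # Only SSL vhosts are reported; commented-out directives do not count.
      if (cert) print name, (chain ? "bundle-configured" : "MISSING-CA-BUNDLE")
      invh=0
    }
  ' "$1"
}

conf=$(mktemp)
write_sample_conf "$conf"
audit_vhosts "$conf"
rm -f "$conf"
```

On a cPanel server the file to pass is the /usr/local/apache/conf/httpd.conf mentioned above. A MISSING-CA-BUNDLE line is a prompt to look closer rather than proof, since Apache 2.4.8 and later also accept intermediates appended to the SSLCertificateFile itself.
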
  • Marcllino
    Hi, I also had this problem when installing the certificate. The CAbundle didn't 'register' correctly and an SSL check gave the warning that intermediate certs were not present. I added the intermediate certs into the virtualhost manually and that worked, but is not how it should work.
    Last week I installed a certificate and the same problem occurred. Every time I re-installed and added the CAbundle (through cPanel for the account) nothing happened and the intermediate certs didn't get 'registered'.
    When I used WHM: Home >> SSL/TLS >> Install an SSL Certificate on a Domain -> Browse certificates -> Browse account (select the account where the cert is already installed) -> Select (or is already selected) and click 'use certificate' -> Scroll down to the 'Certificate Authority Bundle' section and add the intermediate certs
    I use COMODO and the order for this is:
    - AddTrustExternalCARoot
    - COMODORSAAddTrustCA
    - COMODORSAExtendedValidationSecureServerCA
    Using this method the intermediate certs got 'registered' correctly. This assumes that you already installed the certificate through cPanel for the account (which apparently doesn't register the intermediate certs initially).
    WHM version: 11.50.0 (build29) / CentOS 6.6
    Hope this helps. Regards, Marcellino
    0
  • cPanelMichael
    Hello :) Could you let us know if this issue continues on cPanel version 11.50.1.1 (Currently only available in the "Current" build tier), and if so, let us know who your certificate issuer is? Thank you.
    0
  • Khoi Nguyen
    Hi, I've got an issue with SHA-1 certificates. Currently I'm using Geotrust (AlphaSSL), and got a message from a web browser: SHA-1 weak certificate. How to update a new CA Certificate from these links? Can we enable auto update from cPanel repository?
    0
  • joako
    You can't just replace the CA, since in PKI the CA is the certificate (or parent certificate of the intermediate CA) that signed your certificate. You must contact the seller of the certificate (which is not necessarily Geotrust) and have them reissue it. You should generate a new CSR with SHA-256 and a 4096-bit key.
    0
