Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Cannot install self-signed certificates?

Discussion in 'Security' started by sparek-3, Jan 13, 2018.

Tags:
  1. sparek-3

    sparek-3 Well-Known Member

    Joined:
    Aug 10, 2002
    Messages:
    1,583
    Likes Received:
    56
    Trophy Points:
    328
    cPanel Access Level:
    Root Administrator
    So... installssl no longer allows you to install a self-signed certificate because no CA Bundle is used?

    WHM API 1 Functions - installssl - Software Development Kit - cPanel Documentation

    That's... dumb?

    Got a client that wants to install their own self-signed certificate. I'm not really up for a debate on the merits to this or a free DCV certificate, that's not the point.

    How is one suppose to install a certificate when a CA Bundle is not required?

    Keep getting the error

    Certificate verification failed! The system did not find the Certificate Authority Bundle that matches this certificate.

    When I don't list a CA Bundle. Is there and override some where?
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    42,693
    Likes Received:
    1,703
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello,

    The SSL installation process should detect that it's a self-signed certificate and allow the installation to succeed. Can you open a support ticket so we can take a closer look at why that's not working on your system?

    Thank you.
     
  3. sparek-3

    sparek-3 Well-Known Member

    Joined:
    Aug 10, 2002
    Messages:
    1,583
    Likes Received:
    56
    Trophy Points:
    328
    cPanel Access Level:
    Root Administrator
    I got it to work by manually replacing the contents in the files that the cPanel installed self-signed certificate were using in the Apache configuration.

    The client has since received a valid DCV certificate, so I don't guess this is any issue right now.

    But I suppose the question should remain, why is the cab field necessary? Why does the installation process poop out when no CA Bundle is given when the installation process thinks there should be CA bundle? If I don't want to install the CA Bundle that should be my decision regardless of how the certificate is going to be presented to web site visitors.
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    42,693
    Likes Received:
    1,703
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello,

    As I understand, previously the SSL certificate installation process did not use OpenSSL to verify that a CA bundle was complete. This allowed users to install invalid CA bundles (leading to potential warnings when accessing the secure URL in web browsers). We've since added verification of CA bundles via OpenSSL before we accept the CA bundle for installation. Additionally, the system automatically checks to determine the best CA Bundle to use for a certificate and installs it (even if you manually enter a different one).

    I believe internal case CPANEL-14447 would address your concerns. It's open to report the confusion that can occur when users are unaware that their manually entered CA Bundle may not be honored when installing a SSL certificate. I'll monitor this case and update this thread with new information as it becomes available.

    Thank you.
     
Loading...

Share This Page