Certificate verification failed

[difepape]

Hi, I´ve this error trying to install a SSl Certificate, using the WHM tool, any suggestion please?

Certificate verification failed! Certificate verified: stdin: C = US, ST = Illinois, L = Chicago, O = "Trustwave Holdings, Inc.", CN = "Trustwave Organization Validation SHA256 CA, Level 1", emailAddress = [EMAIL][email protected][/EMAIL] error 20 at 1 depth lookup:unable to get local issuer certificate

• CENTOS 6.7 x86_64 xenhvm –

• [WHM 56.0 (build 14)

• Trustwave Certificate

• With Chain (CA bundle)

Thanks

Fernando

 

[cPanelMichael]

Hello,

I've seen this happen due to multiple installations of the OpenSSL package. Please post the output from the following commands:

openssl version
rpm -qa | grep openssl

Thank you.

 

[difepape]

Hello,

I've seen this happen due to multiple installations of the OpenSSL package. Please post the output from the following commands:

openssl version
rpm -qa | grep openssl

Thank you.

Hi this is the output:

# openssl version
OpenSSL 1.0.2g  1 Mar 2016

# rpm -qa | grep openssl
openssl-devel-1.0.1e-42.el6_7.4.x86_64
openssl-1.0.1e-42.el6_7.4.i686
openssl-1.0.1e-42.el6_7.4.x86_64

Thanks for your help

 

[cPanelMichael]

The output you have provided suggests a manually compiled version of OpenSSL on your system. Have you manually installed or modified OpenSSL outside of running "yum update" on this system?

Thank you.

 

[difepape]

The output you have provided suggests a manually compiled version of OpenSSL on your system. Have you manually installed or modified OpenSSL outside of running "yum update" on this system?

Thank you.

Hi Michael, thanks for your support, now I´ve the Certificates installed, however continue with a subdomain problem, you can help me with this last issue please?

Thanks

Fernando

This SSL certificate was already installed.

The SSL website is now active and accessible via HTTPS on this domain:

• mydomain.com

The SSL certificate also supports these domains, but these domains do not refer to the SSL website mentioned above:

• subdomain.mydomain.com

 

[cPanelMichael]

however continue with a subdomain problem, you can help me with this last issue please?

Could you elaborate on the specific subdomain problem you are facing?

Thank you.

 

[Olof]

I'm having the same problem when AutoSSL is trying to install a certificate, also likely due to manually installed openSSL:

# openssl version
OpenSSL 1.0.2j 26 Sep 2016

# rpm -qa | grep openssl

openssl-1.0.1e-48.el6_8.3.x86_64
openssl-devel-1.0.1e-48.el6_8.3.x86_64


We however, MUST, use 1.0.2j or later. So what can I do to make AutoSSL be able to install certificates again?

 

[cPanelMichael]

Hello @Olof,

Feel free to open a support ticket using the link in my signature so we can take a closer look. You can post the ticket number here so we can update this thread with the outcome.

Thank you.

 

[Olof]

Hello @Olof,

Feel free to open a support ticket using the link in my signature so we can take a closer look. You can post the ticket number here so we can update this thread with the outcome.

Thank you.

Thanks Michael!

I have verified my suspicions by removing OpenSSL 1.0.2j (2016), and then WHM can install certs again. However, the problem is that I very much need that version to be use all throughout the system. So how do I get WHM to behave while having this installed? OR have the old version in a separate location and make WHM use that only when installing certs?

The old version is 4 years old (OpenSSL 1.0.1e-fips 11 Feb 2013) - that is a long time.

Support Request ID is: 8151305

 

[Olof]

I got back word from cpanel-support (not Michael), saying it is impossible for WHM to work correctly with newer versions of openSSL.

If anyone else is having similar problems, there are only two solutions:

1, Roll back openSSL to the archaic version and move the newer one to /opt/openssl then rebuild everything that need a modern openSSL to look there instead.
2, Start using something else than CPanel/WHM

 

[cPanelMichael]

Hello,

Thank you for updating us with the outcome from the support ticket. I also encourage you to vote and add feedback to the existing feature request for this at:

Ability to Override CurlSSL and OpenSSL Libraries

Thank you.