
Chained cert for WHM/cPanel

Discussion in 'General Discussion' started by smoresandjiffyp, Jun 28, 2006.

  1. smoresandjiffyp

    I am trying to install an SSL certificate for accessing WHM and cPanel (not for a client domain). I believe I followed all the correct steps, but when I try to access the site the browser displays a warning about the issuer not being trusted. (The issuer and expiry date are correct, i.e. it's not just using the old self-signed cert or anything). This is a chained certificate (GoDaddy), and I did paste the CA bundle into the appropriate box in the "Change Server Certificates" screen.

    So I guess my first question is: how can I verify that the installer installed everything correctly? Where do the .crt files for the server certificates live? They don't seem to be in /etc/ssl or /usr/share/ssl.

    I read in some old forum posts that there was a bug years ago that prevented CA bundles from being properly installed for WHM/cPanel certs... surely this has been fixed by now?? (no sign of it in bugzilla)

    Thanks!
     
  2. stephenbrown

    stephenbrown Active Member

    I am also having this problem.
     
  3. stephenbrown

    stephenbrown Active Member

    *bump*

    Sorry, but it's starting to get desperate ;)
     
  4. smoresandjiffyp

    We never did get this sorted out, I'm beginning to wonder if perhaps that bug was never fixed after all? Here's the forum post discussing it (from 3 years ago!). It kinda fizzles out without reaching a resolution.

    If anybody has any insight into this, it'd be much appreciated!
     
  5. forlinuxsupport

    forlinuxsupport Well-Known Member
    PartnerNOC

    Open a bugzilla or open a support request with cPanel.
     
  6. smoresandjiffyp

    We actually ended up just buying a new cert that didn't require a CA bundle. Bigger fish to fry, you know?

    Stephen, if you do decide to submit a ticket on this, let us know how it works out, won't you?
     
  7. stephenbrown

    stephenbrown Active Member

    I have submitted a ticket, and I believe it's all sorted, but my browser still couldn't find the chained certs, but it's probably me :)

    This is what I got from cPanel,

    that's your answer :)

    by the way, where did you get your cert from with no CABundle?
     
  8. smoresandjiffyp

    Ah, that was the secret file location I was looking for! Thanks, good to know for next time :).

    I believe we got our new cert from GeoTrust (QuickSSL). Worked like a charm, no more browser warnings.
     
  9. PeteC

    PeteC Well-Known Member

    My experience with this (today, WHM 10.8.0, cPanel 10.9.0-S51) is that the install works fine as far as copying files to their correct locations, but I had to manually restart cPanel (login via SSH as root and issue "service cpanel restart") before the newly-installed cert takes effect. I wasn't using a Starfield cert like the original poster, but it does contain an intermediate SSL cert in the CABundle (http://www.positivessl.com).

    Interestingly, after installation, WHM/cPanel are fine over IE7, but not Netscape 8. Yet, the same cert is fine with Netscape 8 when installed on a client account. So I assume there must be some problem with the way WHM presents the CABundle to the browser if there is an intermediate cert involved... But regular Apache presents the CABundle properly.
     
    #9 PeteC, Nov 10, 2006
    Last edited: Nov 10, 2006
  10. IdleServ

    IdleServ Active Member

    I'm having the same issues.

    Using an Instant SSL certificate from http://www.securebusinessservices.com.

    I've installed the CA Bundle correctly, it's in the mycpanel.cabundle file, it just seems that cPanel isn't loading it.

    I've used the same type of certificates on users' domains and they work fine.

    Any solutions?
     
  11. cPanelKenneth

    cPanelKenneth cPanel Development
    Staff Member

    The mycpanel.cabundle file is no longer used by cPanel when using NativeSSL access (the default for several months). The following only applies to NativeSSL, not stunnel.

    When installing a cert for WHM/cPanel access (not a client domain) that requires intermediary certificates, it is best to use the command line, as the WHM for this is currently deficient for this scenario.

    Copy the Certs into the file /usr/local/cpanel/etc/mycpanel.pem in the following order:

    1. The Server Certificate (the cert you bought for accessing WHM/cPanel)
    2. The Intermediary certificates
    3. The Server Key (this matches cert #1)

    Usually the Intermediary certificates are provided in a file by the CA. Simply copy them into the mycpanel.pem file after the Cert you bought.

    You can verify this setup with the following command:

    Code:
    openssl verify -CAfile mycpanel.pem mycpanel.pem
    
    If you get errors, the certificates could be in the incorrect order, the key is missing or a whole host of other issues.
     
  12. IdleServ

    IdleServ Active Member

    Thanks, all sorted now :cool:
     
  13. PeteC

    PeteC Well-Known Member

    Thanks for the helpful info, but when I do this, I get the following error:

    error 2 at 2 depth lookup:unable to get issuer certificate

    Any thoughts?
     
  14. PeteC

    PeteC Well-Known Member

    Actually, even though openssl's verification isn't giving me an "OK", both IE and Netscape browsers like the certificate and find the full CA hierarchy when I put all these certs into /usr/local/cpanel/etc/mycpanel.pem as Kenneth recommended, so I guess I'm all set. Thanks for the info...
     
  15. cPanelKenneth

    cPanelKenneth cPanel Development
    Staff Member

    OpenSSL error messages are soooooo helpful.

    That can mean the certs are in the wrong order in the file. The depth portion tells you which certificate (the numbering is 0 based) it had problems with. More than a few times I've reversed the order of a couple certificates and been quite frustrated by those "helpful" messages.

    The verify test essentially is only useful for determining whether you have all the certs needed to build the "chain of trust" and that they are in the correct order. That's it.
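
Added example, not part of the thread and not cPanel code: a shell check for the mycpanel.pem layout cPanelKenneth describes in posts 11 and 15 (server certificate, then intermediates, then the matching key). The function names, the demo subject names and the generated sample chain are assumptions made for illustration; blocks are numbered from 1, so block i corresponds to openssl's depth i-1.

```shell
#!/bin/sh
# Added example (not cPanel code): check the mycpanel.pem layout from the post.

# Constructed sample data: a stand-in issuing CA plus a server cert/key in dir $1.
make_demo() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Issuing CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=whm.example.test" \
        -keyout "$1/srv.key" -out "$1/srv.csr" 2>/dev/null
    openssl x509 -req -in "$1/srv.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -out "$1/srv.crt" 2>/dev/null
}

# check_bundle FILE: prints "OK" or the first problem found; returns 0 or 1.
check_bundle() {
    tmp=$(mktemp -d) || return 2
    # Split into one PEM block per file (1.pem, 2.pem, ...), in file order.
    awk -v d="$tmp" '/^-----BEGIN /{n++} n{print > (d "/" n ".pem")}' "$1"
    n=$(ls "$tmp" | wc -l | tr -d ' ')
    rc=0
    if [ "$n" -lt 2 ]; then
        echo "expected a certificate and a key, found $n PEM block(s)"; rc=1
    elif ! grep -q 'PRIVATE KEY-----' "$tmp/$n.pem"; then
        echo "last block is not the private key"; rc=1
    fi
    i=1
    while [ "$rc" -eq 0 ] && [ "$i" -lt "$n" ]; do
        if ! grep -q 'BEGIN CERTIFICATE' "$tmp/$i.pem"; then
            echo "block $i is not a certificate"; rc=1
        elif [ "$i" -gt 1 ]; then
            # Name check only: the issuer of block i-1 must be the subject of block i.
            want=$(openssl x509 -noout -issuer_hash -in "$tmp/$((i - 1)).pem")
            have=$(openssl x509 -noout -subject_hash -in "$tmp/$i.pem")
            [ "$want" = "$have" ] || { echo "block $i is not the issuer of block $((i - 1))"; rc=1; }
        fi
        i=$((i + 1))
    done
    if [ "$rc" -eq 0 ]; then
        # The key (last block) must carry the same public key as the server cert (block 1).
        a=$(openssl x509 -noout -pubkey -in "$tmp/1.pem")
        b=$(openssl pkey -pubout -in "$tmp/$n.pem" 2>/dev/null)
        [ "$a" = "$b" ] || { echo "key does not match the server certificate"; rc=1; }
    fi
    [ "$rc" -eq 0 ] && echo "OK"
    rm -rf "$tmp"
    return "$rc"
}

if [ -n "${1:-}" ]; then check_bundle "$1"; fi
```

Run it as `sh script.sh /usr/local/cpanel/etc/mycpanel.pem`; the chain check compares issuer and subject names only, so it catches a swapped or missing certificate but does not validate signatures.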
     