May 18, 2006
I am trying to install an SSL certificate for accessing WHM and cPanel (not for a client domain). I believe I followed all the correct steps, but when I try to access the site the browser displays a warning about the issuer not being trusted. (The issuer and expiry date are correct, i.e. it's not just using the old self-signed cert or anything). This is a chained certificate (GoDaddy), and I did paste the CA bundle into the appropriate box in the "Change Server Certificates" screen.

So I guess my first question is: how can I verify that the installer installed everything correctly? Where do the .crt files for the server certificates live? They don't seem to be in /etc/ssl or /usr/share/ssl.

I read in some old forum posts that there was a bug years ago that prevented CA bundles from being properly installed for WHM/cPanel certs... surely this has been fixed by now?? (no sign of it in bugzilla)

Thanks!
 
May 18, 2006
We never did get this sorted out, I'm beginning to wonder if perhaps that bug was never fixed after all? Here's the forum post discussing it (from 3 years ago!). It kinda fizzles out without reaching a resolution.

If anybody has any insight into this, it'd be much appreciated!
 
May 18, 2006
We actually ended up just buying a new cert that didn't require a CA bundle. Bigger fish to fry, you know?

Stephen, if you do decide to submit a ticket on this, let us know how it works out, won't you?
 

stephenbrown

Active Member
Apr 1, 2004
smoresandjiffyp said:
We actually ended up just buying a new cert that didn't require a CA bundle. Bigger fish to fry, you know?

Stephen, if you do decide to submit a ticket on this, let us know how it works out, won't you?
I have submitted a ticket, and I believe it's all sorted, but my browser still couldn't find the chained certs, but it's probably me :)

This is what I got from cPanel,

Stephen Bee said:
I simply downloaded https://certificates.godaddy.com/repository/sf_issuing.crt to /usr/local/cpanel/etc/mycpanel.cabundle, killed off all stunnel processes, and restarted the stunnel service. Note that if you do not have the issuer certificate installed in your browser, it will not consider it a legitimately signed certificate, and you will need to install the certificate by visiting the aforementioned URL.
that's your answer :)

by the way, where did you get your cert from with no CABundle?
 
May 18, 2006
Ah, that was the secret file location I was looking for! Thanks, good to know for next time :).

I believe we got our new cert from GeoTrust (QuickSSL). Worked like a charm, no more browser warnings.
 

PeteC

Well-Known Member
May 8, 2003
Texas
My experience with this (today, WHM 10.8.0, cPanel 10.9.0-S51) is that the install works fine as far as copying files to their correct locations, but I had to manually restart cPanel (login via SSH as root and issue "service cpanel restart") before the newly-installed cert takes effect. I wasn't using a Starfield cert like the original poster, but it does contain an intermediate SSL cert in the CABundle (http://www.positivessl.com).

Interestingly, after installation, WHM/cPanel are fine over IE7, but not Netscape 8. Yet, the same cert is fine with Netscape 8 when installed on a client account. So I assume there must be some problem with the way WHM presents the CABundle to the browser if there is an intermediate cert involved... But regular Apache presents the CABundle properly.
 

IdleServ

Well-Known Member
Oct 27, 2003
I'm having the same issues.

Using an Instant SSL certificate from http://www.securebusinessservices.com.

I've installed the CA Bundle correctly, it's in the mycpanel.cabundle file, it just seems that cPanel isn't loading it.

I've used the same type of certificates on users domains and they work fine.

Any solutions?
 

cPanelKenneth

cPanel Development
Staff member
Apr 7, 2006
cPanel Access Level
Root Administrator
The mycpanel.cabundle file is no longer used by cPanel when using NativeSSL access (the default for several months). The following only applies to NativeSSL, not stunnel.

When installing a cert for WHM/cPanel access (not a client domain) that requires intermediary certificates, it is best to use the command line, as the WHM for this is currently deficient for this scenario.

Copy the Certs into the file /usr/local/cpanel/etc/mycpanel.pem in the following order:

1. The Server Certificate (the cert you bought for accessing WHM/cPanel)
2. The Intermediary certificates
3. The Server Key (this matches cert #1)

Usually the Intermediary certificates are provided in a file by the CA. Simply copy them into the mycpanel.pem file after the Cert you bought.

You can verify this setup with the following command:

Code:
openssl verify -CAfile mycpanel.pem mycpanel.pem
If you get errors, the certificates could be in the incorrect order, the key is missing or a whole host of other issues.
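As an added example that is not part of this thread and not cPanel's own tooling: a small Python linter for a mycpanel.pem laid out in the order described above. It checks the block order textually (server certificate first, intermediates next, exactly one private key last), optionally runs the same `openssl verify -CAfile` command, and translates the "error N at D depth lookup" line into which block of the file that 0-based depth refers to. GOOD_PEM and BAD_PEM are constructed samples with placeholder bodies, not real certificates, so only the layout check is meaningful on them; the verify step needs a real file on a host with openssl installed.

```python
import re
import shutil
import subprocess

# One PEM block; the \1 back-reference forces the END label to match the BEGIN label.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)

# openssl verify reports failures as "error <code> at <depth> depth lookup:<reason>".
VERIFY_ERROR = re.compile(r"error (\d+) at (\d+) depth lookup:\s*(.+)")

# Constructed samples (dummy bodies, not real certificates or keys).
GOOD_PEM = (
    "-----BEGIN CERTIFICATE-----\nSERVERCERTBODY\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\nINTERMEDIATEBODY\n-----END CERTIFICATE-----\n"
    "-----BEGIN RSA PRIVATE KEY-----\nKEYBODY\n-----END RSA PRIVATE KEY-----\n"
)
BAD_PEM = (  # key first, no intermediates: the mistakes the thread describes
    "-----BEGIN RSA PRIVATE KEY-----\nKEYBODY\n-----END RSA PRIVATE KEY-----\n"
    "-----BEGIN CERTIFICATE-----\nSERVERCERTBODY\n-----END CERTIFICATE-----\n"
)


def pem_labels(text):
    """Return the BEGIN labels of every PEM block, in file order."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]


def check_layout(text):
    """Check the server-cert / intermediates / key order.

    Returns a list of problems; an empty list means the layout is as expected.
    """
    labels = pem_labels(text)
    certs = [i for i, l in enumerate(labels) if l == "CERTIFICATE"]
    keys = [i for i, l in enumerate(labels) if l.endswith("PRIVATE KEY")]
    problems = []
    if not certs:
        problems.append("no CERTIFICATE blocks found")
    elif certs[0] != 0:
        problems.append("first block is not a certificate; the server certificate must come first")
    if len(certs) == 1:
        problems.append("only one certificate present: the intermediate CA certificates are missing")
    if len(keys) != 1:
        problems.append("expected exactly one private key block, found %d" % len(keys))
    elif certs and keys[0] < certs[-1]:
        problems.append("private key appears before the last certificate; it must be the final block")
    return problems


def explain_verify_error(line, ncerts):
    """Map an openssl verify error line onto a block of the file.

    Depth is 0-based: depth 0 is the server certificate and depth n is the
    n-th certificate up the chain. "unable to get issuer certificate" at
    depth d means the issuer of the certificate at depth d was not found.
    Returns None when the line is not a verify error (e.g. "OK").
    """
    m = VERIFY_ERROR.search(line)
    if not m:
        return None
    code, depth, reason = int(m.group(1)), int(m.group(2)), m.group(3).strip()
    if depth == 0:
        where = "the server certificate (block 1)"
    elif depth < ncerts:
        where = "intermediate certificate %d (block %d)" % (depth, depth + 1)
    else:
        where = "depth %d, beyond the %d certificate(s) in the file" % (depth, ncerts)
    return "error %d (%s) at %s" % (code, reason, where)


def run_openssl_verify(path):
    """Run the thread's check on a real file.

    Returns (ok, output); ok is None when the openssl binary is not available.
    """
    if shutil.which("openssl") is None:
        return None, "openssl not found on PATH"
    proc = subprocess.run(["openssl", "verify", "-CAfile", path, path],
                          capture_output=True, text=True)
    return proc.returncode == 0, proc.stdout + proc.stderr


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "/usr/local/cpanel/etc/mycpanel.pem"
    with open(path) as fh:
        text = fh.read()
    for p in check_layout(text):
        print("layout:", p)
    ok, out = run_openssl_verify(path)
    ncerts = pem_labels(text).count("CERTIFICATE")
    for line in out.splitlines():
        print(explain_verify_error(line, ncerts) or line)
```

Run it as root against the live file (or pass another path) after assembling the PEM; the layout check catches ordering slips before openssl does, and the depth translation saves counting blocks by hand when verify fails.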
 

PeteC

Well-Known Member
May 8, 2003
Texas
Thanks for the helpful info, but when I do this, I get the following error:

error 2 at 2 depth lookup:unable to get issuer certificate

Any thoughts?
 

PeteC

Well-Known Member
May 8, 2003
Texas
Actually, even though openssl's verification isn't giving me an "OK", both IE and Netscape browsers like the certificate and find the full CA hierarchy when I put all these certs into /usr/local/cpanel/etc/mycpanel.pem as kenneth recommended, so I guess I'm all set. Thanks for the info...
 

cPanelKenneth

cPanel Development
Staff member
Apr 7, 2006
cPanel Access Level
Root Administrator
PeteC said:
Thanks for the helpful info, but when I do this, I get the following error:

error 2 at 2 depth lookup:unable to get issuer certificate

Any thoughts?
OpenSSL error messages are soooooo helpful.

That can mean the certs are in the wrong order in the file. The depth portion tells you which certificate (the numbering is 0 based) it had problems with. More than a few times I've reversed the order of a couple certificates and been quite frustrated by those "helpful" messages.

The verify test essentially is only useful for determining whether you have all the certs needed to build the "chain of trust" and that they are in the correct order. That's it.