The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Comodo PositiveSSL CA bundle problems

Discussion in 'Security' started by Bdzzld, Oct 12, 2014.

  1. Bdzzld

    Bdzzld Well-Known Member

    Joined:
    Apr 3, 2004
    Messages:
    356
    Likes Received:
    1
    Trophy Points:
    18
    Hi,

    There appears to be a problem with the "Manage Service SSL Certificates" feature in WHM.

    If I install a (renewed) Comodo PositiveSSL SSL certificate (this may be the same for other multiple chained SSL certificates as well) for all services (cPanel/WHM/Webmal, DoveCot, Exim, FTP) the CA bundle is not added automatically by WHM. And when the CA bundle is added manually as provided by Comodo, e-mail programs connecting to DoveCot using SSL, are reporting chain errors and will not download any e-mails, so I had to remove the CA bundle again.

    Other servers running a (free) StartSSL certificate do not have these problems.

    Does anyone have the same problems?

    Using: CentOS 6.5 x86_64 with WHM 11.44.1 (build 18).

    Thanking you in advance.
     
  2. eva2000

    eva2000 Well-Known Member

    Joined:
    Aug 14, 2001
    Messages:
    322
    Likes Received:
    10
    Trophy Points:
    18
    Location:
    Brisbane, Australia
    cPanel Access Level:
    Root Administrator
    Twitter:
    yeah I experienced same problem I use Comodo/GoGetSSL Wildcard certificate

    same as in

    1. CA bundle is not automatically added by WHM
    2. If you try to add CA Bundle after previous WHM install of SSL certificate seems some kind of caching is in effect and still ssllab tests report CA bundle issues. Only when you uninstall previous SSL certificate and re-install but this time manually add the CA Bundle will it work and ssllab won't report errors
    3. You can use test at https://ssltools.geotrust.com/checker/views/certCheck.jsp to verify correct chain certificate ordering

    I only used for domain SSL not the cpanel services so can't confirm your email and other service issues
     
  3. Datcrack

    Datcrack Well-Known Member

    Joined:
    Dec 31, 2006
    Messages:
    47
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Istanbul / TURKEY
    cPanel Access Level:
    Root Administrator
    I'm also suffering from this.

    Using Comodo's PositiveSSL. WHM does not autofill root bundle anymore. Hence it accepts but an ssl check gives an error that CA is not to be trusted. I've contacted Comodo and they've sent me a CA for the SSL. But it doesn't seem to work.
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,678
    Likes Received:
    653
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
  5. Datcrack

    Datcrack Well-Known Member

    Joined:
    Dec 31, 2006
    Messages:
    47
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Istanbul / TURKEY
    cPanel Access Level:
    Root Administrator
    WHM 11.46.0 (build 12)
     
  6. Bdzzld

    Bdzzld Well-Known Member

    Joined:
    Apr 3, 2004
    Messages:
    356
    Likes Received:
    1
    Trophy Points:
    18
    FYI: I still haven't solved this problem either. The CA bundle is not loaded properly when renewing the main SSL certificate.
    Code:
    CENTOS 6.6 x86_64 standard
    WHM 11.44.1 (build 19)
    
     
  7. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,678
    Likes Received:
    653
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Please feel free to open a support ticket using the link in my signature so we can take a closer look. You can post the ticket number here so we can update this thread with the outcome.

    Thank you.
     
  8. psfrog

    psfrog Member

    Joined:
    Jul 13, 2004
    Messages:
    20
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Sweden
    cPanel Access Level:
    Root Administrator
    Instead of contacting Comodo Support and gain a CA bundle file You can do the following:

    When You get your new SSL cert from Comodo (by mail) they have a zip file attached.
    You need to unzip the zip-file and open the following files in a text editor like notepad:

    AddTrustExternalCARoot.crt
    COMODORSAAddTrustCA.crt
    COMODORSADomainValidationSecureServerCA.crt


    Then copy the text of each ".crt" file and paste the texts above eachother in the "Certificate Authority Bundle (optional)" field.

    After that just add the SSL cert as usual in the "Certificate" field and click at "Autofil by Certificate" button and hit "Install".

    That will solve the issue. :)
     
  9. Datcrack

    Datcrack Well-Known Member

    Joined:
    Dec 31, 2006
    Messages:
    47
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Istanbul / TURKEY
    cPanel Access Level:
    Root Administrator
    psfrog,

    It just doesn't work. I'm contacting cPanel right now.
     
  10. psfrog

    psfrog Member

    Joined:
    Jul 13, 2004
    Messages:
    20
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Sweden
    cPanel Access Level:
    Root Administrator
    Weird - I have solved this at 8 servers so far by doing this. I hope Cpanel will help You solve it.
     
  11. eva2000

    eva2000 Well-Known Member

    Joined:
    Aug 14, 2001
    Messages:
    322
    Likes Received:
    10
    Trophy Points:
    18
    Location:
    Brisbane, Australia
    cPanel Access Level:
    Root Administrator
    Twitter:
  12. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,678
    Likes Received:
    653
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Please ensure you post the ticket number here so we can update this thread with the outcome.

    Thank you.
     
  13. chris4beta

    chris4beta Registered

    Joined:
    Dec 21, 2014
    Messages:
    1
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    Just chiming in... I too was having untrusted chain issues with a PositiveSSL from cheapsslsecurity, and tried several different orderings that various blogs said would fix the problem and construct a trusted CA bundle, but none of them worked. psfrog's solution worked for me and now no longer get untrusted cert warning on Android - thanks!
     
  14. rene123

    rene123 Active Member

    Joined:
    Feb 20, 2009
    Messages:
    26
    Likes Received:
    0
    Trophy Points:
    1
    Yea psfrog's solutions works. Thanks for that. The annoying thing about this problem is that it's like 1 out of 5 computers that returns "invalid ca", took us 3 months to actually notice the problem.
     
Loading...

Share This Page