Comodo PositiveSSL CA bundle problems

Bdzzld

Hi,

There appears to be a problem with the "Manage Service SSL Certificates" feature in WHM.

If I install a (renewed) Comodo PositiveSSL SSL certificate (this may be the same for other multiple chained SSL certificates as well) for all services (cPanel/WHM/Webmail, Dovecot, Exim, FTP), the CA bundle is not added automatically by WHM. And when the CA bundle is added manually as provided by Comodo, e-mail programs connecting to Dovecot using SSL report chain errors and will not download any e-mails, so I had to remove the CA bundle again.

Other servers running a (free) StartSSL certificate do not have these problems.

Does anyone have the same problems?

Using: CentOS 6.5 x86_64 with WHM 11.44.1 (build 18).

Thanking you in advance.
 

eva2000

Yeah, I experienced the same problem. I use a Comodo/GoGetSSL wildcard certificate.

Same as in:

  1. The CA bundle is not automatically added by WHM.
  2. If you try to add the CA bundle after a previous WHM install of the SSL certificate, it seems some kind of caching is in effect and ssllab tests still report CA bundle issues. Only when you uninstall the previous SSL certificate and re-install it, this time manually adding the CA bundle, will it work and ssllab won't report errors.
  3. You can use the test at https://ssltools.geotrust.com/checker/views/certCheck.jsp to verify correct chain certificate ordering.

I only used it for domain SSL, not the cPanel services, so I can't confirm your email and other service issues.
 

Datcrack

I'm also suffering from this.

Using Comodo's PositiveSSL. WHM does not autofill the root bundle anymore. Hence it accepts it, but an SSL check gives an error that the CA is not to be trusted. I've contacted Comodo and they've sent me a CA for the SSL. But it doesn't seem to work.
 

cPanelMichael

Administrator
Staff member
Hello :)

Could you let us know which version of cPanel is installed on your system?

Thank you.
 

Bdzzld

FYI: I still haven't solved this problem either. The CA bundle is not loaded properly when renewing the main SSL certificate.
Code:
CENTOS 6.6 x86_64 standard
WHM 11.44.1 (build 19)
 

cPanelMichael

Administrator
Staff member
Please feel free to open a support ticket using the link in my signature so we can take a closer look. You can post the ticket number here so we can update this thread with the outcome.

Thank you.
 

psfrog

Instead of contacting Comodo Support to get a CA bundle file, you can do the following:

When you get your new SSL cert from Comodo (by mail), they have a zip file attached.
You need to unzip the zip file and open the following files in a text editor like Notepad:

AddTrustExternalCARoot.crt
COMODORSAAddTrustCA.crt
COMODORSADomainValidationSecureServerCA.crt


Then copy the text of each ".crt" file and paste the texts above each other in the "Certificate Authority Bundle (optional)" field.

After that, just add the SSL cert as usual in the "Certificate" field, click the "Autofill by Certificate" button and hit "Install".

That will solve the issue. :)
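
The manual paste described in the post above can be scripted and checked before anything is installed. This is an added example, not part of the original thread and not cPanel or Comodo tooling: it orders the CA files by following issuer-to-subject links from the site certificate (a TLS server sends its chain with each certificate certifying the one before it), then has `openssl verify` confirm the result. The file names in the usage comment are placeholders for your own certificate files, and the function names are made up for this example.

```shell
#!/bin/sh
# Added example: assemble a CA bundle in chain order and verify it.
# Usage (file names are placeholders):
#   build_bundle site.crt ca1.crt ca2.crt root.crt > bundle.crt
#   check_chain  site.crt bundle.crt root.crt

# Print the subject / issuer DN of the first certificate in a PEM file.
subject_of() { openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'; }
issuer_of()  { openssl x509 -in "$1" -noout -issuer  -nameopt RFC2253 | sed 's/^issuer= *//'; }

# Emit the CA certificates in chain order: the issuer of the site
# certificate first, then that certificate's issuer, ending at the root.
# The CA files may be given in any order.
build_bundle() {
    leaf=$1; shift
    want=$(issuer_of "$leaf")
    passes=$#                      # bound the walk so a name loop cannot spin
    while [ "$passes" -gt 0 ]; do
        found=
        for f in "$@"; do
            if [ "$(subject_of "$f")" = "$want" ]; then found=$f; break; fi
        done
        [ -n "$found" ] || { echo "no certificate with subject: $want" >&2; return 1; }
        openssl x509 -in "$found"  # write the certificate as clean PEM
        next=$(issuer_of "$found")
        [ "$next" = "$want" ] && return 0   # self-signed root ends the chain
        want=$next
        passes=$((passes - 1))
    done
}

# Name matching is not proof of a valid chain, so verify signatures too.
# $1 = site certificate, $2 = bundle (untrusted intermediates), $3 = trust anchor.
check_chain() {
    openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null
}
```

A passing `check_chain` only shows the chain is valid against the trust anchor you supplied; clients with a different or older trust store can still reject it.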
 

cPanelMichael

Administrator
Staff member
It just doesn't work. I'm contacting cPanel right now.
Please ensure you post the ticket number here so we can update this thread with the outcome.

Thank you.
 

chris4beta

Just chiming in... I too was having untrusted chain issues with a PositiveSSL from cheapsslsecurity, and tried several different orderings that various blogs said would fix the problem and construct a trusted CA bundle, but none of them worked. psfrog's solution worked for me and I now no longer get the untrusted cert warning on Android - thanks!
 

rene123

Yeah, psfrog's solution works. Thanks for that. The annoying thing about this problem is that it's like 1 out of 5 computers that returns "invalid ca"; it took us 3 months to actually notice the problem.