Getting very frustrated with chained SSL

Discussion in 'General Discussion' started by jez9999, Feb 7, 2008.

  1. jez9999

    jez9999 Well-Known Member

    Hello,

    I've obtained a free SSL certificate from Startcom for one of my domains. I know that Startcom aren't trusted in IE and Opera, but I'm using Firefox to test it and they are trusted in there.

    Now, I had to muck around with httpd.conf to get my regular domain to work with HTTPS despite trying to set it up in WHM; I basically added these lines:
    Code:
        SSLEngine on
        SSLCertificateFile /usr/share/ssl/certs/www.mortonsolicitors.com.crt
        SSLCertificateKeyFile /usr/share/ssl/private/www.mortonsolicitors.com.key
        SSLCertificateChainFile /usr/share/ssl/certs/sub.class1.server.ca.crt
        SSLCACertificateFile /usr/share/ssl/certs/ca.crt
    
    Now Firefox accepts an HTTPS connection to my domain (https://mortonsolicitors.com) just fine. The problem is that when I try to install this certificate for WHM/cPanel services in the service SSL manager, it doesn't work. It doesn't appear to be giving the correct certificate chain to Firefox and so Firefox can't verify the cert (i.e. for https://mortonsolicitors.com:2083/).

    I've tried to figure out why this is for hours now and I can't. Could somebody please help me? Do I need to somehow install a CA bundle? I'm not even sure what the appropriate CA bundle is for Startcom; I tried downloading the one from http://cert.startcom.org/ca-bundle.crt and putting it in /usr/local/cpanel/etc/mycpanel.pem then restarting cpanel but it changes nothing. Please help. :-(
     
  2. jez9999

    jez9999 Well-Known Member

    Bump.......
     
  3. jayh38

    jayh38 Well-Known Member

    Yes, this sounds like a CA issue indeed. I would contact the issuing company and ask for the proper CA for your cert. They might have changed so the web version may not be current.
     
  4. jez9999

    jez9999 Well-Known Member

    I don't think it does... if the HTTPS works OK for the regular website, surely it's a configuration problem with my web server that it doesn't send the correct certificate chain for cPanel/WHM/webmail services?
     
  5. Website Rob

    Website Rob Well-Known Member

    SSLCertificateChainFile /usr/share/ssl/certs/sub.class1.server.ca.crt

    That is incorrect. The line should be removed/changed from within your httpd.conf and the file, if created, removed/renamed.

    WHM and most Browsers are looking for a file called: *.cabundle


    You should get the correct bundle and first try to install it through WHM >> SSL - forget the exact path. Paste the code into the 3rd field on the SSL page. If that doesn't work you can try manually creating this file:

    /usr/share/ssl/certs/domain.com.cabundle

    Leave it blank and try installing again through WHM.


    Or, enter/paste the CA bundle code you got from your SSL Supplier, directly into the 'domain.com.cabundle' file then edit the httpd.conf file and add the line:

    SSLCertificateChainFile /usr/share/ssl/certs/domain.com.cabundle

    Restart Apache. If Apache will not restart then delete the ChainFile line from your httpd.conf file.


    Post back here, letting us know what you did and what happened.
     
    #5 Website Rob, Feb 15, 2008
    Last edited: Feb 15, 2008
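
The symptom in this thread, a server handing out the site certificate without its intermediate, can be reproduced and checked offline with openssl. The script below is an added example, not part of any post: it builds a constructed root, intermediate and server certificate (all names and files are assumptions), shows that the server certificate verifies only when the intermediate bundle is supplied, and checks that a bundle actually belongs to a given certificate.

```shell
#!/usr/bin/env bash
# Added example. Every name, subject and file below is constructed for the
# demonstration; none of it is StartCom's or cPanel's.

# Build a throwaway root CA -> intermediate CA -> server certificate in "$1".
make_chain() {
  local d="$1" cnf="$1/demo.cnf"
  printf '%s\n' '[req]' 'distinguished_name = dn' '[dn]' \
    '[v3_ca]' 'basicConstraints = critical,CA:TRUE' > "$cnf"
  openssl req -x509 -config "$cnf" -extensions v3_ca -newkey rsa:2048 -nodes \
    -days 2 -subj '/CN=Demo Root CA' -keyout "$d/root.key" -out "$d/root.crt" \
    2>/dev/null || return 1
  openssl req -new -config "$cnf" -newkey rsa:2048 -nodes -subj '/CN=Demo Intermediate CA' \
    -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null || return 1
  openssl req -new -config "$cnf" -newkey rsa:2048 -nodes -subj '/CN=www.example.test' \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null || return 1
  # The root signs the intermediate (marked as a CA); the intermediate signs the leaf.
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
    -CAcreateserial -days 2 -extfile "$cnf" -extensions v3_ca \
    -out "$d/int.crt" 2>/dev/null || return 1
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.crt" -CAkey "$d/int.key" \
    -CAcreateserial -days 2 -out "$d/leaf.crt" 2>/dev/null
}

# chain_ok ROOT LEAF [BUNDLE]: succeeds if LEAF verifies up to ROOT using only
# the intermediates in BUNDLE, which is what a client trusting just ROOT sees.
chain_ok() {
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
  fi
}

# bundle_matches BUNDLE LEAF: is the first certificate in BUNDLE the leaf's issuer?
bundle_matches() {
  [ "$(openssl x509 -noout -subject_hash -in "$1")" = \
    "$(openssl x509 -noout -issuer_hash -in "$2")" ]
}

demo_dir=$(mktemp -d)
make_chain "$demo_dir" || exit 1
chain_ok "$demo_dir/root.crt" "$demo_dir/leaf.crt" \
  && echo "leaf alone: verifies" || echo "leaf alone: chain incomplete"
chain_ok "$demo_dir/root.crt" "$demo_dir/leaf.crt" "$demo_dir/int.crt" \
  && echo "leaf + bundle: verifies" || echo "leaf + bundle: chain incomplete"
```

Against a live service, `openssl s_client -connect host:2087 -showcerts` (with `host` standing in for the server name) prints the certificates the server actually sends; a complete chain lists the intermediate after the site certificate.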
  6. jez9999

    jez9999 Well-Known Member


    I tried deleting the old www.mortonsolicitors.com cert and re-adding it, pasting the cabundle as you suggested; it installed OK, my httpd.conf was updated, and the regular website's https works once again (https://www.mortonsolicitors.com/), but again, when I try to visit a cPanel or WHM service (https://www.mortonsolicitors.com:2087/), it doesn't present the browser with a complete cert chain. :-(

    Where is the cPanel Apache config file? I get the feeling the cabundle isn't being added there and it's just presenting the site's cert, and not the complete chain, to the browser. Without editing that config file I can't see how I can fix this.
     
  7. cPanelDavidG

    cPanelDavidG Technical Product Specialist

    Installing an SSL cert for a website served by Apache is a different procedure than installing an SSL cert for a service like cpsrvd (the service that serves pages on port 2082, 2083, 2086, 2087, 2095 and 2096). To install a cert for these services, simply go to WHM -> Service Configuration -> Manage Service SSL Certificates.
     
  8. jez9999

    jez9999 Well-Known Member

    Ah - just did exactly the same procedure after clicking 'install cert' on that service, and it worked this time.

    I do think the WHM SSL interface could be improved one hundredfold, though. It's pretty disparate and confusing at the moment; there should be one place where all certs are managed, and how about having some popup help on each page (I don't know why cPanel doesn't do that for everything, actually).

    Also, out of interest, where has cPanel now stored that information for the cPanel service's HTTPS cert?
     
  9. gorilla

    gorilla Well-Known Member

    So now ALL your cPanel logins are redirecting to the www.mortonsolicitors.com SSL :D
    Is that what you really wanted? You only have this one client on that server? :p
     
  10. jez9999

    jez9999 Well-Known Member

    Oh, I'd love (as part of the improvements I listed above) for services to be able to have multiple certs too, but as far as I can tell, it's only 1 cert per service. :-( As they're the biggest client on the server, I'm putting their cert on the services. If it's possible to have more than 1 cert on a service, please tell how.
     