Getting very frustrated with chained SSL

jez9999

Well-Known Member
Jun 10, 2005
Hello,

I've obtained a free SSL certificate from Startcom for one of my domains. I know that Startcom aren't trusted in IE and Opera, but I'm using Firefox to test it and they are trusted in there.

Now, I had to muck around with httpd.conf to get my regular domain to work with HTTPS despite trying to set it up in WHM; I basically added these lines:
Code:
    SSLEngine on
    SSLCertificateFile /usr/share/ssl/certs/www.mortonsolicitors.com.crt
    SSLCertificateKeyFile /usr/share/ssl/private/www.mortonsolicitors.com.key
    SSLCertificateChainFile /usr/share/ssl/certs/sub.class1.server.ca.crt
    SSLCACertificateFile /usr/share/ssl/certs/ca.crt
Now Firefox accepts an HTTPS connection to my domain (https://mortonsolicitors.com) just fine. The problem is that when I try to install this certificate for WHM/cPanel services in the service SSL manager, it doesn't work. It doesn't appear to be giving the correct certificate chain to Firefox and so Firefox can't verify the cert (i.e. for https://mortonsolicitors.com:2083/).

I've tried to figure out why this is for hours now and I can't. Could somebody please help me? Do I need to somehow install a CA bundle? I'm not even sure what the appropriate CA bundle is for Startcom; I tried downloading the one from http://cert.startcom.org/ca-bundle.crt and putting it in /usr/local/cpanel/etc/mycpanel.pem then restarting cpanel but it changes nothing. Please help. :-(
 

jayh38

Well-Known Member
Mar 3, 2006
Yes, this sounds like a CA issue indeed. I would contact the issuing company and ask for the proper CA for your cert. They might have changed, so the web version may not be current.
 

jez9999

Well-Known Member
Jun 10, 2005
I don't think it does... if the HTTPS works OK for the regular website, surely it's a configuration problem with my web server that it doesn't send the correct certificate chain for cPanel/WHM/webmail services?
 

Website Rob

Well-Known Member
Mar 23, 2002
Alberta, Canada
cPanel Access Level: Root Administrator
SSLCertificateChainFile /usr/share/ssl/certs/sub.class1.server.ca.crt

That is incorrect. The line should be removed/changed from within your httpd.conf and the file, if created, removed/renamed.

WHM and most Browsers are looking for a file called: *.cabundle


You should get the correct bundle and first try to install it through WHM >> SSL - forget the exact path. Paste the code into the 3rd field on the SSL page. If that doesn't work you can try manually creating this file:

/usr/share/ssl/certs/domain.com.cabundle

Leave it blank and try installing again through WHM.


Or, enter/paste the CA bundle code you got from your SSL supplier directly into the 'domain.com.cabundle' file, then edit the httpd.conf file and add the line:

SSLCertificateChainFile /usr/share/ssl/certs/domain.com.cabundle

Restart Apache. If Apache will not restart, then delete the ChainFile line from your httpd.conf file.


Post back here, letting us know what you did and what happened.
 

jez9999

Well-Known Member
Jun 10, 2005
Website Rob said:
> SSLCertificateChainFile /usr/share/ssl/certs/sub.class1.server.ca.crt
>
> That is incorrect. The line should be removed/changed from within your httpd.conf and the file, if created, removed/renamed.
>
> WHM and most Browsers are looking for a file called: *.cabundle
>
> You should get the correct bundle and first try to install it through WHM >> SSL - forget the exact path. Paste the code into the 3rd field on the SSL page. If that doesn't work you can try manually creating this file:
>
> /usr/share/ssl/certs/domain.com.cabundle
>
> Leave it blank and try installing again through WHM.
>
> Or, enter/paste the CA bundle code you got from your SSL supplier directly into the 'domain.com.cabundle' file, then edit the httpd.conf file and add the line:
>
> SSLCertificateChainFile /usr/share/ssl/certs/domain.com.cabundle
>
> Restart Apache. If Apache will not restart, then delete the ChainFile line from your httpd.conf file.
>
> Post back here, letting us know what you did and what happened.

I tried deleting the old www.mortonsolicitors.com cert and re-adding it, pasting the cabundle as you suggested; it installed OK, my httpd.conf was updated, and the regular website's https works once again (https://www.mortonsolicitors.com/), but again, when I try to visit a cPanel or WHM service (https://www.mortonsolicitors.com:2087/), it doesn't present the browser with a complete cert chain. :-(

Where is the cPanel Apache config file? I get the feeling the cabundle isn't being added there and it's just presenting the site's cert, and not the complete chain, to the browser. Without editing that config file I can't see how I can fix this.
 

cPanelDavidG

Technical Product Specialist
Nov 29, 2006
Houston, TX
cPanel Access Level: Root Administrator
jez9999 said:
> I tried deleting the old www.mortonsolicitors.com cert and re-adding it, pasting the cabundle as you suggested; it installed OK, my httpd.conf was updated, and the regular website's https works once again (https://www.mortonsolicitors.com/), but again, when I try to visit a cPanel or WHM service (https://www.mortonsolicitors.com:2087/), it doesn't present the browser with a complete cert chain. :-(
>
> Where is the cPanel Apache config file? I get the feeling the cabundle isn't being added there and it's just presenting the site's cert, and not the complete chain, to the browser. Without editing that config file I can't see how I can fix this.

Installing an SSL cert for a website served by Apache is a different procedure from installing an SSL cert for a service like cpsrvd (the service that serves pages on ports 2082, 2083, 2086, 2087, 2095 and 2096). To install a cert for these services, simply go to WHM -> Service Configuration -> Manage Service SSL Certificates.
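The thread turns on one question: which certificates does each listener actually send, Apache on 443 versus cpsrvd on 2083/2087? The script below is an added example written for this thread, not code from cPanel or from any poster. It parses `openssl s_client` output to count the certificates a server presents and to pull out the verify return code, checks a leaf/bundle/root trio of the kind the first post's `SSLCertificateFile`, `SSLCertificateChainFile` and `SSLCACertificateFile` lines point at, and runs against two constructed samples of s_client output (one complete chain, one leaf-only, the symptom described above). The host name, ports and sample output are assumptions for illustration.

```shell
#!/bin/sh
# Added example for this thread, not code from cPanel or from any poster.
# Inspects the certificate chain a TLS endpoint actually presents, so the
# Apache vhost on 443 and the cpsrvd ports (2083, 2087, 2096) can be compared.
# Host names, ports and the sample s_client output below are assumed/constructed.

# Pull the "Certificate chain" section out of `openssl s_client` output (stdin).
chain_summary() {
    awk '/^Certificate chain/ {p=1; next} /^---/ {p=0} p'
}

# Number of certificates the server sent (the " N s:" lines in that section).
chain_depth() {
    awk '/^Certificate chain/ {p=1; next} /^---/ {p=0} p && /^ *[0-9]+ s:/ {n++} END {print n+0}'
}

# Numeric "Verify return code" from s_client output: 0 means the local trust
# store could build a path; 21 ("unable to verify the first certificate") is
# what you get when only the leaf is sent and the intermediate is not local.
verify_code() {
    sed -n 's/.*Verify return code: \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Connect to host:port (SNI set so name-based vhosts answer with the right
# cert) and report what was sent. Returns 1 when only a single cert came back.
check_endpoint() {
    host=$1; port=${2:-443}
    out=$(openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null) \
        || { echo "$host:$port: connection failed"; return 2; }
    printf '%s\n' "$out" | chain_summary
    n=$(printf '%s\n' "$out" | chain_depth)
    code=$(printf '%s\n' "$out" | verify_code)
    echo "$host:$port sent $n certificate(s), verify return code ${code:-?}"
    # A leaf issued straight from a root also has depth 1, so treat this as a
    # warning to investigate, not proof of misconfiguration.
    [ "$n" -ge 2 ]
}

# Offline check of the files Apache is pointed at: leaf (SSLCertificateFile),
# intermediate bundle (SSLCertificateChainFile), root (SSLCACertificateFile).
# Succeeds only if the bundle really bridges leaf and root.
verify_local() {
    openssl verify -CAfile "$3" -untrusted "$2" "$1"
}

# Constructed sample output in the shape `openssl s_client` prints (older
# "/C=..." subject style). First: leaf plus an intermediate, as Apache on 443
# should answer once the bundle is installed.
SAMPLE_COMPLETE='CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=www.mortonsolicitors.com
   i:/C=IL/O=StartCom Ltd./CN=StartCom Class 1 Primary Intermediate Server CA
 1 s:/C=IL/O=StartCom Ltd./CN=StartCom Class 1 Primary Intermediate Server CA
   i:/C=IL/O=StartCom Ltd./CN=StartCom Certification Authority
---
Server certificate
    Verify return code: 0 (ok)
---'

# Second: the symptom from the thread, the service sends only the leaf.
SAMPLE_LEAF_ONLY='CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=www.mortonsolicitors.com
   i:/C=IL/O=StartCom Ltd./CN=StartCom Class 1 Primary Intermediate Server CA
---
Server certificate
    Verify return code: 21 (unable to verify the first certificate)
---'

# Usage: sh chaincheck.sh host [port]; with no host, run the offline samples.
if [ -n "${1:-}" ]; then
    check_endpoint "$1" "${2:-443}"
else
    for s in "$SAMPLE_COMPLETE" "$SAMPLE_LEAF_ONLY"; do
        printf 'depth=%s verify=%s\n' \
            "$(printf '%s\n' "$s" | chain_depth)" \
            "$(printf '%s\n' "$s" | verify_code)"
    done
fi
```

Run it once against port 443 and once against 2083 or 2087 on the same host; if the first reports two certificates and the second only one, the service certificate was installed without its bundle, which is exactly the split between the Apache vhost and the WHM service SSL manager described in this post. `verify_local` is the same check done on disk before touching any listener.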
 

jez9999

Well-Known Member
Jun 10, 2005
cPanelDavidG said:
> Installing an SSL cert for a website served by Apache is a different procedure from installing an SSL cert for a service like cpsrvd (the service that serves pages on ports 2082, 2083, 2086, 2087, 2095 and 2096). To install a cert for these services, simply go to WHM -> Service Configuration -> Manage Service SSL Certificates.

Ah - just did exactly the same procedure after clicking 'install cert' on that service, and it worked this time.

I do think the WHM SSL interface could be improved one hundredfold, though. It's pretty disparate and confusing at the moment; there should be one place where all certs are managed, and how about having some popup help on each page (I don't know why cPanel doesn't do that for everything, actually).

Also, out of interest, where has cPanel now stored that information for the cPanel service's HTTPS cert?
 

jez9999

Well-Known Member
Jun 10, 2005
Oh, I'd love (as part of the improvements I listed above) for services to be able to have multiple certs too, but as far as I can tell, it's only 1 cert per service. :-( As they're the biggest client on the server, I'm putting their cert on the services. If it's possible to have more than 1 cert on a service, please tell how.