The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

How do I delete all traces of an expired ssl cert.

Discussion in 'Security' started by BillMc, Sep 7, 2012.

  1. BillMc

    BillMc Registered

    Joined:
    Oct 28, 2011
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    I had a openssl cert on my (apache) vps that expired. I went to WHM and deleted the keys/cert/ and then rebooted the server.

    When I open whm in chrome (on a mac) I get the red x on the lock and a line through https://serveraddress. The error is "server certificate not trusted". I can't figure out why whm is still trying to open on https (instead of http) since the cert has been deleted or why it is reporting a cert problem when I thought it was gone. Obviously there is a trace somewhere that I don't know about.

    I went to /etc/ssl/certs and there is nothing there on the server.

    I'm sure this is an easy one but my knowledge is pretty limited on where to look for the solution. Any help would be greatly appreciated.

    Bill
     
  2. John Edel

    John Edel Registered

    Joined:
    Sep 7, 2012
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Portland, Oregon, United States
    cPanel Access Level:
    Root Administrator
    Hi.

    Was just working with a client yesterday on this very situation, only it was a migration.
    A couple of things come to mind first. Depending on how the cert was used it may still being called from "Manage Service SSL Certificates" if you were running your cPanel services through that cert, it would explain the Chrome error (and I've noticed that Chrome can be temperamental in this area). Before you dig much deeper, try calling the site from Chrome without the http:// and simply trying www.yourdomain.com - odds are the site will load fine.

    Check to make sure that there aren't any lingering redirects or forced-SSL in your .htaccess if applicable to your situation. If all that checks out, reply and we can move forward.

    There is also a /var/cpanel/ssl/ for the service SSLs if it was used for that.

    You went all the way into [/etc/ssl/private], you said? Look for any unneeded .key or .old.123456 - if there are no other CA-signed certificates on your VPS, the only thing you should see are symlinks to /var/cpanel/ssl/ftp which you can leave in place.

    Good luck!
     
  3. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Joined:
    Oct 2, 2010
    Messages:
    7,623
    Likes Received:
    21
    Trophy Points:
    38
    Location:
    somewhere over the rainbow
    cPanel Access Level:
    Root Administrator
    I'm confused and need clarification. You removed the SSL on the https for WHM and cPanel services even the self-signed one? Why would that have been done?

    You likely have WHM > Tweak Settings > Redirection set to redirect to SSL. You aren't talking about Apache here when you mention this:

    WHM is a service called whostmgrd and runs on ports 2086 (non-secure) and 2087 (secure) and not tied to Apache other than when using proxy subdomains (whm.servername.domain.com). If you remove the SSL for Apache, you don't remove the SSL for WHM. If you remove the SSL in WHM > Manage Service SSL Certificates and have WHM > Tweak Settings set to redirect to secure, you'lll have it try to redirect.

    I really don't understand why, though, the SSL would be removed for the services. If you want to change it, sure, you could change in in WHM > Manage Service SSL Certificates, but unless you want people to be able to possibly exploit the machine by getting plain text passwords to a highly confidential area, I do not suggest removing the WHM/Cpanel/Webmail SSL. You can use a self-signed one, but removing it entirely would be very risky.

    Of note, the service SSLs are in /var/cpanel/ssl not in /etc/ssl location. It is the Apache SSLs in /etc/ssl instead. Removing an Apache SSL doesn't remove the /var/cpanel/ssl certificates for the non-Apache services.
     
  4. Smaily

    Smaily Well-Known Member

    Joined:
    Sep 19, 2011
    Messages:
    46
    Likes Received:
    0
    Trophy Points:
    6
    cPanel Access Level:
    Root Administrator
    login putty and type locate .crt
    then you will know where that smarty has hidden : ))
     
  5. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Joined:
    Oct 2, 2010
    Messages:
    7,623
    Likes Received:
    21
    Trophy Points:
    38
    Location:
    somewhere over the rainbow
    cPanel Access Level:
    Root Administrator
    Let's wait for the user to respond on this one, because the WHM certificate should not be removed and my post details why. If this is indeed the WHM certificate being mentioned, those don't appear as .crt files (they are .pem files in /var/cpanel/ssl/cpanel folder) and shouldn't be removed anyway!

    Also, putty is only used on Windows systems. Many users have Mac and/or another OS. Rather than stating to log into putty, it is more applicable to say SSH.
     
Loading...

Share This Page