
Renewed SSL Cert Problem

Discussion in 'General Discussion' started by danej, Apr 3, 2005.

  1. danej

    danej Active Member

    Joined:
    Dec 5, 2003
    Messages:
    28
    Likes Received:
    0
    Trophy Points:
    1
    I renewed my secure cert and now I get a website certified by an unknown authority. It says that it's unable to verify the identity of secure.site.com as a trusted site.

    Possible reasons for error:
    - browser does not recognize the CA that issued it
    - the site's cert is incomplete due to server misconfig

    It worked fine until I renewed it. I have looked under the WHM SSL Manager and all of the info is exactly the same.

    Any ideas?

    Thanks!
     
  2. Trigger

    Trigger Well-Known Member

    Joined:
    May 17, 2003
    Messages:
    87
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Brisbane
    When you renewed the SSL certificate, did you paste in the new .crt file and paste the new .key file over the old one before you clicked on "Do It"?

    The .key file used must match the certificate issued by the new CSR, the server can sometimes retrieve the old .key file so you end up with a mismatch.

    Are you using a chained certificate?
    Did you reinstall the CA bundle file as well?
     
    #2 Trigger, Apr 3, 2005
    Last edited: Apr 3, 2005
  3. danej

    danej Active Member

    Joined:
    Dec 5, 2003
    Messages:
    28
    Likes Received:
    0
    Trophy Points:
    1
    When I go into SSL Manager, it shows 7 keys, but only one says secure.site.com.key. All the others say key.test or key.old.XXXXXXXX. Is there a way to delete keys/crts/csrs? There are 2 .csr files and 2 .com.crt files also.

    I am not using a chained cert and I think I did reinstall the CA bundle file as well.
     
  4. Trigger

    Trigger Well-Known Member

    Joined:
    May 17, 2003
    Messages:
    87
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Brisbane
    Ok, sounds like the install was corrupted and the system thinks that the certificate is a self-signed certificate. The key file is using the CRT that was generated when you made the new CSR.

    You can remove the existing certificate details by removing the SSL host records in WHM.

    When you renewed the certificate and generated the new CSR you should have also received a second email with the RSA Private Key (this is the .key info that you need). You should have received your new certificate from the company you renewed your certificate with, and if it is not chained then you should not need the CA bundle.

    Best bet would be to reinstall the certificate. This should overwrite the existing data and fix things.

    Make sure you have the new certificate and the RSA private key that matches it before you start.

    Install the certificate
    Paste in the Certificate in the top box
    Enter the domain name, username and IP address
    Paste in the RSA Private key in the second box
    If it is not chained leave the bottom box empty

    Make sure that the domain name and IP address have not changed and then click on "do it"
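    Trigger's point that the .key file must be the one generated with the CSR the certificate was issued for can be checked from the shell before reinstalling anything. The script below is an added example, not code from the thread or from cPanel: it constructs a self-signed certificate and key for secure.site.com plus an unrelated stray key (standing in for the key.old.* files mentioned earlier in the thread), then compares the public key embedded in the certificate with the public half of each private key. The file names, the temp directory and the subject name are the example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: find which private key matches a certificate.
# All file names and the temp directory are this example's own assumptions.

# key_matches_cert CERT KEY
# Returns 0 when the public key inside CERT equals the public half of KEY.
# Comparing SubjectPublicKeyInfo blocks (rather than RSA moduli) also works for non-RSA keys.
key_matches_cert() {
  cert="$1"; key="$2"
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 2
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 2
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# find_matching_key CERT DIR
# Scans DIR for key files (including key.old.* and key.test leftovers) and prints
# the first one whose public half matches CERT; returns 1 when none does.
find_matching_key() {
  cert="$1"; keydir="$2"
  for k in "$keydir"/*.key "$keydir"/key.old.* "$keydir"/key.test; do
    [ -f "$k" ] || continue
    if key_matches_cert "$cert" "$k"; then
      printf '%s\n' "$k"
      return 0
    fi
  done
  return 1
}

# Constructed fixtures: a self-signed certificate for secure.site.com with its key,
# plus an unrelated key standing in for a stale key.old.* file. Prints the directory.
make_fixtures() {
  dir=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=secure.site.com" \
    -keyout "$dir/secure.site.com.key" -out "$dir/secure.site.com.crt" 2>/dev/null
  openssl genrsa -out "$dir/key.old.12345" 2048 2>/dev/null
  printf '%s\n' "$dir"
}

main() {
  d=$(make_fixtures)
  if m=$(find_matching_key "$d/secure.site.com.crt" "$d"); then
    echo "certificate matches: $m"
  else
    echo "no key in $d matches the certificate; the CSR's key is not on this server"
  fi
}
# Run the demonstration with:  sh keycheck.sh demo
case "${1:-}" in demo) main ;; esac
```

    Pointing find_matching_key at the real certificate and the directory the SSL Manager keeps keys in tells you which of the listed files belongs to the new certificate; when none matches, the key the CSR was generated with is not on the server, and the certificate has to be reinstalled together with the RSA private key from the issuer's email.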
     
  5. danej

    danej Active Member

    Joined:
    Dec 5, 2003
    Messages:
    28
    Likes Received:
    0
    Trophy Points:
    1
    Thank you

    I appreciate the help and I tried what you suggested. I deleted the ssl host, and installed a new one with the cert they sent me and the key. I still get the same problem.

    Is it because they are not a trusted source? It was issued by: Comodo Class 3 Security Services CA. Should I just go get a Thawte cert?


    Also, in looking at the confirmation email they sent me, they also include 2 other .crt files:
    ComodoSecurityServicesCA.crt
    GTECyberTrustRoot.crt

    Is there somewhere I also need to install these at to make it work?

    When I go to install the cert, it puts those 2 crts in the CA bundle field.

    I manually deleted all the "test" keys and crts, so now there is only one key/crt
     
    #5 danej, Apr 17, 2005
    Last edited: Apr 17, 2005
  6. Trigger

    Trigger Well-Known Member

    Joined:
    May 17, 2003
    Messages:
    87
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Brisbane
  7. danej

    danej Active Member

    Joined:
    Dec 5, 2003
    Messages:
    28
    Likes Received:
    0
    Trophy Points:
    1
    Thank you

    I am really grateful for everyone's help, but alas, I must be too dumb to figure it out.

    Looking at Comodo's site, it also shows that in the httpd.conf file there is an SSLCACertificateFile line that is not in my httpd file. When I manually add it as follows

    SSLCertificateFile /usr/share/ssl/certs/secure.site.com.crt
    SSLCertificateKeyFile /usr/share/ssl/private/secure.site.com.key
    SSLCACertificateFile /usr/share/ssl/certs/secure.site.com.cabundle

    it doesn't even work. When I comment out the SSLCACertificateFile line it works, but gives the same error.


    Here is my var log after restarting apache and trying to visit the site:

    [20/Apr/2005 12:44:26 22009] [info] Init: Loading certificate & private key of SSL-aware server secure.site.com:443
    [20/Apr/2005 12:44:26 22010] [info] Init: Configuring server secure.site.com:443 for SSL protocol
    [20/Apr/2005 12:44:53 22019] [info] Connection to child 3 established (server secure.site.com:443, client xxx.xxx.236.234)
    [20/Apr/2005 12:44:53 22019] [info] Seeding PRNG with 1160 bytes of entropy
    [20/Apr/2005 12:45:00 22020] [info] Connection to child 4 established (server secure.site.com:443, client xxx.xxx.236.234)
    [20/Apr/2005 12:45:00 22020] [info] Seeding PRNG with 1160 bytes of entropy
    [20/Apr/2005 12:45:00 22020] [info] Connection: Client IP: xxx.xxx.236.234, Protocol: SSLv3, Cipher: DHE-RSA-AES256-SHA (256/256 bits)
    [20/Apr/2005 12:45:00 22020] [info] Initial (No.1) HTTPS request received for child 4 (server secure.site.com:443)
    [20/Apr/2005 12:45:01 22020] [info] Subsequent (No.2) HTTPS request received for child 4 (server secure.site.com:443)
    [20/Apr/2005 12:45:08 22019] [error] SSL handshake failed (server secure.site.com:443, client xxx.xxx.236.234) (OpenSSL library error follows)
    [20/Apr/2005 12:45:08 22019] [error] OpenSSL: error:14094418:lib(20):func(148):reason(1048)
    [20/Apr/2005 12:45:17 22020] [info] Connection to child 4 closed with standard shutdown (server secure.site.com:443, client xxx.xxx.236.234)
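    The OpenSSL line in that log, error 14094418 with reason(1048), is the "tlsv1 alert unknown ca" error: the client tore down the handshake because it could not build a chain from secure.site.com's certificate to a root it trusts, which is exactly what happens when the intermediate certificate (ComodoSecurityServicesCA.crt, which chains under GTECyberTrustRoot.crt) is not served alongside the site certificate. The script below is an added example, not code from the thread or from cPanel or Comodo: it constructs a throwaway root, intermediate and leaf with openssl, shows that the leaf fails verification against the root alone and passes once the intermediate is supplied as an untrusted bundle, the role the CA bundle box in WHM and the SSLCACertificateFile directive play. All subject names, file names and the temp directory are the example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: build a throwaway root -> intermediate -> leaf
# chain and show how verification behaves with and without the intermediate.
# All file names, subjects and the temp directory are this example's own assumptions.

# Creates a constructed three-level chain in a temp dir and prints the dir name.
build_chain() {
  dir=$(mktemp -d)
  # Extensions that mark a certificate as a CA (used for the root and the intermediate).
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
  # Extensions for the end-entity certificate.
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:secure.site.com\n' > "$dir/leaf.ext"

  # Root CA: self-signed trust anchor (plays the role of GTECyberTrustRoot.crt).
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Root CA" \
    -keyout "$dir/root.key" -out "$dir/root.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$dir/root.csr" -signkey "$dir/root.key" \
    -extfile "$dir/ca.ext" -out "$dir/root.crt" 2>/dev/null

  # Intermediate CA: signed by the root (plays the role of ComodoSecurityServicesCA.crt).
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate CA" \
    -keyout "$dir/int.key" -out "$dir/int.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$dir/int.csr" -CA "$dir/root.crt" -CAkey "$dir/root.key" \
    -CAcreateserial -extfile "$dir/ca.ext" -out "$dir/int.crt" 2>/dev/null

  # Leaf for secure.site.com: signed by the intermediate, not by the root.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=secure.site.com" \
    -keyout "$dir/secure.site.com.key" -out "$dir/secure.site.com.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$dir/secure.site.com.csr" -CA "$dir/int.crt" -CAkey "$dir/int.key" \
    -CAcreateserial -extfile "$dir/leaf.ext" -out "$dir/secure.site.com.crt" 2>/dev/null
  printf '%s\n' "$dir"
}

# verify_leaf CAFILE BUNDLE LEAF
# Returns 0 when LEAF chains up to a root in CAFILE. BUNDLE holds extra, untrusted
# intermediates (what the CA bundle / SSLCACertificateFile supplies); pass "" for none.
verify_leaf() {
  cafile="$1"; bundle="$2"; leaf="$3"
  if [ -n "$bundle" ]; then
    out=$(openssl verify -CAfile "$cafile" -untrusted "$bundle" "$leaf" 2>&1) || true
  else
    out=$(openssl verify -CAfile "$cafile" "$leaf" 2>&1) || true
  fi
  # Some openssl builds exit 0 from "verify" even on failure, so check the printed verdict.
  printf '%s\n' "$out" | grep -q ': OK$'
}

main() {
  d=$(build_chain)
  for c in root int secure.site.com; do
    openssl x509 -noout -subject -issuer -in "$d/$c.crt"
  done
  # A client that trusts only the root and is not sent the intermediate cannot
  # complete the chain: this is the "unknown CA" alert seen in the Apache log.
  if verify_leaf "$d/root.crt" "" "$d/secure.site.com.crt"; then
    echo "leaf verified against the root alone (unexpected)"
  else
    echo "leaf FAILS against the root alone: the client's 'unknown CA' case"
  fi
  # The CA bundle is the intermediate certificate(s) the server hands out with the leaf.
  cat "$d/int.crt" > "$d/secure.site.com.cabundle"
  if verify_leaf "$d/root.crt" "$d/secure.site.com.cabundle" "$d/secure.site.com.crt"; then
    echo "leaf verifies once the CA bundle supplies the intermediate"
  fi
}
# Run the demonstration with:  sh chaincheck.sh demo
case "${1:-}" in demo) main ;; esac
```

    The same verify_leaf call, with the real root certificate as CAFILE and the real secure.site.com.cabundle as BUNDLE, is a quick offline check that the bundle cPanel writes actually completes the chain before Apache is restarted with SSLCACertificateFile pointing at it.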
     
  8. danej

    danej Active Member

    Joined:
    Dec 5, 2003
    Messages:
    28
    Likes Received:
    0
    Trophy Points:
    1