The Community Forums

Interact with an entire community of cPanel & WHM users!

Security Certificate Warning in Android

Discussion in 'Security' started by PCZero, Oct 3, 2015.

  1. PCZero

    PCZero Well-Known Member

    Joined:
    Dec 13, 2003
    Messages:
    526
    Likes Received:
    34
    Trophy Points:
    28
    Location:
    Earth
    I have a GeoTrust certificate on my server's main hostname. When I surf to https://hostname:2087 in my desktop browser I proceed with no issue. However, when I surf to that address with my Android device I get "The site's security certificate is not trusted" warning.

    Is this the expected behavior? Why would an Android device think that a GeoTrust certificate should not be trusted?

    (Full Disclosure: I am near the end of a 14 hour coding session so I may be in stupid mode right now.)
     
  2. Jcats

    Jcats Well-Known Member

    Joined:
    May 25, 2011
    Messages:
    275
    Likes Received:
    31
    Trophy Points:
    28
    Location:
    New Jersey
    cPanel Access Level:
    DataCenter Provider
  3. PCZero

    PCZero Well-Known Member

    EDITED - OK I found the instructions but they are for how to set up SSL when you initially do the installation. Somehow I missed this whole concept of an intermediate CA a year ago when I initially set this all up. Now I need to go back and re-do things but use the Intermediate CA. I am a bit leery of what to do at this point. Do I simply go into WHM and delete the current SSL info and reinstall? Truth be told I am not exactly sure what the exact steps would be to do this. Do I need to go into "SSL Storage Manager" and delete anything? Do I just (or at all) have to go into "Manage SSL Hosts" and delete the certificate there? Would I need to go into "Service Configuration" and do anything under "Manage Service SSL Certificates"? Any help you can provide would be greatly appreciated.

    Thanks!
     
    #3 PCZero, Oct 3, 2015
    Last edited by a moderator: Oct 3, 2015
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,854
    Likes Received:
    676
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello :)

    You can simply reinstall the certificate via "WHM >> Manage Service SSL Certificates", including the CABundle this time. You should not have to delete the certificate before doing this.

    Thank you.
     
  5. PCZero

    PCZero Well-Known Member

    I am about to run the reinstall, however when I go into the install SSL section of WHM and pull up the existing certificate under Apache all goes well UNTIL I paste in the CA Bundle from the site mentioned above. When I do that I get this error "The CA bundle does not match the certificate." Is that to be expected?
     
  6. PCZero

    PCZero Well-Known Member

    OK I was trying to use the RSA SHA-1 SSL Certificates CA bundle and got that error. When I use the RSA SHA-2 (Under SHA-1 Root) SSL Certificates CA Bundle I get no error when it is pasted. I went ahead and reinstalled with that CA Bundle and the certificate warning situation still exists.
     
  7. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Could you send me the URL in a private message so I can verify the specific warning message that appears?

    Thank you.
     
  8. PCZero

    PCZero Well-Known Member

    Um yeah but I'm not sure how to do that. Is that what the 'start a conversation' feature is?
     
  9. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

  10. PCZero

    PCZero Well-Known Member

    Thank you for that link. I may have missed something but it looks like that eventually only loops back to the info that Jcats provided in his initial reply. I understand (kind of anyway) the cause, I have no idea at all how to resolve the issue based on what I was able to read. The page you sent me to was a bit confusing (my dyslexia is pretty bad right now) so I was not able to see if it offered an actual fix. Did that page say that I need to install a second certificate of some sort and arrange them in a specific order? I THINK I read a reply to that effect but it was not clear and the instructions on how to accomplish that were not present. Can you offer additional advice please?

    BTW did you get the private message I sent with the requested info?
     
  11. PCZero

    PCZero Well-Known Member

    I am using the correct CA off of the RapidSSL site. The checker listed in the initial response and the one at the Geo site show no errors in the certificate.
     
    #11 PCZero, Oct 10, 2015
    Last edited: Oct 10, 2015
  12. PCZero

    PCZero Well-Known Member

    I just ran the SSL checker on the server in question and got the following warning. Is this a current issue that I need to address?


    Warnings
    BEAST
    The BEAST attack is not mitigated on this server.
    RC4
    This server uses the RC4 cipher algorithm which is not secure. Disable the RC4 cipher suite and update the server software to support the Advanced Encryption Standard (AES) cipher algorithm. Contact your web server vendor for assistance.
     
  13. PCZero

    PCZero Well-Known Member

    OK I just noticed something.

    Using the SSL Checker - SSL Certificate Verify page for testing returns the following...

    https://blah.mydomain.com -> no errors or warnings...
    https://blah.mydomain.com:2087 -> the warning message

    "
    is displayed.

    Do I need to do something to specifically add the certificate to the WHM, cPanel, and WebMail ports?
     
    #13 PCZero, Oct 10, 2015
    Last edited by a moderator: Oct 10, 2015
  14. PCZero

    PCZero Well-Known Member

    Thank you to everyone here who chimed in. I have this resolved. After thinking over the issue a bit and typing in my last question, I went into WHM -> Service Configuration -> Manage Service SSL Certificates and reinstalled the certificate with the new CA bundle. All works fine now.
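
The fix above works because the CA bundle carries the intermediate certificate that links the server certificate to a root the client already trusts. The following is an added example, not part of the thread, that reproduces the failure and the fix offline with a throwaway three-level chain; every name and key in it is constructed for the demo, and it assumes `openssl` is on the PATH.

```shell
#!/bin/sh
# Added example: why a server certificate needs its intermediate ("CA bundle").
# All subjects and keys below are throwaway values constructed for this demo.

# chain_demo -> prints two lines: the verification result when only the leaf
# is presented, and when the intermediate is presented alongside it.
chain_demo() {
    d=$(mktemp -d) || return 1
    (
        cd "$d" || exit 1
        printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
        # Root CA: stands in for the root already in the client's trust store
        openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj '/CN=Demo Root' \
            -keyout root.key -out root.pem 2>/dev/null
        # Intermediate CA, signed by the root
        openssl req -newkey rsa:2048 -nodes -subj '/CN=Demo Intermediate' \
            -keyout int.key -out int.csr 2>/dev/null
        openssl x509 -req -in int.csr -CA root.pem -CAkey root.key \
            -CAcreateserial -days 2 -extfile ca.ext -out int.pem 2>/dev/null
        # Leaf (server) certificate, signed by the intermediate
        openssl req -newkey rsa:2048 -nodes -subj '/CN=host.example' \
            -keyout leaf.key -out leaf.csr 2>/dev/null
        openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key \
            -CAcreateserial -days 2 -out leaf.pem 2>/dev/null

        # Only the leaf is presented: no path to the trusted root can be built
        if openssl verify -CAfile root.pem leaf.pem >/dev/null 2>&1
        then echo "leaf only: OK"; else echo "leaf only: FAIL"; fi
        # Leaf plus intermediate, which is what the CA bundle supplies
        if openssl verify -CAfile root.pem -untrusted int.pem leaf.pem >/dev/null 2>&1
        then echo "leaf + bundle: OK"; else echo "leaf + bundle: FAIL"; fi
    )
    rm -rf "$d"
}

chain_demo
```

Against a live server, `openssl s_client -connect hostname:2087 -showcerts` lists the certificates a given service port actually sends, which is how a port that was installed without the bundle can be told apart from one that has it.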
     
  15. PCZero

    PCZero Well-Known Member

    I came back to post a tad bit more info. While I have resolved the initial warning issue, I do still have some concern over the BEAST problem. I have little knowledge at all of this situation and I have no idea at all if it is still relevant and/or something that a server owner should be concerned with to any degree. Any input on this topic would be greatly appreciated.
     
  16. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,478
    Likes Received:
    203
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    There's multiple threads found on the forums searching for the term: Beast TLS Vulnerability

    HTH!
     
  17. PCZero

    PCZero Well-Known Member

    My search only found two and neither gave a definitive answer as to what the level of concern should be and how to resolve the issue if need be. Perhaps my search parameters were too strict. I'll try again.
     
  18. PCZero

    PCZero Well-Known Member

    OK I found a few more instances of this discussion but the one that seems to have a fix is several years old. It states the following...


    "I believe the following should work properly but have not had specific confirmation back from clients who had it flagged on their PCI scans:

    In WHM >> Apache Configuration >> Global Configuration:
    Change "SSL Cipher Suite" to the custom field and enter:
    "ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH"

    In WHM >> Apache Configuration >> Include Editor:
    Add "SSLHonorCipherOrder On" to Pre VirtualHost Include - All Versions

    Tony Kammerer - Senior Admin, United Communications Ltd.

    Beast TLS Vulnerability


    When I looked at the settings for the server in question, the first parameter is currently set to:
    "ALL:!ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP"

    The second is empty.

    Are the suggested settings still valid and suggested as the fix for this issue?
     
    #18 PCZero, Oct 10, 2015
    Last edited by a moderator: Oct 10, 2015
  19. PCZero

    PCZero Well-Known Member

    Last post for now... I went ahead and made the changes suggested in the above referenced post. That got rid of the BEAST warning but the RC4 warning remains. Questions are as follows...

    1) To get rid of the RC4 warning do I simply need to change the first setting to this (removed RC4)...
    "ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:HIGH:!MD5:!aNULL:!EDH"

    2) Is there anything I should be aware of with making these changes, IOW are there consequences of making these changes other than eliminating the warnings that I am getting when running the tests?

    Thanks...
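
A cipher string can be checked on the server itself before it goes into the "SSL Cipher Suite" field. The following is an added example, not part of the thread, that expands each of the three strings quoted above with the local `openssl` and reports any RC4 suites; the function names are this example's own, and the counts depend on the OpenSSL build (builds compiled without RC4 report none for any string).

```shell
#!/bin/sh
# Added example (not from the thread): expand a cipher string with the local
# OpenSSL build and report RC4 suites before the string is put into Apache.

# rc4_suites STRING -> prints the RC4 suite names the string expands to, one
# per line (nothing if there are none). Returns 2 if openssl rejects the
# string or it expands to an empty list.
rc4_suites() {
    list=$(openssl ciphers "$1" 2>/dev/null) || return 2
    [ -n "$list" ] || return 2
    printf '%s\n' "$list" | tr ':' '\n' | grep 'RC4' || true
}

# audit STRING -> one summary line for the cipher string
audit() {
    if found=$(rc4_suites "$1"); then
        n=$(printf '%s' "$found" | grep -c . || true)
        echo "$n RC4 suite(s): $1"
    else
        echo "rejected by openssl: $1"
    fi
}

# The three strings quoted in the thread: the original setting, the
# suggested replacement, and the replacement with RC4 removed.
audit 'ALL:!ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP'
audit 'ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH'
audit 'ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:HIGH:!MD5:!aNULL:!EDH'
```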
     