
SSL Certificate Chain Order Intermediate Certs

Discussion in 'Security' started by lorio, Aug 25, 2014.

  1. lorio

    lorio Well-Known Member

    Joined:
    Feb 25, 2004
    Messages:
    243
    Likes Received:
    3
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    I found this hint at an SSL CA website:

    WHM requires the order of the CA certificates to be in the opposite order
    (Primary at the top and Secondary at the bottom). By default the Secondary is
    on the top; to change the order of the CA bundle, simply copy the certificate
    sitting at the top and paste it beneath the remaining CA certificate.

    Is that still the case with WHM 11.44?
    I mean the services and Apache SSL parts.
    Where are the "Certificate Authority Bundle (optional):" parts saved for the WHM services?

    BTW: Is there any online service which checks SSL certs on other ports and services?
    Or is openssl on the command line still the only way to go?

    There are not many tools which check the chain order of certs.
    One that showed problems in the chain was: SSL Certificate Checker - Installation Diagnostic Tool | DigiCert.com
    But there is no way to check other services and ports.

    Thanks for reading.
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,678
    Likes Received:
    649
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello :)

    You can find SSL data for services in the following directory:

    Code:
    /var/cpanel/ssl
    There is a separate field for the certificate authority bundle when installing an SSL certificate. You can paste it the same way that your provider issues it. Could you clarify if you are having trouble installing the certificate with its CA bundle? Or is this just a general question?

    Thank you.
     
  3. lorio

    lorio Well-Known Member

    So the answer to my question would be NO. I asked if WHM still requires changing the order of the CA certificates.
    If you have more than one intermediate certificate, the order of the CA certificates is important for the chain of trust.
    RapidSSL is warning customers to change the order when using the CA bundle with WHM.

    Since most of the FAQs are old and WHM got an overhaul in the SSL department, I wonder if this behaviour was changed so that you can just paste the "normal" CA bundle without changing parts.
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    You should not have to change the order of the CA bundle when pasting it into its field during the SSL certificate installation. Could you reference a link where RapidSSL advises doing this?

    Thank you.
     
  5. lorio

    lorio Well-Known Member

  6. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Based on their guide there, the assumption is the SSL installation would fail if you did not use the alternate order. Thus, the fact that it installs correctly would confirm that reversing the order is not required.

    Thank you.
     
  7. lorio

    lorio Well-Known Member

    It won't fail while installing via WHM. You can install the cert without any CA bundle. You can install the cert with a wrong order.
    You can install only one part of the bundle.

    I only investigated the order issue since I had an installation with no CA bundle installed via the WHM SSL form (at least it wasn't displayed in the section). Thunderbird was showing a warning that the identity of the cert couldn't be verified. The wildcard cert was fine. The domain name matched.
    It turned out that the chain of intermediate certs was in the wrong order for exim/dovecot. Since it depends on what the client CA repository is offering, this kind of problem can stay undetected for a long time. Not sure why the chain order was wrong. Could be a mistake made by me when installing the cert in the first place. Or CentOS 6.

    Some insight about what happens when no CA or a certain order is installed in the optional field would be interesting.
     
    #7 lorio, Aug 26, 2014
    Last edited: Aug 26, 2014
  8. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    I've not seen any other reports of problems based on the order used when inserting the CAbundle during the SSL certificate installation. Could you open a support ticket so we can attempt to reproduce this issue? You can post the ticket number here so we can update this thread with the outcome.

    Thank you.
     
  9. lorio

    lorio Well-Known Member

    I was able to reproduce the problem.
    CentOS 6.5, WHM 11.44.1 (build 18)

    Tool to check the order of the chain of trust:
    https://www.digicert.com/help/
    E.g., with hostname.domain.tld:993 you can check the cert of Dovecot.

    I found a wrong order in the CA bundle.

    I tried to reinstall the cert with the correct CA bundle via "Manage Service SSL Certificates".
    No change. Still the wrong order.

    Then I fixed the order by hand via /var/cpanel/ssl/dovecot/mydovecot.crt .
    After restarting dovecot the chain was correct.

    In the "Manage Service SSL Certificates" section I then tried to apply the dovecot cert to all other services.
    In the other services the CA bundle order stayed in the wrong order.

    When deleting the CA part, the CA part was erased from the cert file under /var/cpanel/ssl/servicename.
    When trying to reinstall the cert via "Manage Service SSL Certificates", the wrong CA order was added again.

    https://knowledge.rapidssl.com/supp.../index?page=content&actp=CROSSLINK&id=SO26462

    Secondary Intermediate CA
    Issued to: RapidSSL CA
    Issued by: GeoTrust Global CA
    Validity: 2/19/2010 to 2/18/2020
    Serial Number: 02 36 d1

    Primary Intermediate CA
    Issued to: GeoTrust Global CA
    Issued by: Equifax Secure Certificate Authority
    Validity: 05/20/2002 to 08/20/2018
    Serial Number: 12 bb e6

    The Certificate Authority Bundle would be these two:
    Secondary Intermediate CA
    Primary Intermediate CA

    When pasting that into the Certificate Authority Bundle it is installed the other way around.
    Primary Intermediate CA
    Secondary Intermediate CA

    So the question is which CA bundle file is used when the CA bundle field is empty (since it is optional)? The cert files still get the wrong CA order installed in the .crt file.

    Perhaps only the RapidSSL CAs are wrong.
     
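    The ordering rule this thread is chasing (leaf first, then each intermediate directly below the certificate it issued) can be checked offline against a file such as /var/cpanel/ssl/dovecot/mydovecot.crt, which also answers the original post's question about checking chains on arbitrary ports. The following script is an added example, not cPanel's code or DigiCert's tool; it builds a constructed four-certificate demo chain with openssl (not the RapidSSL certificates quoted above) and verifies that every certificate's issuer matches the subject of the one that follows it.

    ```shell
    #!/bin/sh
    # Chain-order check for a PEM bundle: leaf first, then intermediates, each
    # certificate's issuer must equal the subject of the certificate after it.
    # Usage: chain_in_order /path/to/bundle.pem   (e.g. the .crt under /var/cpanel/ssl)

    name_of() {  # print the subject or issuer DN of one PEM cert, "subject="/"issuer=" prefix stripped
        openssl x509 -noout -"$1" -nameopt RFC2253 -in "$2" | cut -d= -f2-
    }

    chain_in_order() {
        bundle="$1"
        tmp=$(mktemp -d)
        # split the bundle into 1.pem, 2.pem, ... in file order and report how many there are
        n=$(awk -v d="$tmp" '/BEGIN CERTIFICATE/{n++} n{print > (d "/" n ".pem")} END{print n+0}' "$bundle")
        rc=0
        i=1
        while [ "$i" -lt "$n" ]; do
            j=$((i + 1))
            if [ "$(name_of issuer "$tmp/$i.pem")" != "$(name_of subject "$tmp/$j.pem")" ]; then
                echo "out of order: cert $i was issued by '$(name_of issuer "$tmp/$i.pem")'," \
                     "but cert $j is '$(name_of subject "$tmp/$j.pem")'" >&2
                rc=1
            fi
            i=$j
        done
        rm -rf "$tmp"
        return "$rc"
    }

    # Constructed demo chain (hypothetical names, EC keys so generation is fast):
    # Demo Root CA -> Demo primary -> Demo secondary -> Demo leaf
    make_demo_chain() {
        d="$1"
        o="-newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes"
        openssl req -x509 $o -keyout "$d/root.key" -out "$d/root.crt" -subj "/CN=Demo Root CA" -days 2 2>/dev/null
        prev=root
        for cur in primary secondary leaf; do
            openssl req $o -keyout "$d/$cur.key" -out "$d/$cur.csr" -subj "/CN=Demo $cur" 2>/dev/null
            openssl x509 -req -in "$d/$cur.csr" -CA "$d/$prev.crt" -CAkey "$d/$prev.key" \
                -CAcreateserial -out "$d/$cur.crt" -days 2 2>/dev/null
            prev=$cur
        done
    }
    ```

    To check a live service instead of a file, capture the presented chain first, for example `openssl s_client -showcerts -connect hostname.domain.tld:993 </dev/null > chain.pem`, then run `chain_in_order chain.pem` on the result.
    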
  10. lorio

    lorio Well-Known Member

    The ticket number is 5481971 .
     
  11. lorio

    lorio Well-Known Member

    Note for the search function: old Android (at least 2.3.5) HTC Mail applications are not able to create an account with a wrong-order SSL chain. There is no real error message. It just cannot complete the SSL connection test.
     
  12. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Internal case number 87489 is open to address an issue where the order of the CA bundle is not preserved when installing SSL certificates. You will find this case number in our change logs when a resolution has been published:

    cPanel - Change Logs

    Thank you.
     
  13. eva2000

    eva2000 Well-Known Member

    Joined:
    Aug 14, 2001
    Messages:
    322
    Likes Received:
    10
    Trophy Points:
    18
    Location:
    Brisbane, Australia
    cPanel Access Level:
    Root Administrator