SSL certificate renewal problem in WHM

Bdzzld

Well-Known Member
Apr 3, 2004
410
5
168
Hi,

I'm unable to renew a web site's SSL certificate through WHM. This is what I normally do :

1)SSL/TLS->Install a SSL Certificate and Setup the Domain
2)Domain Browse->Select domain name to be updated
3)The .csr, .key and .ca fields are being filled
3)Paste the new certificate in the .ca field
5)Press submit
6)WHM now shows the message :

"Installing SSL Certificate
Certificate verification passed

www.xxxxxxx.xxx is already configured for SSL on xxx.xxx.xxx.xx. Updating Certificate Only!

Finished Install Process.. "

Now when I restart from step 1 through 3 the old SSL certificate is still shown and not the one I supposedly succesfully renewed. Any ideas?

Thanks.
 

Bdzzld

Well-Known Member
Apr 3, 2004
410
5
168
First deleting the certificate and then recreating it will - although temporarily - leave the web site without a SSL connection. I'm looking for another option if possible. Thanks though for your suggestion.
 

Bdzzld

Well-Known Member
Apr 3, 2004
410
5
168
Can someone from cPanel please verify if this is a(n) (un)known bug in the latest Stable release ?

Thanks.
 

mambovince

Well-Known Member
Jan 15, 2005
193
0
166
London, UK
I can confirm the same issue as yourself only 1 week ago and also using stable release.

Even tried deleting current certificate using WHM but the old cert details kept coming up.

The only way we managed to install the renewal was:

1. Renamed ssl directory to ssl_BAK under home directory.
2. Removed SSL from WHM and made sure that httpd.conf do not have any entry for ssl.
3. Moved key, cabundle, crt files to /usr/share/ssl/userdomain_ssl folder from /usr/share/ssl/private and /usr/share/ssl/certs.
4. Restarted http and cpanel service.

- Vince
 

cPanelKenneth

cPanel Development
Staff member
Apr 7, 2006
4,608
77
308
cPanel Access Level
Root Administrator
Hi,

I'm unable to renew a web site's SSL certificate through WHM. This is what I normally do :

1)SSL/TLS->Install a SSL Certificate and Setup the Domain
2)Domain Browse->Select domain name to be updated
3)The .csr, .key and .ca fields are being filled
3)Paste the new certificate in the .ca field
5)Press submit
6)WHM now shows the message :

"Installing SSL Certificate
Certificate verification passed

www.xxxxxxx.xxx is already configured for SSL on xxx.xxx.xxx.xx. Updating Certificate Only!

Finished Install Process.. "

Now when I restart from step 1 through 3 the old SSL certificate is still shown and not the one I supposedly succesfully renewed. Any ideas?

Thanks.
What was the process in cPanel/WHM for obtaining the new certificate?
 

Bdzzld

Well-Known Member
Apr 3, 2004
410
5
168
Hi Kenneth,

It's not a server-generated SSL certificate but a commercial one.
Added it to Bugzilla : #7669

Regards.
 
Last edited:

cPanelKenneth

cPanel Development
Staff member
Apr 7, 2006
4,608
77
308
cPanel Access Level
Root Administrator
Hi Kenneth,

It's not a server-generated SSL certificate but a commercial one.
Added it to Bugzilla : #7669

Regards.
If the key and csr are generated in cPanel, those are stored in ~/ssl and always have priority when fetching the SSL information.

If the key and csr are generated in WHM, those are stored in /usr/share/ssl and will be used during the install if /home/user/ssl does not exist, or the files are missing in /home/user/ssl

The SSL Installer in WHM will fetch the Certificate and Key in the following order:

1. /home/user/ssl (where user is the account that owns the domain receiving the SSL Certificate)
2. /usr/share/ssl (only if /home/user/ssl does not exist, or does not contain the files for the domain receiving the SSL Certificate).
3. No where, in the case of a domain that never had a SSL Certificate

Hence, the SSL Installer in WHM will always show the files stored on the file system from either /home/user/ssl or /usr/share/ssl.


When obtaining the updated SSL Certificate, did you generate a new CSR and Key, or are you re-using the CSR and Key from the older Certificate?

Which parts of the entire process were done in cPanel and which in WHM?


Please note in your original post you make the following statements:

3)The .csr, .key and .ca fields are being filled
There is no .csr field in the SSL Installer in WHM. The fields are CRT, Key and CA Bundle

3)Paste the new certificate in the .ca field
The Certificate should be pasted in the top-most field, the CRT field. Only the CA Bundle, containing all the intermediary Certificates, should be pasted in the CA Bundle field.
 
Last edited:

ThinIce

Well-Known Member
Apr 27, 2006
352
9
168
Disillusioned in England
cPanel Access Level
Root Administrator
Having a similar problem on release with SSL renewals.

- Generate new CSR within WHM
- Purchase cert at comodo.
- Install via WHM
- Old cert is still shown on website.
- When httpd is restarted cert comes up as self signed in browsers :s
- Manually replacing /usr/share/ssl/certs/www.domainhere.co.uk.crt and restarting httpd corrects this.
 

cPanelKenneth

cPanel Development
Staff member
Apr 7, 2006
4,608
77
308
cPanel Access Level
Root Administrator
The old CSR was submitted to RapidSSL. The new key was received after payment by e-mail.



All were done in WHM.
The auto-fetching will only retrieve what is on the file system. Since the older data (Key, Cert, CSR) are on the file system that is what will be fetched for display.

Once you add the new data via the form and submit it, it will over write (after making a backup) what is there.
 

cPanelKenneth

cPanel Development
Staff member
Apr 7, 2006
4,608
77
308
cPanel Access Level
Root Administrator
Having a similar problem on release with SSL renewals.

- Generate new CSR within WHM
- Purchase cert at comodo.
- Install via WHM
- Old cert is still shown on website.
- When httpd is restarted cert comes up as self signed in browsers :s
- Manually replacing /usr/share/ssl/certs/www.domainhere.co.uk.crt and restarting httpd corrects this.
Full cPanel version number, please.
 

Bdzzld

Well-Known Member
Apr 3, 2004
410
5
168
Once you add the new data via the form and submit it, it will over write (after making a backup) what is there.
Nope. It does not overwrite the old one. WHM claims it has updated the certificate, but still shows the old one after checking it regardless.
Using the latest stable release : WHM 11.23.2 cPanel 11.23.6-S27225.
 

cPanelKenneth

cPanel Development
Staff member
Apr 7, 2006
4,608
77
308
cPanel Access Level
Root Administrator
Nope. It does not overwrite the old one. WHM claims it has updated the certificate, but still shows the old one after checking it regardless.
Using the latest stable release : WHM 11.23.2 cPanel 11.23.6-S27225.
Please open a support ticket at https://tickets.cpanel.net/submit/

We are not able to replicate this in our testing environment.
 

Sash

Well-Known Member
Feb 18, 2003
252
0
166
We experienced the same issue under the latest stable version. Updating to release fixed the problem.

Mike
 

Angel78

Well-Known Member
May 9, 2002
413
1
318
I also had this problem, WHM says that certificate is just being updated and it displays:

instalation process finished (no apache restart...etc)


workaround = I just removed the old .crt file and added new one.

Using Latest Current. (it worked without issues few weeks ago when I was updating another cert)
 

Bdzzld

Well-Known Member
Apr 3, 2004
410
5
168
Well hopefully the problem is corrected then in the *next* stable release, as it's not yet now. Still had to manually look up the files and alter them in the current stable release.
 

rsaylor

Well-Known Member
Mar 27, 2003
160
1
168
I was getting a blank page on SSL sites that were recently changed to a new IP address. Removing the crt, key, etc did nothing to resolve the issue. Rebooted the server, changed the IP again, still same issue. I finally upgraded to whatever is the latest.

/scripts/upcp --force

Restarted apache after that and all fixed. Odd that this did not affect working SSL sites, just those that were modified.
 

ThinIce

Well-Known Member
Apr 27, 2006
352
9
168
Disillusioned in England
cPanel Access Level
Root Administrator
Full cPanel version number, please.
Currently WHM 11.23.2 cPanel 11.23.6-R27698. Just renewed another cert. In this instance the following was the case.

  • Generate new CSR in WHM for domain with existing SSL cert (renewal).
  • Order cert from Comodo
  • Install new cert using WHM (paste cert into top box, other boxes are auto filled with correct values i.e with www.) correct IP and correct ca bundle - this is accepted and reported installed.
  • The correct value is not however written into the "www.userdomain.com.crt" file, what is written is the value from the "Certificate" section of the result of running the "Generate a SSL Certificate and Signing Request".
  • Looking in /usr/share/ssl/certs two new files for the userdomain.crt / cabundle have been created, but without the www. Visiting the domain leads to browser complaint that the cert is self signed.
  • Pop the correct new cert into www.userdomain.com.crt and all is again fine.

Which is... rather odd :p I'm happy to open a ticket next time we're due to renew one unless you see something braindead about the above process...
 

shortfork

Well-Known Member
Sep 4, 2006
63
0
156
Similar problems...

I could not for the life of me get a cert installed/renewed via the CP... what I wound up doing was getting a new cert, going to /etc/ssl/certs/www.domainname.ext.crt and simply overwrote the old cert with the new one..

Restart httpd... worked.

Someting is borked with the WHM and user panels though.. I've had this problem before..

Shortz