
SSL certs are not updating properly.

Discussion in 'General Discussion' started by jols, Jan 26, 2010.

  1. jols

    jols Well-Known Member

    cPanel 11.25.0-R42404 - WHM 11.25.0 - X 3.9
    REDHAT Enterprise 5.4 i686 standard

    The following is occurring with multiple cPanel servers:

    I've double-confirmed this. Here's what is going on (using the SSL/TLS links in WHM):

    1 -- A new CSR is made via the link - Generate a SSL Certificate and Signing Request

    2 -- The certificate provider releases the new SSL certificate.

    3 -- The newly updated certificate is installed (the customer already has a cert installed which is about to expire). Here is the message we get on the WHM page:
    (I've changed the domain name of the account in the message below)
    ---------------------------------
    Installing SSL Certificate
    Waiting for httpd to restart..............finished.
    httpd (/usr/local/apache/bin/httpd -k start -DSSL) running as root with PID 18072
    httpd started ok
    Certificate verification passed

    customerdomain.com is already configured for SSL on 174.120.215.122. Updating Certificate Only!

    The Certificate for the domain qualityscheduling.com was installed on the IP 174.120.215.122.
    Finished SSL Install Process for customerdomain.com (www.customerdomain.com).
    ---------------------------------

    4 -- I clear the browser cache, use two different browsers, use a freshly downloaded browser, etc. Then I visit a secure page at the affected domain and I get this:

    "Expires Wednesday, February 3, 2010..."

    .. i.e. the certificate is NOT updated.

    5 -- I pico into httpd.conf to get the link to the SSL cert that this specific account is using, i.e. I look at this section:

    SSLCertificateFile /etc/ssl/certs/customerdomain.com.crt
    SSLCertificateKeyFile /etc/ssl/private/customerdomain.com.key
    SSLCACertificateFile /etc/ssl/certs/customerdomain.com.cabundle
    ErrorLog /usr/local/apache/domlogs/customerdomain.com-ssl_data_log
    CustomLog /usr/local/apache/domlogs/customerdomain.com-ssl_log combined
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
    <Directory "/home/quality/public_html/cgi-bin">
    SSLOptions +StdEnvVars

    6 -- I pico into this file:
    /etc/ssl/certs/customerdomain.com.crt

    ... and visually compare the certificate code with the new certificate code. IT'S DIFFERENT!

    7 -- I go back to the httpd.conf file and look further down the list. BINGO, there is a second entry for this domain/account:

    <IfDefine SSL>

    <VirtualHost 174.120.215.122:443>
    ServerName customerdomain.com
    ...

    ... and this link is different (it contains the "www" version of the domain/address).

    SSLCertificateFile /etc/ssl/certs/www.customerdomain.com.crt

    I pico this cert file - /etc/ssl/certs/www.customerdomain.com.crt

    And indeed THIS certificate is the new one, i.e. it IS the same as the new certificate code.

    ---

    In conclusion: The cPanel system (A) does not update the SSL code for both the "www" and the non-"www" versions of the account's URL, AND (B) the cPanel system continues to use the older, non-"www" version for both address versions used at the browser, i.e. for both:

    https://customerdomain.com/

    and for

    https://www.customerdomain.com/

    Both addresses show the cert is soon to expire.

    -------

    NOW: Here's what's kind of infuriating about this:

    IF I try to correct this flaw in a logical manner, it will crash the Apache system!

    What I try to do in this case is stuff like this.

    cp /etc/ssl/certs/customerdomain.com.crt /etc/ssl/certs/customerdomain.com.crt-BACKUP

    cp /etc/ssl/certs/www.customerdomain.com.crt /etc/ssl/certs/customerdomain.com.crt

    Then I use:
    /etc/rc.d/init.d/httpd configtest

    ... and get:
    Syntax OK

    Then I restart Apache and run a status and get this:
    --------
    Looking up localhost
    Making HTTP connection to localhost
    Alert!: Unable to connect to remote host.
    --------
    Not until I replace the original out-of-date cert (cp customerdomain.com.crt-BACKUP customerdomain.com.crt), am I able to bring up Apache again.

    SO, THEN I attempt the illogical solution and it works:

    Namely, I go into WHM --> SSL Key/Crt Manager. Then find and copy out the customer's key.
    (Note: I find two different keys in this case.)

    Then I EDIT the httpd.conf file, manually editing out both the domain's :443 entries (even though there is the "AUTOMATICALLY GENERATED..." comment to NOT do this). And then I save the file.

    I restart Apache and everything is fine.

    Then I install the new SSL cert, and this time cPanel acts like I am installing a brand new cert, as opposed to an update.

    Apache survives. And the new expiration date is now properly reflected in a browser test. SOLUTION, the cert is now updated properly.

    AVERAGE TIME TO DO ALL OF THIS IS ONE TO TWO HOURS!!!!!!!!!!!

    Is there any way you guys could please fix this one? This issue has persisted ever since this last (major) update that came down the pike a month or so ago.

    Thank you.
     
    #1 jols, Jan 26, 2010
    Last edited: Jan 26, 2010
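
A check for the condition found in step 7 of the post above, as an added example that is not part of the original thread and not cPanel code: it scans httpd.conf text for `<VirtualHost>` blocks that share an address and ServerName but reference different certificate or key files. The sample configuration is constructed from the excerpts in the post, and the second key path is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the excerpts in the post; the second key path is assumed.
SAMPLE_CONF = """\
<VirtualHost 174.120.215.122:443>
ServerName customerdomain.com
SSLCertificateFile /etc/ssl/certs/customerdomain.com.crt
SSLCertificateKeyFile /etc/ssl/private/customerdomain.com.key
</VirtualHost>
<IfDefine SSL>
<VirtualHost 174.120.215.122:443>
ServerName customerdomain.com
SSLCertificateFile /etc/ssl/certs/www.customerdomain.com.crt
SSLCertificateKeyFile /etc/ssl/private/www.customerdomain.com.key
</VirtualHost>
</IfDefine>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)
DIRECTIVES = ("ServerName", "SSLCertificateFile", "SSLCertificateKeyFile")

def parse_ssl_vhosts(conf_text):
    """Return one dict per <VirtualHost> block that sets SSLCertificateFile."""
    vhosts = []
    for m in VHOST_RE.finditer(conf_text):
        entry = {"addr": m.group(1).strip(),
                 "line": conf_text.count("\n", 0, m.start()) + 1}
        for name in DIRECTIVES:
            # Anchored at line start, so commented-out directives are skipped.
            d = re.search(rf"^[ \t]*{name}[ \t]+(\S+)", m.group(2), re.M | re.I)
            entry[name] = d.group(1).strip('"') if d else None
        if entry["SSLCertificateFile"]:
            vhosts.append(entry)
    return vhosts

def find_conflicts(conf_text):
    """Map (address, ServerName) to its vhost blocks when there is more than one
    block and they do not all reference the same certificate/key pair."""
    groups = defaultdict(list)
    for v in parse_ssl_vhosts(conf_text):
        groups[(v["addr"], (v["ServerName"] or "").lower())].append(v)
    return {k: b for k, b in groups.items() if len(b) > 1 and len(
        {(x["SSLCertificateFile"], x["SSLCertificateKeyFile"]) for x in b}) > 1}

if __name__ == "__main__":
    for (addr, name), blocks in find_conflicts(SAMPLE_CONF).items():
        print(f"{name} on {addr}: {len(blocks)} SSL vhosts, different cert/key files")
        for b in blocks:
            print(f"  line {b['line']}: {b['SSLCertificateFile']}")
```

The key paths are compared along with the certificate paths because a certificate only loads alongside the private key its CSR was generated from.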
  2. cPanelDon

    cPanelDon cPanel Quality Assurance Analyst
    Staff Member

    Thank you for the information. I believe the reported issue will be resolved per corrections within internal case ID #37419 -- the fix is scheduled to be back-merged into 11.25.0 following additional Quality Assurance testing. Beyond this I do not have an ETA available, but it is being given appropriate priority.

    Please be aware that the best avenue to report bugs is via our ticket system using the link in the top-right corner of the forums, labeled Bugs; using this method helps to ensure greater efficiency, accuracy in diagnosis, full and in-depth investigation and faster resolution. Thank you for your understanding.
     