
SSL Setup, Certs, and IP Address: HELP

Discussion in 'General Discussion' started by mkw, Apr 24, 2004.

  1. mkw

    Trying to setup SSL for my domain, let's say for example, www.domain.com.

    Have checked all of the forums, conducted an extensive Google search, but still haven't found any distinct answers to my questions. Maybe I'm missing something simple here, maybe I'm dumber than I thought, or both.

    I have a 2nd IP address, ok ... but am not sure of what to do with it, can find no information in any of the forums, just that a 2nd IP address is required to set up SSL. That's great. What do you do with the 2nd IP address?

    Do I have to create a new nameserver with this IP address, such as www.secure.fruitloops.com? If not, how do you setup SSL so secure connections go to https://www.secure.domain.com? Or, is that even necessary? Will https://www.domain.com work? Where and how does the 2nd IP address come into play? How is it related, linked, connected, or associated with SSL on a server?

    And, exactly where and how does the hostname come into play? If the registered hostname for a site is domain.domain.com, should the SSL cert be requested for domain.domain.com, www.domain.com, or domain.com?

    I'm sure the answers to these questions are quite simple, but if anyone could lend some insights into the realm of SSL and exactly how to set it up on a server, the information would be greatly appreciated ...
     
  2. beekeeper

    it depends on your system

    Hi mkw,

    You have an IP for your domain so the next step is to generate a certificate signing request (CSR) and private key pair. You can do this from your WHM or directly from a SSH command line.

    You can choose the hostname you prefer, such as secure.domain.com or domain.com, but remember the cert will only work seamlessly with the nominated hostname, and specifically www.domain.com is not the same as domain.com.

    During the certificate ordering process you will need to provide the CSR. Once your organisation is verified the cert issuer will send you the cert.

    Finally you install the cert and key pair using WHM or SSH.

    If you don't have WHM or SSH then you will need to ask your provider to do these steps. The SSH commands you would need to use will depend on your system, but you have not provided any details about this. The cert issuers usually have detailed instructions for each of the popular operating systems and software combinations.
     
  3. mkw

    No Geotrust Cabundle File with QuickSSL?

    beekeeper,

    Thanks for the info. Using your information along with a few other posts, I finally got a handle on what had to be done to install the Cert. I realized that I already had an IP based site ... I misunderstood the 2nd IP part ... that this is only necessary if you have other virtual sites, etc.

    To make a long story short, I obtained a Geotrust QuickSSL cert and installed it successfully via cPanel. I confirmed that the two files match, as specified by http://en.tldp.org/HOWTO/SSL-RedHat-HOWTO-5.html.

    Https connections are now working, but I am getting "untrusted certifying authority" browser messages. I combed the forums and discovered that something is not quite right with my ca-bundle file or intermediate authority file. Geotrust did not send a cabundle file.

    Apache documentation at http://en.tldp.org/HOWTO/SSL-RedHat-HOWTO-4.html addresses the installation of a SSLCACertificateFile, stating that "The solution is to install the intermediate certificate on the server using the SSLCACertificateFile directive. Usually, a "trusted" CA issues the intermediate certificate. If it is not, then you may need to use the SSLCertificateChainFile directive, although this is unlikely." Exactly what does this mean and how is it implemented?

    I also read a post stating that Geotrust DOES send a cabundle with a "chained SSL" cert. Why not with a QuickSSL cert? How do I fix my ca-bundle file? Where do I get the Geotrust CA bundle data? And, should I update my httpd.conf file to show the location of the domain.key and .crt? It's all very frustrating, snippets of info here and no real answers to questions on the Geotrust FAQ site. As a matter of fact, a search of cabundle, bundle, or ca-bundle in their knowledgebase brings back no results at all.

    I think I'm getting close to a solution, but have sent emails to Geotrust and ev1 support in the hope that they can shed some light on the subject. Any suggestions in the meantime?
     
  4. bamasbest

    You should be able to download the entire geotrust cabundle and install.

    You may need to tweak httpd.conf to reflect cabundle location.

    I know that with the instantssl certs, you can search their site and that they have their cabundles available for download. If geotrust didn't attach, you can always ask for them to resend it.
     
  5. Stephanie_R

    You will need to create a file named ca.txt wherever your server keeps the certificates and paste the .CA cert into it.
    Then add a line to httpd.conf which would look something like this:
    SSLCACertificateFile /usr/share/certs/ca.txt
    Using whichever path you have to your ca.txt
    Then restart Apache (after checking the .conf syntax is OK)

    An easier way of doing this (If you have WHM) is to paste the CA cert into WHM in the cabundle section.
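
The two checks this thread turns on, as an added example that is not part of any post above: that the private key matches the certificate, and that the certificate validates only once the intermediate (the "cabundle") is supplied. The root, intermediate and www.domain.com certificates are constructed throwaway test material, not GeoTrust's chain, and the function names are illustrative.

```shell
#!/bin/sh
# Added example. Every key and certificate below is a constructed throwaway.
set -eu

# SHA-256 over the PEM public key held in a private key file / a certificate.
key_pub_hash()  { openssl pkey -in "$1" -pubout | openssl sha256; }
cert_pub_hash() { openssl x509 -in "$1" -noout -pubkey | openssl sha256; }

# key_matches_cert KEY CERT: true when both carry the same public key.
key_matches_cert() { [ "$(key_pub_hash "$1")" = "$(cert_pub_hash "$2")" ]; }

# chain_ok ROOT CERT [BUNDLE]: true when CERT chains to ROOT, optionally
# helped by the intermediates in BUNDLE (what the server would send).
chain_ok() {
    if [ -n "${3:-}" ]; then
        openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
    fi
}

# make_demo_pki DIR: root -> intermediate (ca-bundle.crt) -> www.domain.com.
make_demo_pki() {
    p=$1
    printf 'basicConstraints=critical,CA:TRUE\n' > "$p/ca.ext"
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Root" \
        -keyout "$p/root.key" -out "$p/root.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate" \
        -keyout "$p/int.key" -out "$p/int.csr" 2>/dev/null
    openssl x509 -req -in "$p/int.csr" -CA "$p/root.crt" -CAkey "$p/root.key" \
        -CAcreateserial -days 2 -extfile "$p/ca.ext" \
        -out "$p/ca-bundle.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=www.domain.com" \
        -keyout "$p/domain.key" -out "$p/domain.csr" 2>/dev/null
    openssl x509 -req -in "$p/domain.csr" -CA "$p/ca-bundle.crt" \
        -CAkey "$p/int.key" -CAcreateserial -days 2 \
        -out "$p/domain.crt" 2>/dev/null
}

d=$(mktemp -d)
trap 'rm -rf "$d"' EXIT
make_demo_pki "$d"
key_matches_cert "$d/domain.key" "$d/domain.crt" && echo "key matches cert"
chain_ok "$d/root.crt" "$d/domain.crt" || echo "untrusted: no intermediate"
chain_ok "$d/root.crt" "$d/domain.crt" "$d/ca-bundle.crt" && echo "trusted with bundle"
```

The middle result is the "untrusted certifying authority" symptom from the thread: the certificate and key are fine, but a client holding only the root cannot build a path until the server also presents the intermediate.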
     