SSL trouble installing intermediate certificate

Discussion in 'Security' started by thepossum, Jun 19, 2014.

  1. thepossum

    thepossum Registered

    We have a customer with a dedicated IP and a certificate installed from GeoTrust. All was apparently working well, until somebody with an old version of Firefox tried to access their SSL site.

    I did some experimenting, downloaded Firefox 4.0.1 from ftp.mozilla.org. By default, I got the same Site Untrusted error. But when I manually install the intermediate "GeoTrust Extended Validation SSL CA G2" certificate from here - Removed - into the browser, then everything works as it should.

    Now my problem is to install that same intermediate certificate via WHM. At Security->SSL/TLS Manager->Manage SSL sites I have three fields to enter (CRT, KEY, CABUNDLE). However no matter how many times I try the "Install Certificate" button, the intermediate cert is not being saved.

    Do I need to manually install that intermediate certificate into the httpd conf? Something to do with the SSLCertificateChainFile doesn't seem to be working via WHM. Another guess I've got is that since the certificate is already installed and working, I can't install that same certificate over top without first deleting it?

    I need a bit of assistance here...
     
    #1 thepossum, Jun 19, 2014
    Last edited by a moderator: Jun 20, 2014
  2. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

  3. thepossum

    thepossum Registered

    Nope, they were totally not helpful. Already read them.

    My very specific question was, paraphrased, where can I go to somehow manually attach that intermediate certificate into the config, because none of the web gui interface is doing it for me?
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello :)

    Please feel free to open a support ticket so we can take a closer look to determine why the CABundle is not updating successfully. You can post the ticket number here so we can update this thread with the outcome.

    Thanks.
     
  5. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    When you attempted to add it there, there's an option to Autofill by Certificate. Did that give you any error message when you used it?

    The area I mentioned is not the same area. At the top of the area you mention, it says this:
    Above the area I did it says:
    I guess I'm wrong here, but I thought this was for the website, not the server services.
     
  6. thepossum

    thepossum Registered

    Rather than leave all of you Google'ers hanging, I have now solved the problem with the help of cPanel's tech support, and this was what was necessary:

    I downloaded the official GeoTrust .pem bundle for Apache knowledge.geotrust.com/library/VERISIGN/ALL_OTHER/geotrust%20ca/GeoTrust_EV_CA_G2_bundle.pem

    Depending on which certificate you purchased it may be a different .pem bundle -- others are here knowledge.geotrust.com/support/knowledge-base/index?page=content&actp=CROSSLINK&id=AR1421

    Once downloaded to a location readable by the Apache daemon, I edited the /etc/httpd/conf/httpd.conf and located the VirtualHost section for the site in question's SSL and added one more line:

    /etc/httpd/conf/httpd.conf
    <VirtualHost ...:443>
    ...
    SSLCACertificateFile /path/to/filename.pem
    ...
    </VirtualHost>

    and once that change was made I restarted Apache with /scripts/restartsrv_httpd
     
  7. cPanelJared

    cPanelJared Technical Analyst
    Staff Member

    Note that on a cPanel server, the httpd.conf file is in /usr/local/apache/conf, not /etc/httpd/conf. /etc/httpd may exist, but it is only a symlink to /usr/local/apache. /usr/local/apache is the actual location of Apache httpd on a cPanel server.

    Similarly, /scripts is only a symlink to /usr/local/cpanel/scripts. On recent versions of cPanel, the actual location of the scripts is /usr/local/cpanel/scripts, with /scripts as a symlink only for compatibility and legacy purposes.

    Finally, your manual edit to httpd.conf will not survive a cPanel update. It will be overwritten. Please see the following documentation that explains how to make manual edits to httpd.conf and preserve them across updates:

    EasyApache: Changes Contained Outside a VirtualHost Directive
    EasyApache: Changes Contained Within a VirtualHost Directive
     
  8. vkimura

    vkimura Member

    Just fyi, for others who come across this page. The links should be updated to:
    https://documentation.cpanel.net/display/EA/Apache+Configuration+File+and+Building+Apache
    https://documentation.cpanel.net/display/EA/Modify+Virtualhost+Containers+With+Include+Files

    Geotrust has some documentation on updating your httpd.conf to include the CA bundle:
    https://knowledge.geotrust.com/support/knowledge-base/index?page=content&id=SO15170

    But you'll have to use the link
    https://documentation.cpanel.net/display/EA/Modify+Virtualhost+Containers+With+Include+Files

    so EasyApache doesn't overwrite it on the next update.

    God bless<><
     
  9. joako

    joako Well-Known Member

    The best option is to copy and paste the two certificates into one file and use that as your SSL certificate in WHM.

    If you run the test here: https://www.ssllabs.com/ssltest/analyze.html You can see if the certificate is properly installed by looking at "Chain issues"
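
An offline version of the chain check discussed in this thread, added here as an example and not part of any poster's message or of cPanel's tooling: it builds a throwaway root, intermediate and leaf with openssl (all names and paths are constructed) and shows that the leaf validates only when the intermediate is supplied, which is what a client without a cached intermediate sees when the CA bundle is missing.

```shell
#!/bin/sh
# Constructed demo: throwaway root -> intermediate -> leaf chain (all names hypothetical).

# issue NAME CN EXTFILE [ISSUER]: create NAME.key and NAME.pem; self-signed if no ISSUER.
issue() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null || return 1
  if [ -n "${4:-}" ]; then
    openssl x509 -req -in "$1.csr" -CA "$4.pem" -CAkey "$4.key" -set_serial 2 \
      -extfile "$3" -sha256 -days 2 -out "$1.pem" 2>/dev/null
  else
    openssl x509 -req -in "$1.csr" -signkey "$1.key" -set_serial 1 \
      -extfile "$3" -sha256 -days 2 -out "$1.pem" 2>/dev/null
  fi
}

# make_chain DIR: write root.pem, int.pem and leaf.pem (plus keys) into DIR.
make_chain() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$1/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' > "$1/leaf.ext"
  issue "$1/root" "Demo Root CA" "$1/ca.ext" &&
  issue "$1/int" "Demo Intermediate CA" "$1/ca.ext" "$1/root" &&
  issue "$1/leaf" "www.example.test" "$1/leaf.ext" "$1/int"
}

# chain_verifies ROOT LEAF [CABUNDLE]: succeeds only if LEAF chains to ROOT using
# nothing but the certificates in CABUNDLE (what the server would send along).
chain_verifies() {
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
  fi
}

work=$(mktemp -d)
make_chain "$work"
# The "one file" approach: site certificate first, then the intermediate.
cat "$work/leaf.pem" "$work/int.pem" > "$work/fullchain.pem"

if chain_verifies "$work/root.pem" "$work/leaf.pem"; then
  echo "leaf alone: trusted"
else
  echo "leaf alone: untrusted (client has no copy of the intermediate)"
fi
if chain_verifies "$work/root.pem" "$work/leaf.pem" "$work/int.pem"; then
  echo "leaf + CA bundle: trusted"
else
  echo "leaf + CA bundle: untrusted"
fi
```

Against real files, pass the CA's root certificate as the first argument, the installed site certificate as the second and the contents of the CABUNDLE field as the third.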
     
  10. websnail.net

    websnail.net Active Member

    Just thought I'd toss some hard won intel here as I've been struggling with this now for the last couple of days.

    CAbundle inclusion within the virtualhost directive is still not happening despite the SSL certificate installation process, so, as folks have found, their sites won't pass all SSL tests properly.

    This is what I've discovered on how to do it for RapidSSL along with RTFM moments that perhaps could be excused.

    1. Make sure you have the correct Intermediate CA bundle.
    RapidSSL have two of these in circulation and their documentation is poorly maintained with the older version still active but failing to verify the chain properly. The correct one at time of writing is this one:
    https://knowledge.rapidssl.com/supp.../index?page=content&actp=CROSSLINK&id=SO26459

    2. As noted earlier, direct editing of the httpd.conf file will result in the loss of the edits when you update Apache or rebuild it, so you need to follow the "includes" guide to make sure your edits are added.

    BUT critically you also need to remember to run the following command lines to get them included
    /scripts/verify_vhost_includes
    /scripts/rebuildhttpdconf

    This last is missed out in the linked docs presumably based on the assum(e)ption that people read a manual in a linear fashion. That could do with a little rethink (ie: inclusion on the tail of "includes" guide).



    Took a looong time to get this sorted out but not entirely sure why cPanel/WHM is not including the SSLCACertificateFile information by default... Bug?


    Hope that saves someone an equally frustrating 5 hours head-desk abuse.
     
  11. Marcllino

    Marcllino Member

    Hi,

    I also had this problem when installing the certificate. The CAbundle didn't 'register' correctly and an SSL check gave the warning that intermediate certs were not present.

    I added the intermediate certs into the virtualhost manually and that worked, but is not how it should work.

    Last week I installed a certificate and the same problem occurred. Every time I re-installed and added the CAbundle (through cPanel for the account) nothing happened and the intermediate certs didn't get 'registered'.

    When I used WHM: Home » SSL/TLS » Install an SSL Certificate on a Domain

    -> Browse certificates
    -> Browse account (select the account where the cert is already installed)
    -> Select (or is already selected) and click 'use certificate'
    -> Scroll down to the 'Certificate Authority Bundle' section and add the intermediate certs

    I use COMODO and the order for this is:
    - AddTrustExternalCARoot
    - COMODORSAAddTrustCA
    - COMODORSAExtendedValidationSecureServerCA

    Using this method the intermediate certs got 'registered' correctly. This assumes that you already installed the certificate through cPanel for the account (which apparently doesn't register the intermediate certs initially).

    WHM version: 11.50.0 (build29) / CentOS 6.6

    Hope this helps.

    Regards,

    Marcellino
     
  12. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello :)

    Could you let us know if this issue continues on cPanel version 11.50.1.1 (Currently only available in the "Current" build tier), and if so, let us know who your certificate issuer is?

    Thank you.
     
  13. Khoi Nguyen

    Khoi Nguyen Registered

    #13 Khoi Nguyen, Nov 29, 2015
    Last edited by a moderator: Nov 29, 2015
  14. joako

    joako Well-Known Member

    You can't just replace the CA, since in PKI the CA is the certificate (or parent certificate of the intermediate CA) that signed your certificate. You must contact the seller of the certificate (which is not necessarily GeoTrust) and have them reissue it. You should generate a new CSR with SHA-256 and a 4096-bit key.
     