SSL trouble installing intermediate certificate

thepossum

Member
Jun 19, 2014
cPanel Access Level
Root Administrator
We have a customer with a dedicated IP and a certificate installed from GeoTrust. All was apparently working well, until somebody with an old version of Firefox tried to access their SSL site.

I did some experimenting, downloaded Firefox 4.0.1 from ftp.mozilla.org. By default, I got the same Site Untrusted error. But when I manually install the intermediate "GeoTrust Extended Validation SSL CA G2" certificate from here - Removed - into the browser, then everything works as it should.

Now my problem is to install that same intermediate certificate via WHM. At Security->SSL/TLS Manager->Manage SSL sites I have three fields to enter (CRT, KEY, CABUNDLE). However no matter how many times I try the "Install Certificate" button, the intermediate cert is not being saved.

Do I need to manually install that intermediate certificate into httpd.conf? Something to do with the SSLCertificateChainFile doesn't seem to be working via WHM. Another guess I've got is that since the certificate is already installed and working, I can't install that same certificate over the top without first deleting it?

I need a bit of assistance here...
 

thepossum

Member
Jun 19, 2014
cPanel Access Level
Root Administrator
Nope, they were totally not helpful. Already read them.

My very specific question was, paraphrased, where can I go to somehow manually attach that intermediate certificate into the config, because none of the web GUI interfaces are doing it for me?
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
Hello :)

Please feel free to open a support ticket so we can take a closer look to determine why the CABundle is not updating successfully. You can post the ticket number here so we can update this thread with the outcome.

Thanks.
 

Infopro

Well-Known Member
May 20, 2003
Pennsylvania
cPanel Access Level
Root Administrator
Nope, they were totally not helpful. Already read them.

My very specific question was, paraphrased, where can I go to somehow manually attach that intermediate certificate into the config, because none of the web GUI interfaces are doing it for me?
When you attempted to add it there, there's an option to Autofill by Certificate. Did that give you any error message when you used it?

The area I mentioned is not the same area. At the top of the area you mention, it says this:
Use this interface to manage SSL certificates for services other than Apache.
Above the area I did it in, it says:
Use this interface to install a certificate on a domain. To install a certificate, you can type the desired domain, and the interface will automatically fill the empty fields. You can also paste a certificate to automatically fill the domain and related information. To browse your certificates, click the “Browse Certificates” button.
I guess I'm wrong here, but I thought this was for the website, not the server services.
 

thepossum

Member
Jun 19, 2014
cPanel Access Level
Root Administrator
Rather than leave all of you Googlers hanging, I have now solved the problem with the help of cPanel's tech support, and this was what was necessary:

I downloaded the official GeoTrust .pem bundle for Apache knowledge.geotrust.com/library/VERISIGN/ALL_OTHER/geotrust%20ca/GeoTrust_EV_CA_G2_bundle.pem

Depending on which certificate you purchased it may be a different .pem bundle -- others are here knowledge.geotrust.com/support/knowledge-base/index?page=content&actp=CROSSLINK&id=AR1421

Once downloaded to a location readable by the Apache daemon, I edited /etc/httpd/conf/httpd.conf, located the VirtualHost section for the SSL site in question, and added one more line:

/etc/httpd/conf/httpd.conf
<VirtualHost ...:443>
...
SSLCACertificateFile /path/to/filename.pem
...
</VirtualHost>

and once that change was made I restarted Apache with /scripts/restartsrv_httpd.
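As an added example (not from this thread or from cPanel/GeoTrust), the script below builds a throwaway root -> intermediate -> leaf chain with openssl and shows why a client that trusts only the root (an old Firefox, or any trust store lacking the intermediate) rejects a server that sends the leaf without its CA bundle, and accepts it once the bundle is served. All names, files and the temporary directory are constructed.

```shell
#!/bin/sh
# Added example: reproduce the "missing intermediate" failure offline with openssl.
set -eu

# Build a disposable root -> intermediate -> leaf chain under directory $1 (constructed names).
make_chain() {
    d="$1"
    # Root CA, self-signed (openssl's req -x509 profile marks it CA:TRUE).
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes -days 30 \
        -subj "/CN=Example Root CA" -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
    # Intermediate CA signed by the root; it must carry CA:TRUE or path building fails.
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
        -subj "/CN=Example Intermediate CA" -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/int.ext"
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
        -days 30 -extfile "$d/int.ext" -out "$d/int.pem" 2>/dev/null
    # Leaf (server) certificate signed by the intermediate, like a purchased site certificate.
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
        -subj "/CN=www.example.test" -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' > "$d/leaf.ext"
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" -CAcreateserial \
        -days 30 -extfile "$d/leaf.ext" -out "$d/leaf.pem" 2>/dev/null
}

# A client whose store holds only the root, handed just the leaf: the chain cannot be built.
verify_leaf_only() {
    openssl verify -CAfile "$1/root.pem" "$1/leaf.pem" >/dev/null 2>&1
}

# The same client when the server also sends the CA bundle (what SSLCACertificateFile /
# SSLCertificateChainFile add to the handshake); -untrusted plays the role of the served bundle.
verify_with_bundle() {
    openssl verify -CAfile "$1/root.pem" -untrusted "$1/int.pem" "$1/leaf.pem" >/dev/null 2>&1
}

work=$(mktemp -d)
make_chain "$work"
verify_leaf_only "$work"   && echo "leaf only: OK" || echo "leaf only: chain incomplete (expected)"
verify_with_bundle "$work" && echo "with bundle: OK" || echo "with bundle: FAILED"
rm -rf "$work"
```

Against a live server the equivalent check is to capture what it actually sends with `openssl s_client -connect host:443 -servername host -showcerts </dev/null` and confirm the intermediate appears after the leaf; if only one certificate comes back, the bundle is not being served regardless of what WHM shows.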
 

JaredR.

Well-Known Member
Feb 25, 2010
Houston, TX
cPanel Access Level
Root Administrator
Note that on a cPanel server, the httpd.conf file is in /usr/local/apache/conf, not /etc/httpd/conf. /etc/httpd may exist, but it is only a symlink to /usr/local/apache. /usr/local/apache is the actual location of Apache httpd on a cPanel server.

Similarly, /scripts is only a symlink to /usr/local/cpanel/scripts. On recent versions of cPanel, the actual location of the scripts is /usr/local/cpanel/scripts, with /scripts as a symlink only for compatibility and legacy purposes.

Finally, your manual edit to httpd.conf will not survive a cPanel update. It will be overwritten. Please see the following documentation that explains how to make manual edits to httpd.conf and preserve them across updates:

EasyApache: Changes Contained Outside a VirtualHost Directive
EasyApache: Changes Contained Within a VirtualHost Directive
 

vkimura

Member
Oct 2, 2004
Burnaby, British Columbia, Canada
Just FYI, for others who come across this page. The links should be updated to:
https://documentation.cpanel.net/display/EA/Apache+Configuration+File+and+Building+Apache
https://documentation.cpanel.net/display/EA/Modify+Virtualhost+Containers+With+Include+Files

Geotrust has some documentation on updating your httpd.conf to include the CA bundle:
https://knowledge.geotrust.com/support/knowledge-base/index?page=content&id=SO15170

But you'll have to use the link
https://documentation.cpanel.net/display/EA/Modify+Virtualhost+Containers+With+Include+Files

so EasyApache doesn't overwrite it on the next update.

God bless<><
 

websnail.net

Well-Known Member
Mar 24, 2002
Just thought I'd toss some hard won intel here as I've been struggling with this now for the last couple of days.

CA bundle inclusion within the VirtualHost directive is still not happening despite the SSL certificate installation process, so, as folks have found, their sites won't pass all SSL tests properly.

This is what I've discovered on how to do it for RapidSSL along with RTFM moments that perhaps could be excused.

1. Make sure you have the correct Intermediate CA bundle.
RapidSSL have two of these in circulation and their documentation is poorly maintained with the older version still active but failing to verify the chain properly. The correct one at time of writing is this one:
https://knowledge.rapidssl.com/supp.../index?page=content&actp=CROSSLINK&id=SO26459

2. As noted earlier, direct editing of the httpd.conf file will result in the loss of the edits when you update or rebuild Apache, so you need to follow the "includes" guide to make sure your edits are added.

BUT critically you also need to remember to run the following command lines to get them included
/scripts/verify_vhost_includes
/scripts/rebuildhttpdconf

This last is missed out in the linked docs, presumably based on the assum(e)ption that people read a manual in a linear fashion. That could do with a little rethink (i.e. inclusion at the tail of the "includes" guide).

Took a looong time to get this sorted out, but not entirely sure why cPanel/WHM is not including the SSLCACertificateFile information by default... Bug?
Hope that saves someone an equally frustrating 5 hours head-desk abuse.
 

Marcllino

Member
Aug 3, 2015
Netherlands
cPanel Access Level
Root Administrator
Hi,

I also had this problem when installing the certificate. The CA bundle didn't 'register' correctly and an SSL check gave the warning that intermediate certs were not present.

I added the intermediate certs into the virtualhost manually and that worked, but is not how it should work.

Last week I installed a certificate and the same problem occurred. Every time I re-installed and added the CA bundle (through cPanel for the account) nothing happened and the intermediate certs didn't get 'registered'.

When I used WHM: Home » SSL/TLS » Install an SSL Certificate on a Domain

-> Browse certificates
-> Browse account (select the account where the cert is already installed)
-> Select (or is already selected) and click 'use certificate'
-> Scroll down to the 'Certificate Authority Bundle' section and add the intermediate certs

I use COMODO and the order for this is:
- AddTrustExternalCARoot
- COMODORSAAddTrustCA
- COMODORSAExtendedValidationSecureServerCA

Using this method the intermediate certs got 'registered' correctly. This assumes that you already installed the certificate through cPanel for the account (which apparently doesn't register the intermediate certs initially).

WHM version: 11.50.0 (build29) / CentOS 6.6

Hope this helps.

Regards,

Marcellino
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
Hello :)

Could you let us know if this issue continues on cPanel version 11.50.1.1 (Currently only available in the "Current" build tier), and if so, let us know who your certificate issuer is?

Thank you.
 

Khoi Nguyen

Registered
Nov 29, 2015
Hostname.club
cPanel Access Level
Root Administrator

joako

Well-Known Member
Aug 7, 2003
cPanel Access Level
DataCenter Provider
You can't just replace the CA, since in PKI the CA is the certificate (or parent certificate of the intermediate CA) that signed your certificate. You must contact the seller of the certificate (which is not necessarily GeoTrust) and have them reissue it. You should generate a new CSR with SHA-256 and a 4096-bit key.