Updating SSL Certificate

Discussion in 'General Discussion' started by mixx941, Apr 23, 2005.

  1. mixx941

    mixx941 Well-Known Member

    Joined:
    Oct 28, 2003
    Messages:
    63
    Likes Received:
    0
    Trophy Points:
    6
    Hello everyone. I am trying to update a SSL certificate for a client. They had one for a year and it expired. They renewed it and gave me the new certificate. I go to WHM and under the "Install SSL Certificate and Set Up The Domain" area pull up their SSL info. I then replace the crt with the new one and "Do It". It said that it worked fine.

    However, when I go to their "secure.theirdomain.com", it shows expired, which means the new crt did not take effect.

    So I went into the httpd.conf file and searched for what crt it was trying to pull. It's trying to pull from /etc/ssl/certs/secure.theirdomain.com.crt, so I went there. It's showing the old cert. I made a backup of the file and replaced the original with the updated crt and attempted to restart Apache. HTTPD Failed. I put the old cert back on and it started back up again.

    I'm wondering what is the proper way to do this via WHM. Sorry for my inexperience, but I only have one customer that uses SSL, and this is the first time I have needed to update via WHM.

    Thanks in advance for any help.

    -Mark
     
  2. kris1351

    kris1351 Well-Known Member

    Joined:
    Apr 18, 2003
    Messages:
    963
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Lewisville, Tx
    Depending on the certificate, there might be a new key along with it. If there is, that needs to be installed with the cert. The other option is to delete the SSL through WHM and install it from scratch. While they say renewals, the SSLs are generally just a new SSL that has to be treated that way.
     
  3. Trigger

    Trigger Well-Known Member

    Joined:
    May 17, 2003
    Messages:
    87
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Brisbane
    Always treat renewals for certificates as new installs that will just overwrite the old information. You must ensure that the .crt issued by the certificate company is used with the correct RSA Private key that was generated with the new CSR.
    Always a good idea to paste both pieces of information in directly rather than letting the server fetch it, as you could end up with a mismatched pair.

    If you are renewing a chained certificate like those issued by Comodo (instantssl), then make sure that you are using the correct CA bundle. Comodo are now using a new CA bundle, so you will need to use that one rather than the one currently on the server.
     
  4. mixx941

    mixx941 Well-Known Member

    Thanks for the replies. I asked the customer if he had a new RSA key from the SSL company, but he said the only info that he got back from the SSL company was the new certificate.

    He says his SSL company said to examine the httpd.conf to look for what CRT it was trying to pull, which is what I did do. The certificate that it's pulling is the outdated one (at /etc/ssl/certs/secure.theirdomain.com.crt). I tried to update that file, however, as I said, Apache would not start after that. The only thing it output is that HTTPD failed to start. Any idea why it might not start?

    The other thing I notice is that in the user's home directory (/home/user/ssl/crts/) there is a crt there as well. secure.domain.com.crt and secure.domain.com.csr both exist in /home/usr/ssl/crts/, and that .crt is up to date. Is WHM somehow updating that and that's the wrong one?

    Thanks again.

    -Mark
     
  5. Trigger

    Trigger Well-Known Member

    The RSA Private key is generated by WHM when you generate the CSR (they are created as a pair and you get two emails), the customer sends the CSR off to the SSL company and they generate the certificate (the .crt) using the info in the CSR.

    If the customer generated the CSR themselves then they should have the RSA private key as well.

    Apache failed to start after you updated the file because the .crt file did not belong to the .key file as the old file was still being referenced.
     
  6. mixx941

    mixx941 Well-Known Member

    Right, a year ago when they ordered the SSL, I generated the CSR via WHM and had it emailed to them. They then sent me back the CRT and I put it in WHM and it worked.

    Now, it's expired and all they sent me is a new CRT. I'm not sure what they gave to the SSL company to generate it, however I'm assuming it's the CSR from before since they did not ask me for any info.

    If they used the same CSR, then wouldn't the key remain the same and all that is updated is the CRT?

    Sorry again about my confusion, and thanks for your replies :).

    -Mark
     
  7. mixx941

    mixx941 Well-Known Member

    Okay I found the key that goes with the SSL certificate. I updated them both in /etc/ssl/certs and /etc/ssl/private/ ...restarted Apache, and it worked.

    What I'd like to know is why WHM doesn't edit the proper files....or maybe why the httpd.conf points to the ones WHM doesn't update.

    I created everything via WHM on this server, and when I initially created the first one over a year ago, it worked fine. But somehow either WHM is editing /home/user/ssl/ instead of /etc/ssl/, or somehow it's referenced wrong.

    How to fix for the future?

    Thanks in advance.

    -Mark
     
  8. danimal

    danimal Well-Known Member

    Joined:
    Jul 14, 2003
    Messages:
    79
    Likes Received:
    0
    Trophy Points:
    6
    Also frustrated

    Mark,

    I'm in the same boat as you. The problem is that I put the renewal cert in via the client's cPanel view (it has SSL management tools)... but the old cert is what is being used. I think it's the same deal as you... their new cert is now in their /home/user/... space, but Apache is using the /etc/ssl/... space for its configs.

    What a pain.

    I'm gonna try deleting the cert and installing the new one via WHM instead of the user cPanel. Hopefully that will work. It's a bummer, though... it would be nice if these two interfaces (cPanel SSL mgmt and WHM SSL mgmt) worked together nicely.

    :rolleyes:

    -Danimal :cool:
     
  9. danimal

    danimal Well-Known Member

    Ok, that worked...

    In WHM, I used the "Install a SSL Certificate and Setup the Domain" form.

    I put in the domain, user, and IP address and then used Fetch on the key. I did this because I had renewed the cert, so presumably it used the same CSR and key as the original a year ago.

    (oh, side note, I backed up the old Cert/Key/CSR and the new Cert/Key/CSR beforehand, just in case. :) )

    Then, I cut-n-pasted the new cert into the crt field rather than the "Fetch" button (cause the "Fetch" just loads the old one apparently).

    Interestingly, it auto-loaded a ca bundle, but I left that as-is and hit the submit ("Do it") button.

    Voila! It apparently updated everything correctly! The site now shows the updated cert.

    And the plus was that I didn't have to delete anything first, so there was no "downtime".

    In the future, I'll just use the WHM mechanism and not the cPanel tools.

    But at least things are back working with a new cert. Whee!

    -Danimal :D

    EDIT: a nice side-effect by doing it this way: WHM created a backup of the CRT, so in the SSL/KeyCRT Manager list, it shows the current CRT, the old one that almost expired and the old one before that (a self-generated cert before we bought one). Nice!
     
    #9 danimal, Mar 12, 2006
    Last edited: Mar 12, 2006
  10. Trigger

    Trigger Well-Known Member

    Just for the record, how you install/update a certificate. What will work.

    1. SSH - Copy the files and edit the httpd.conf, always works

    2. WHM Root account - Very good, almost never have a problem unless the server is under load at the time.

    3. WHM Reseller account - Will work most of the time but you can have problems occasionally if someone else is making a change at the same time.

    4. cPanel tools - Works occasionally, buggy at best, does not always find or insert files in the correct place
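
An added example, not part of the thread or of cPanel's tooling: a shell pre-flight check for the situation discussed above, confirming that a renewed .crt is unexpired and belongs to the private key before it replaces the file Apache loads. The function names and the demo files (generated under a temporary directory) are assumptions; it assumes an unencrypted key and the `openssl` command-line tool.

```sh
#!/bin/sh
# Added example (not from the thread): check a certificate/key pair before
# swapping it into the paths referenced by httpd.conf.

# Exit 0 if the certificate's public key equals the one derived from the key file.
pair_matches() {
    local c k
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Exit 0 only if the certificate is unexpired and belongs to the given key.
preflight() {
    local crt="$1" key="$2"
    if ! openssl x509 -in "$crt" -noout -checkend 0 >/dev/null 2>&1; then
        echo "FAIL: $crt is expired or unreadable"; return 1
    fi
    if ! pair_matches "$crt" "$key"; then
        echo "FAIL: $crt was not issued for $key"; return 1
    fi
    echo "OK: $crt matches $key ($(openssl x509 -in "$crt" -noout -enddate))"
}

# Constructed sample data: two independent self-signed pairs standing in for
# "last year's key" and "a renewal issued from a fresh CSR".
make_demo() {
    DEMO=$(mktemp -d)
    for n in old new; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
            -subj "/CN=secure.example.test" \
            -keyout "$DEMO/$n.key" -out "$DEMO/$n.crt" 2>/dev/null
    done
}

make_demo
preflight "$DEMO/new.crt" "$DEMO/new.key"          # matching pair
preflight "$DEMO/new.crt" "$DEMO/old.key" || true  # new cert paired with the old key
rm -rf "$DEMO"
```

On a real server, `preflight` would be pointed at the new .crt and the key file that httpd.conf references, and Apache restarted only if it returns 0.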
     