The Community Forums


WHM makes a real mess out of installation Certs

Discussion in 'General Discussion' started by ozzi4648, Jan 19, 2003.

  1. ozzi4648

    ozzi4648 Guest

    I struggled with cleaning up the absolute mess that SSL manager makes out of installing something that should be a no-brainer, SSL CERTS. Have you looked at your SSL Manager in WHM listing lately? Do you know which certs are current and which are not? Are you seeing certs with the extension TEST and OLD? Not only that, my FREESSL didn't install thru the SSL Manager GUI. It just gave me one problem after another for about 3 days and still it wouldn't install properly from the GUI.

    The only way to clean up the mess is to clean up SSL Manager. Every cert should only have 3 certs and possibly a cabundle and it should appear on ONE LINE, not spread out across zillions of lines displaying OLD and unused certs. I cleaned mine up. Now I have 3 certs displayed on one line and 3 cabundle files and that's it. You don't need to see anything more.

    The only way to install certs is manually! Amen!

    HOW TO CLEAN UP THE MESS!

    su to your box

    Open up WHM & SSL MANAGER on the box you're going to clean up.

    Your certs are stored in a directory called

    /usr/share/ssl/certs

    Go into that directory:

    cd /usr/share/ssl/certs

    The only files you need in this directory are

    ftpd-dsa.pem -> /etc/ftpd-dsa.pem
    ftpd-rsa.pem -> /etc/ftpd-rsa.pem
    imapd.pem
    ipop3d.pem
    dummy-cert
    Makefile
    srv08.primenet.cc.cabundle <-- My state of authority cert
    srv08.primenet.cc.crt <-- My signed certificate
    srv08.primenet.cc.csr <-- My CSR

    Nothing else!

    Everything else should be REMOVED WITH CARE.

    Go into your private key directory

    cd /usr/share/ssl/private

    Again, the only files you need in this directory are:

    ftpd-dhparam.pem -> /etc/ftpd-dhparam.pem
    ftpd-dsa-key.pem -> /etc/ftpd-dsa-key.pem
    ftpd-rsa-key.pem -> /etc/ftpd-rsa-key.pem
    srv08.primenet.cc.key <-- My private key.

    Nothing else.

    Everything else should be removed with care.

    In WHM simply REFRESH your screen. Clean as a whistle.

    HOWTO INSTALL A FREESSL CERT:

    This procedure works flawlessly and is the only way I could install this cert without problems. No mess, very little fuss and keeps your SSL Manager display free of clutter.

    My example here uses a hostname called: my.securesite.com. You will replace my.securesite.com with the name of your cert.

    Go into the cert directory:

    cd /usr/share/ssl/certs

    You should already see a .csr file in this directory; mine is called:

    my.securesite.com.csr

    You want to create a .cabundle and a .crt file to manually copy the certs from your e-mail into these files.

    Create the .cabundle file

    pico my.securesite.com.cabundle

    Copy and paste the certificate of authority cert from your email into this file. It should be called something like The ChainedSSL Baltimore Intermediate Certificate.

    Ctrl-x and save after pasting.

    Create the .crt file

    pico my.securesite.com.crt

    Copy and paste the cert that says, Your Web Server Certificate into this file.

    Ctrl-x and save after pasting.

    You're done in this directory.

    cd into the private key directory:

    cd /usr/share/ssl/private

    You should already see a matching file called my.securesite.com.key in here. Don't touch it, you're done!

    Before reloading SSL manager you need to make the necessary adjustments to httpd.conf:

    cd /etc/httpd/conf/

    pico httpd.conf

    Scroll to the bottom of the file and add this entry for your FREESSL cert!

    <IfDefine SSL>
    <VirtualHost 111.11.111.111:443>
    ServerAdmin webmaster@my.securesite.com
    DocumentRoot /usr/local/apache/htdocs
    BytesLog domlogs/my.securesite.com-bytes_log
    ServerName my.securesite.com
    CustomLog /usr/local/apache/domlogs/my.securesite.com-ssl_log "%t %{version}c %{cipher}c %{clientcert}c"
    SSLEnable
    SSLCertificateFile /usr/share/ssl/certs/my.securesite.com.crt
    SSLCertificateKeyFile /usr/share/ssl/private/my.securesite.com.key
    SSLCACertificateFile /usr/share/ssl/certs/my.securesite.com.cabundle
    SSLLogFile /var/log/my.securesite.com
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
    </VirtualHost>
    </IfDefine>

    NOTE: Replace 111.11.111.111 ip above with your server ip
    Replace my.securesite.com with the proper name of your certificate.

    IMPORTANT: If this cert is being installed on an ip that you have given a client, say you gave him an ip based site, then you need to change 111.11.111.111 above to the ip you assigned him and also you need to change line four above (the DocumentRoot line) from:

    DocumentRoot /usr/local/apache/htdocs

    to

    DocumentRoot /home/{username}/public_html

    Otherwise, 111.11.111.111 should be replaced with the shared ip that's assigned to your server and DocumentRoot /usr/local/apache/htdocs is the correct setting.

    Save, Ctrl-x and restart apache: /etc/rc.d/init.d/httpd stop, then start. SSL is much happier being stopped first, then started.

    Now go back into WHM and reload WHM. In SSL Manager you should see your FREESSL cert! No clutter no mess.

    Test

    -Me

    :)
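
A mistyped path in any of the three SSL file directives in the stanza above is enough to keep httpd from starting, so the stanza is worth checking before the restart. The shell functions below are an added example, not part of ozzi4648's post; `ssl_paths` and `check_vhost` are hypothetical helper names, and the parser assumes the directives are spelled as in the stanza above.

```shell
#!/bin/sh
# Added example, not from the original post: check the SSL file directives of
# one <VirtualHost> before restarting httpd.

# Print "Directive path" for every SSL*File directive inside the vhost of
# config file $1 whose ServerName is $2 (directive spelling as in the post).
ssl_paths() {
    awk -v name="$2" '
        /^[ \t]*<VirtualHost/   { buf = ""; hit = 0; next }
        /^[ \t]*<\/VirtualHost/ { if (hit) printf "%s", buf; next }
        $1 == "ServerName" && $2 == name { hit = 1 }
        $1 ~ /^SSL(Certificate|CertificateKey|CACertificate)File$/ {
            buf = buf $1 " " $2 "\n"
        }' "$1"
}

# Return 0 only if each referenced file exists, carries the expected PEM
# header, and the private key is not readable by group or other.
# Prints one line per problem found.
check_vhost() {
    paths=$(ssl_paths "$1" "$2")
    [ -n "$paths" ] || { echo "no SSL file directives found for $2"; return 1; }
    bad=0
    while read -r dir path; do
        case $dir in
            SSLCertificateKeyFile) want='PRIVATE KEY-----' ;;
            *)                     want='-----BEGIN CERTIFICATE-----' ;;
        esac
        if [ ! -f "$path" ]; then
            echo "$dir: no such file: $path"; bad=1
        elif ! grep -qF -- "$want" "$path"; then
            echo "$dir: $path lacks a '$want' PEM header"; bad=1
        elif [ "$dir" = SSLCertificateKeyFile ] &&
             [ -n "$(find "$path" \( -perm -040 -o -perm -004 \))" ]; then
            echo "$dir: $path is readable by group or other"; bad=1
        fi
    done <<EOF
$paths
EOF
    return "$bad"
}

# Usage: check_vhost /etc/httpd/conf/httpd.conf my.securesite.com
```

A non-zero return with a "no such file" line points at a pasted-in path that does not match the file created in /usr/share/ssl/certs or /usr/share/ssl/private.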
     
  2. dgbaker

    dgbaker Well-Known Member
    PartnerNOC

    Joined:
    Sep 20, 2002
    Messages:
    2,578
    Likes Received:
    3
    Trophy Points:
    38
    Location:
    Toronto, Ontario Canada
    Now that is a nice precise write up on how to do this.

    Thanks Ozzi.
     
  3. PWSowner

    PWSowner Well-Known Member

    Joined:
    Nov 10, 2001
    Messages:
    2,948
    Likes Received:
    3
    Trophy Points:
    38
    Location:
    ON, Canada
    Thanks Ozzi.
    I've just recently started studying the SSL actions on my server and your post just made the studying much easier. :p
     
  4. pingo

    pingo Well-Known Member

    Joined:
    Nov 16, 2002
    Messages:
    430
    Likes Received:
    0
    Trophy Points:
    16
    Thanks a lot for that how-to - I have waited for weeks on sys. admins to install it but they couldn't figure it out. Something strange happened when they tried to do it through WHM.

    John
     
  5. shaun

    shaun Well-Known Member

    Joined:
    Nov 9, 2001
    Messages:
    698
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    San Clemente, Ca
    I installed a freessl cert just fine thru the gui...

    twice.
     
  6. ozzi4648

    ozzi4648 Guest

    Originally posted by shaun:

    > I installed a freessl cert just fine thru the gui...
    >
    > twice.

    Well good for you! I'm glad somebody could! :p
     
  7. shaun

    shaun Well-Known Member

    Joined:
    Nov 9, 2001
    Messages:
    698
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    San Clemente, Ca
    ozzie: are you trying to install the freessl or the chainssl?
     
  8. ozzi4648

    ozzi4648 Guest

    I'm not trying to install anything, everything is done. Read above.
     
  9. AusJeff

    AusJeff Active Member

    Joined:
    Jan 10, 2003
    Messages:
    42
    Likes Received:
    0
    Trophy Points:
    6
    What did I miss

    Mmm just followed that to a T, and quadruple checked, but HTTPD fails to start. Comment out all the lines between IfDefine and httpd starts OK.

    What am I missing ???
     
  11. ozzi4648

    ozzi4648 Guest

    Originally posted by AusJeff:

    > Mmm just followed that to a T, and quadruple checked, but HTTPD fails to start. Comment out all the lines between IfDefine and httpd starts OK.
    >
    > What am I missing ???

    Don't know, can you post your IfDefines?
     
  12. elor

    elor Active Member

    Joined:
    Apr 20, 2003
    Messages:
    32
    Likes Received:
    0
    Trophy Points:
    6
    I had the same problem. Did you get through this??

    But I noticed something else.

    The CRT that was generated with the KEY does not match the CRT that came with the cabundle?? If I use the ChainedSSL CRT, then that crt gets put in the noKey bin.

    Any thoughts on this one?
     
  13. elor

    elor Active Member

    Joined:
    Apr 20, 2003
    Messages:
    32
    Likes Received:
    0
    Trophy Points:
    6
    I got to a point where I can get httpd to start, but only using the existing ca-bundle found within usr/share/ssl/certs, httpd does not start with the chained ssl baltimore ca crt.

    But.... even though the details look correct in the certificate, it comes up as an unknown (not trusted) site.

    Anyone have this and get through it?
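
The two symptoms elor describes above, a certificate that does not pair with the installed key and a site that shows as untrusted, can each be checked from the shell before httpd.conf is touched. This is an added example, not code from the thread; the function names are hypothetical, and it assumes the `openssl` command-line tool is installed and the file layout from the how-to at the top of the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Requires the openssl command-line tool.

# Return 0 if certificate $1 was issued for private key $2, by comparing the
# public key embedded in the certificate with the one derived from the key.
# Returns 2 if either file cannot be parsed.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Return 0 if certificate $1 verifies when the CA bundle $2 supplies the
# issuing certificates. openssl prints "<file>: OK" on success, so the
# function matches on that line.
chain_verifies() {
    openssl verify -CAfile "$2" "$1" 2>/dev/null | grep -q ': OK$'
}

# Report on one hostname's files, laid out as in the how-to
# (for example: check_host my.securesite.com).
check_host() {
    crt=/usr/share/ssl/certs/$1.crt
    key=/usr/share/ssl/private/$1.key
    bundle=/usr/share/ssl/certs/$1.cabundle
    cert_matches_key "$crt" "$key" ||
        echo "$1: certificate does not belong to $key"
    chain_verifies "$crt" "$bundle" ||
        echo "$1: certificate does not verify against $bundle"
}
```

A mismatch from `cert_matches_key` means the certificate was issued for a different CSR than the one generated alongside the key on disk; a failure from `chain_verifies` means the .cabundle file does not contain the issuer of the pasted certificate.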
     
  14. Gliebster

    Gliebster Active Member

    Joined:
    Jul 17, 2002
    Messages:
    25
    Likes Received:
    0
    Trophy Points:
    1
    Thank you, ozzi!

    I just followed your guide to get my new GeoTrust cert installed

    whew!
