WHM makes a real mess out of installation Certs

ozzi4648

Guest
I struggled with cleaning up the absolute mess that SSL manager makes out of installing something that should be a no-brainer, SSL CERTS. Have you looked at your SSL Manager in WHM listing lately? Do you know which certs are current and which are not? Are you seeing certs with the extension TEST and OLD? Not only that, my FREESSL didn't install thru the SSL Manager GUI. It just gave me one problem after another for about 3 days and still it wouldn't install properly from the GUI.

The only way to clean up the mess is to clean up SSL Manager. Every cert should only have 3 certs and possibly a cabundle and it should appear on ONE LINE, not spread out across zillions of lines displaying OLD and unused certs. I cleaned mine up. Now I have 3 certs displayed on one line and 3 cabundle files and that's it. You don't need to see anything more.

The only way to install certs is manually! Amen!

HOW TO CLEAN UP THE MESS!

su to your box

Open up WHM & SSL MANAGER on the box you're going to clean up.

Your certs are stored in a directory called

/usr/share/ssl/certs

Go into that directory:

cd /usr/share/ssl/certs

The only files you need in this directory are

ftpd-dsa.pem -> /etc/ftpd-dsa.pem
ftpd-rsa.pem -> /etc/ftpd-rsa.pem
imapd.pem
ipop3d.pem
dummy-cert
Makefile
srv08.primenet.cc.cabundle <-- My state of authority cert
srv08.primenet.cc.crt <-- My signed certificate
srv08.primenet.cc.csr <-- My CSR

Nothing else!

Everything else should be REMOVED WITH CARE.

Go into your private key directory

cd /usr/share/ssl/private

Again, the only files you need in this directory are:

ftpd-dhparam.pem -> /etc/ftpd-dhparam.pem
ftpd-dsa-key.pem -> /etc/ftpd-dsa-key.pem
ftpd-rsa-key.pem -> /etc/ftpd-rsa-key.pem
srv08.primenet.cc.key <-- My private key.

Nothing else.

Everything else should be removed with care.

In WHM simply REFRESH your screen. Clean as a whistle.

HOWTO INSTALL A FREESSL CERT:

This procedure works flawlessly and is the only way I could install this cert without problems. No mess, very little fuss and keeps your SSL Manager display free of clutter.

My example here uses a hostname called: my.securesite.com. You will replace my.securesite.com with the name of your cert.

Go into the cert directory:

cd /usr/share/ssl/certs

You should already see a .csr file in this directory; mine is called:

my.securesite.com.csr

You want to create a .cabundle and a .crt file to manually copy the certs from your e-mail into these files.

Create the .cabundle file

pico my.securesite.com.cabundle

Copy and paste the certificate of authority cert from your email into this file. It should be called something like The ChainedSSL Baltimore Intermediate Certificate.

Ctrl-x and save after pasting.

Create the .crt file

pico my.securesite.com.crt

Copy and paste the cert that says, Your Web Server Certificate into this file.

Ctrl-x and save after pasting.

You're done in this directory.

Cd into the private key directory:

cd /usr/share/ssl/private

You should already see a matching file called my.securesite.com.key in here. Don't touch it, you're done!

Before reloading SSL manager you need to make the necessary adjustments to httpd.conf.

cd /etc/httpd/conf/

pico httpd.conf

Scroll to the bottom of the file and add this entry for your FREESSL cert!

<IfDefine SSL>
<VirtualHost 111.11.111.111:443>
ServerAdmin [email protected]
DocumentRoot /usr/local/apache/htdocs
BytesLog domlogs/my.securesite.com-bytes_log
ServerName my.securesite.com
CustomLog /usr/local/apache/domlogs/my.securesite.com-ssl_log "%t %{version}c %{cipher}c %{clientcert}c"
SSLEnable
SSLCertificateFile /usr/share/ssl/certs/my.securesite.com.crt
SSLCertificateKeyFile /usr/share/ssl/private/my.securesite.com.key
SSLCACertificateFile /usr/share/ssl/certs/my.securesite.com.cabundle
SSLLogFile /var/log/my.securesite.com
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
</VirtualHost>
</IfDefine>

NOTE: Replace 111.11.111.111 ip above with your server ip
Replace my.securesite.com with the proper name of your certificate.

IMPORTANT: If this cert is being installed on an ip that you have given a client, say you gave him an ip based site, then you need to change 111.11.111.111 above to the ip you assigned him and also you need to change line four, above, that's bolded out from:

DocumentRoot /usr/local/apache/htdocs

to

DocumentRoot /home/{username}/public_html

Otherwise, 111.11.111.111 should be replaced with the shared ip that's assigned to your server and DocumentRoot /usr/local/apache/htdocs is the correct setting.

Save, Ctrl-x and restart apache: /etc/rc.d/init.d/httpd stop, then start. SSL is much happier being stopped first, then started.

Now go back into WHM and reload WHM. In SSL Manager you should see your FREESSL cert! No clutter no mess.

Test

-Me

:)
 

pingo

Well-Known Member
Nov 16, 2002
Thanks a lot for that how-to - I have waited for weeks on sys. admins to install it but they couldn't figure it out. Something strange happened when they tried to do it through WHM.

John
 
ozzi4648

Guest
Originally posted by shaun:

> I installed a freessl cert just fine thru the gui...
>
> twice.

Well good for you! I'm glad somebody could! :p
 
ozzi4648

Guest
I'm not trying to install anything, everything is done. Read above.
 

AusJeff

Active Member
Jan 10, 2003
What did I miss

Mmm, just followed that to a T, and quadruple checked, but HTTPD fails to start. Comment out all the lines between IfDefine and httpd starts OK.

What am I missing ???
 

ozzi4648

Guest
Originally posted by AusJeff:

> Mmm, just followed that to a T, and quadruple checked, but HTTPD fails to start. Comment out all the lines between IfDefine and httpd starts OK.
>
> What am I missing ???

Don't know, can you post your IfDefines?
 

elor

Active Member
Apr 20, 2003
I had the same problem. Did you get through this??

But I noticed something else.

The CRT that was generated with the KEY does not match the CRT that came with the cabundle?? If I use the ChainedSSL CRT, then that crt gets put in the noKey bin.

Any thoughts on this one?
 

elor

Active Member
Apr 20, 2003
I got to a point where I can get httpd to start, but only using the existing ca-bundle found within usr/share/ssl/certs; httpd does not start with the chained ssl baltimore ca crt.

But.... even though the details look correct in the certificate, it comes up as an unknown (not trusted) site.

Anyone have this and get through it?
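
A pre-flight check for the three files this thread keeps coming back to, as an added example (not from any poster here and not cPanel's code; the function names are made up for it): it confirms the .crt carries the same public key as the .key and that the .crt verifies against the .cabundle, using stock openssl subcommands.

```shell
#!/bin/sh
# Added example: consistency checks for a manually installed certificate.
# Function names are made up for this example; only stock openssl is used.

# Public key (PEM) embedded in a certificate.
cert_pubkey() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }

# Public key (PEM) derived from a private key file.
key_pubkey() { openssl pkey -in "$1" -pubout 2>/dev/null; }

# 0 if the certificate carries the public key of this private key,
# 1 on mismatch, 2 if either file cannot be read or parsed.
cert_matches_key() {
    c=$(cert_pubkey "$1") || return 2
    k=$(key_pubkey "$2") || return 2
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# 0 if the certificate verifies against the CAs in the bundle file.
# A bundle holding only an intermediate verifies only when the root is
# also in OpenSSL's default CA directory on this machine.
chain_verifies() { openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; }

# Run both checks and say which one failed.
preflight() {
    crt=$1; key=$2; bundle=$3
    if ! cert_matches_key "$crt" "$key"; then
        echo "FAIL: $crt and $key do not match (or cannot be read)"; return 1
    fi
    if ! chain_verifies "$crt" "$bundle"; then
        echo "FAIL: $crt does not chain to $bundle"; return 1
    fi
    echo "OK: $crt, $key and $bundle belong together"
}

# Usage: sh preflight.sh CRT KEY CABUNDLE
if [ "$#" -eq 3 ]; then preflight "$@"; fi
```

Run it after pasting the files and before the httpd stop/start; it catches a certificate saved next to the wrong key, or a bundle that does not belong to it, without taking the web server down to find out.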
 

Gliebster

Active Member
Jul 17, 2002
Thank you, ozzi!

I just followed your guide to get my new GeoTrust cert installed

whew!
