ozzi4648
Guest
I struggled with cleaning up the absolute mess that SSL Manager makes out of installing something that should be a no-brainer, SSL CERTS. Have you looked at your SSL Manager in WHM listing lately? Do you know which certs are current and which are not? Are you seeing certs with the extension TEST and OLD? Not only that, my FREESSL didn't install thru the SSL Manager GUI. It just gave me one problem after another for about 3 days and still it wouldn't install properly from the GUI.
The only way to clean up the mess is to clean up SSL Manager. Every cert should only have 3 certs and possibly a cabundle and it should appear on ONE LINE, not spread out across zillions of lines displaying OLD and unused certs. I cleaned mine up. Now I have 3 certs displayed on one line and 3 cabundle files and that's it. You don't need to see anything more.
The only way to install certs is manually! Amen!
HOW TO CLEAN UP THE MESS!
su to your box
Open up WHM & SSL MANAGER on the box you're going to clean up.
Your certs are stored in a directory called
/usr/share/ssl/certs
Go into that directory:
cd /usr/share/ssl/certs
The only files you need in this directory are
ftpd-dsa.pem -> /etc/ftpd-dsa.pem
ftpd-rsa.pem -> /etc/ftpd-rsa.pem
imapd.pem
ipop3d.pem
dummy-cert
Makefile
srv08.primenet.cc.cabundle <-- My state of authority cert
srv08.primenet.cc.crt <-- My signed certificate
srv08.primenet.cc.csr <-- My CSR
Nothing else!
Everything else should be REMOVED WITH CARE.
Go into your private key directory
cd /usr/share/ssl/private
Again, the only files you need in this directory are:
ftpd-dhparam.pem -> /etc/ftpd-dhparam.pem
ftpd-dsa-key.pem -> /etc/ftpd-dsa-key.pem
ftpd-rsa-key.pem -> /etc/ftpd-rsa-key.pem
srv08.primenet.cc.key <-- My private key.
Nothing else.
Everything else should be removed with care.
In WHM simply REFRESH your screen. Clean as a whistle.
HOWTO INSTALL A FREESSL CERT:
This procedure works flawlessly and is the only way I could install this cert without problems. No mess, very little fuss and keeps your SSL Manager display free of clutter.
My example here uses a hostname called: my.securesite.com. You will replace my.securesite.com with the name of your cert.
Go into the cert directory:
cd /usr/share/ssl/certs
You should already see a .csr file in this directory; mine is called:
my.securesite.com.csr
You want to create a .cabundle and a .crt file to manually copy the certs from your e-mail into these files.
Create the .cabundle file
pico my.securesite.com.cabundle
Copy and paste the certificate of authority cert from your email into this file. It should be called something like The ChainedSSL Baltimore Intermediate Certificate.
Ctrl-x and save after pasting.
Create the .crt file
pico my.securesite.com.crt
Copy and paste the cert that says "Your Web Server Certificate" into this file.
Ctrl-x and save after pasting.
You're done in this directory.
Cd into the private key directory:
cd /usr/share/ssl/private
You should already see a matching file called my.securesite.com.key in here. Don't touch it, you're done!
Before reloading SSL manager you need to make the necessary adjustments to httpd.conf
cd /etc/httpd/conf/
pico httpd.conf
Scroll to the bottom of the file and add this entry for your FREESSL cert!
<IfDefine SSL>
<VirtualHost 111.11.111.111:443>
ServerAdmin [email protected]
DocumentRoot /usr/local/apache/htdocs
BytesLog domlogs/my.securesite.com-bytes_log
ServerName my.securesite.com
CustomLog /usr/local/apache/domlogs/my.securesite.com-ssl_log "%t %{version}c %{cipher}c %{clientcert}c"
SSLEnable
SSLCertificateFile /usr/share/ssl/certs/my.securesite.com.crt
SSLCertificateKeyFile /usr/share/ssl/private/my.securesite.com.key
SSLCACertificateFile /usr/share/ssl/certs/my.securesite.com.cabundle
SSLLogFile /var/log/my.securesite.com
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
</VirtualHost>
</IfDefine>
NOTE: Replace the 111.11.111.111 IP above with your server IP.
Replace my.securesite.com with the proper name of your certificate.
IMPORTANT: If this cert is being installed on an IP that you have given a client, say you gave him an IP-based site, then you need to change 111.11.111.111 above to the IP you assigned him, and you also need to change line four above, that's bolded, from:
DocumentRoot /usr/local/apache/htdocs
to
DocumentRoot /home/{username}/public_html
Otherwise, 111.11.111.111 should be replaced with the shared IP that's assigned to your server and DocumentRoot /usr/local/apache/htdocs is the correct setting.
Save, Ctrl-x and restart Apache: /etc/rc.d/init.d/httpd stop, then start. SSL is much happier being stopped first, then started.
Now go back into WHM and reload WHM. In SSL Manager you should see your FREESSL cert! No clutter, no mess.
Test
-Me
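
A check to run after pasting the .crt and .cabundle files and before restarting Apache, added here as an example and not part of the original post: it confirms that the certificate and CSR carry the same public key as the private key, that the certificate is signed by a CA in the cabundle, and that the key file is not group- or world-readable. It assumes the openssl command-line tool is installed; pubkey_of, check_cert_set and make_demo_set are hypothetical helper names, and make_demo_set builds a constructed throwaway CA and cert set for a dry run.

```shell
#!/bin/sh
# Added example: pre-restart checks for a hand-installed cert set.
# Assumes the openssl CLI (1.0.2 or later) and the post's file naming.

# Print the PEM public key carried by a cert, CSR or private key.
pubkey_of() {  # $1 = x509|req|pkey, $2 = file
    case "$1" in
        x509) openssl x509 -in "$2" -noout -pubkey ;;
        req)  openssl req  -in "$2" -noout -pubkey ;;
        pkey) openssl pkey -in "$2" -pubout ;;
    esac 2>/dev/null
}

# Returns 0 only if key, cert, CSR and cabundle belong together.
check_cert_set() {  # $1 = certs dir, $2 = private dir, $3 = cert name
    crt="$1/$3.crt"; csr="$1/$3.csr"; bundle="$1/$3.cabundle"; key="$2/$3.key"
    rc=0
    pub=$(pubkey_of pkey "$key")
    [ -n "$pub" ] || { echo "FAIL: cannot read $key"; return 1; }
    [ "$(pubkey_of x509 "$crt")" = "$pub" ] ||
        { echo "FAIL: $crt was not issued for $key"; rc=1; }
    [ "$(pubkey_of req "$csr")" = "$pub" ] ||
        { echo "FAIL: $csr was not generated from $key"; rc=1; }
    # -partial_chain: accept the pasted intermediate as the trust anchor.
    openssl verify -partial_chain -CAfile "$bundle" "$crt" >/dev/null 2>&1 ||
        { echo "FAIL: $crt is not signed by a CA in $bundle (or has expired)"; rc=1; }
    # The private key must not be readable by group or others.
    [ -z "$(find "$key" \( -perm -040 -o -perm -004 \))" ] ||
        { echo "FAIL: $key is group- or world-readable"; rc=1; }
    return $rc
}

# Build a constructed (throwaway) CA and cert set for a dry run.
make_demo_set() {  # $1 = empty work dir, $2 = cert name
    mkdir -p "$1/certs" "$1/private" || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Constructed Test CA" \
        -keyout "$1/ca.key" -out "$1/certs/$2.cabundle" 2>/dev/null || return 1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1/private/$2.key" -out "$1/certs/$2.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$1/certs/$2.csr" -CA "$1/certs/$2.cabundle" -CAkey "$1/ca.key" \
        -set_serial 1 -days 2 -out "$1/certs/$2.crt" 2>/dev/null || return 1
    chmod 600 "$1/private/$2.key"
}

# Usage: sh check.sh /usr/share/ssl/certs /usr/share/ssl/private my.securesite.com
if [ $# -eq 3 ]; then check_cert_set "$@"; fi
```

A mismatch between the .crt and the .key is the usual reason Apache refuses to start after a manual paste, so running this first avoids taking the server down with the stop/start.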
