DirectAdmin SSL Setup w/ Comodo PositiveSSL

ccf008

I'm having issues with the Comodo PositiveSSL and my domain, www.peerfly.com.

I've done everything as stated in the online help pages and I've read several of the messages on this forum with similar issues. The problem is that it gives a "sec_error_unknown_issuer" on Firefox with XP. Everything else works fine: all the other major browsers and other operating systems. It's just XP with FF3.

When I run an OpenSSL query on: s_client -connect www.peerfly.com:443 -showcerts

It shows:

CONNECTED(00000003)
depth=0 /OU=Domain Control Validated/OU=PositiveSSL/CN=www.peerfly.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /OU=Domain Control Validated/OU=PositiveSSL/CN=www.peerfly.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 /OU=Domain Control Validated/OU=PositiveSSL/CN=www.peerfly.com
verify error:num=21:unable to verify the first certificate
verify return:1

Here are the files that are being loaded:

SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
SSLCACertificateFile /usr/local/directadmin/data/users/admin/domains/peerfly.com.cacert

I clicked all the correct radio buttons, checked and rechecked. What is the issue?

Thanks in advance!
 
When I look now I'm seeing the PositiveSSL cert is installed, but their CACert isn't. Do you own the server? If no, then contact your hosting company for information on where to put the cacert. You may need to check with Comodo to make sure that you're installing the right CACert.

If yes, if it is your server, then is the site created under the admin's login under "User Level"? If so it may need to go into a different location.

Exactly how did you install the CACert?

Next time buy a Certificate from me :); we charge a bit less than they do for a one-year Certificate with installation included.

:)

Jeff
 
Thanks for the reply. Yes, the server is mine. It looks like the domain is under the admin username. How can I move the domain to a new username?

I installed it like shown on http://www.site-helper.com/ssl.html

EDIT: I saw a thread on here on how to move a domain to another user and the person was having troubles with it. Is there an easier, fail-proof way of moving a domain to another user? Our website cannot go down and I cannot risk losing any of our files or databases. What to do?
 
I haven't had problems moving sites between users, but that doesn't mean you won't. Since the admin user sites are handled slightly differently, you could have a problem.

Note that the following suggestions are NOT guaranteed. If you want us to guarantee what we say/do is accurate, then you must hire us :D.

You may want to build your site manually as a new site, and set up all the content the way you normally would.

For example, if your site name is example.com:

Create a new user with an empty site named new.example.com. The package should be unlimited. The new IP# should be owned by the reseller and the new user.

Then once it's set up:

Back up your regular site: example.com.

Delete the old site, under user admin.

Restore the backup under the new user.

Delete the site new.example.com

This should give you close to no downtime.

Remember we're only responsible if we do the work. :D

Jeff
 
It happens when the CAcert is not installed properly; in such a case the user should re-install their CAcert properly. If there is any major problem with the installation, the best option is to contact the support team of your SSL provider :). Maybe you are not the only one who faces such problems, and sometimes it may be a bug, so it is better to ask the support team where you purchased the SSL certificate. In such cases resellers are better than the certification authority itself; I bought a Comodo PositiveSSL from a reseller and got complete support from them, from installation to notification of expiry.
 
FIXING directadmin SSL problems, INSTALL COMODO Positive SSL

This note describes
* Resetting SSL config --How to clear out problematic SSL configurations created by DA
* How to install COMODO Positive SSL and other Comodo certs that include multiple certificates.

FIRST: Never mess with SSL until you have to.
-- Don't just plan to INSTALL a new cert during off-peak hours.
-- DO PLAN to do EVERYTHING -- Request the new cert, etc. -- during off-peak hours.

SECOND: The cleaning out is under-the-hood stuff. Root access needed. If you're lucky you won't need to do this. Only for when things are messed up and unfixable by the DA control panel.


Finally: When getting a new SSL, I think problems come (on my old version of DA) from this confusing interface:
Create your own self signed certificate <<BAD
Create A Certificate Request << GOOD

Make sure you have clicked the right buttons. (I think this is where leftover SSL junk comes from.)

SO: If you are having problems making the DA SSL panels behave, you and DA may have messed things up. I personally messed things up with DA's SSL settings. Not sure how, but it's possible to create messed up settings that need to be fixed by hand.

Here's how to clear out the mess.
[I'll use "USERNAME" for your website's username and WEBSITE.COM for the domain name in these examples]

Your SSL stuff is found in the DA extra conf areas:
Code:
cd /usr/local/directadmin/data/users/
cd USERNAME/domains

EDIT WEBSITE.COM.conf
Look at the top of the file and delete any line that looks like this. [It's not guaranteed that any of these lines will be present.]
Code:
SSLCACertificateFile=/usr/local/directadmin/data/users/USERNAME/domains/WEBSITE.COM.cacert
SSLCertificateFile=/usr/local/directadmin/data/users/USERNAME/domains/WEBSITE.COM.cert
SSLCertificateKeyFile=/usr/local/directadmin/data/users/USERNAME/domains/WEBSITE.COM.key
NEXT:
DELETE any or all of these files. [It's not guaranteed that all will be in the directory.]
WEBSITE.COM.cacert
WEBSITE.COM.key
WEBSITE.COM.cert
Code:
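# -f: no error if a file is absent; only the named files are removed, so other domains' certs are left alone
rm -f WEBSITE.COM.cacert WEBSITE.COM.key WEBSITE.COM.cert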

You have now CLEANED OUT ALL the SSL stuff created by DA and can start fresh.

INSTALLING A COMODO POSITIVE SSL CERT
You no longer need the terminal/root access.
This install is done using the DA control panel.

I like this COMODO cert because it is inexpensive.
It's not an easy install however.

The final CERTs from Comodo come by email in a zip file. (They also send the certificate as text you can copy and paste from the email. I don't recommend that method.)

Unzip the directory.
You'll see four files.

Your website certificate: something like
website_com.cert

And three other files:

AddTrustExternalCARoot.crt
COMODORSAAddTrustCA.crt
COMODORSADomainValidationSecureServerCA.crt

First: Open the website_com.cert, and copy and paste it after the line saying:
"-----END RSA PRIVATE KEY-----"
(FIRST remove any text that happens to be already below that line.)
Your textarea will show:
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
Blah blah blah...
-----END CERTIFICATE-----

Click SAVE.

Below the SAVE button, click the link that says "CLICK HERE" to paste a CA Root Certificate. (There is no indication that "click here" is a link, but it is -- click it.)

At the top of the window is a checkbox that says "USE A CA CERT."
CHECK that box.

Using a text editor, open the other Comodo files, copy and paste contents into the Root Cert textarea.

>>> IN THIS ORDER <<<
AddTrustExternalCARoot.crt
COMODORSAAddTrustCA.crt
COMODORSADomainValidationSecureServerCA.crt

Your text area will look like this:
-----BEGIN CERTIFICATE-----
Blah blah blah...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Blah blah blah...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Blah blah blah...
-----END CERTIFICATE-----

Click Save to save the combined elements as the CA root cert and either wait for Apache to be restarted automatically or do it yourself if you are impatient.
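
The "verify error:num=20" in the first post and the CA bundle step in the post above describe the same check, shown here as an added example that is not from any poster in this thread. It builds a constructed root, intermediate and leaf (all subjects, file names and function names are made up for the demo) and verifies the leaf with and without the intermediate bundle.

```shell
#!/bin/sh
# Added example; every name, subject and file below is constructed.

# make_demo_chain DIR: build root -> intermediate -> leaf inside DIR.
make_demo_chain() {
    d=$1
    cat > "$d/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = unused
[ca_ext]
basicConstraints = critical,CA:TRUE
[leaf_ext]
basicConstraints = CA:FALSE
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$d/demo.cnf" \
        -extensions ca_ext -subj "/CN=Demo Root CA" \
        -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null || return 1
    issue "$d" "/CN=Demo Intermediate CA" ca_ext inter root || return 1
    issue "$d" "/CN=www.demo.example" leaf_ext leaf inter || return 1
}

# issue DIR SUBJECT EXT_SECTION NAME SIGNER: create NAME.crt signed by SIGNER.
issue() {
    openssl req -new -newkey rsa:2048 -nodes -config "$1/demo.cnf" -subj "$2" \
        -keyout "$1/$4.key" -out "$1/$4.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$1/$4.csr" -days 2 -CA "$1/$5.crt" -CAkey "$1/$5.key" \
        -CAcreateserial -extfile "$1/demo.cnf" -extensions "$3" \
        -out "$1/$4.crt" 2>/dev/null
}

# check_chain ROOT LEAF [BUNDLE]: print "ok" or "error N" (openssl's verify code).
# BUNDLE plays the role of the CA certs pasted into the panel's CA textarea.
check_chain() {
    out=$(openssl verify -CAfile "$1" ${3:+-untrusted "$3"} "$2" 2>&1) || true
    case $out in
        *": OK"*) echo ok ;;
        *) printf '%s\n' "$out" |
               sed -n 's/^error \([0-9][0-9]*\) at.*/error \1/p' | head -n 1 ;;
    esac
}

if [ "${1:-}" = demo ]; then
    dir=$(mktemp -d) && make_demo_chain "$dir"
    echo "leaf only:        $(check_chain "$dir/root.crt" "$dir/leaf.crt")"
    echo "leaf + CA bundle: $(check_chain "$dir/root.crt" "$dir/leaf.crt" "$dir/inter.crt")"
    rm -rf "$dir"
fi
```

Pass `demo` as the first argument to print both results. Against a live site the same error 20 shows up in `openssl s_client -showcerts` output when the server sends only the leaf certificate.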
 