How to Install RapidSSL
- Thread starter algore
- Start date
scsi
Verified User
- Joined
- Aug 19, 2008
- Messages
- 4,695
You followed the instructions here?
http://site-helper.com/ssl.html#install
After you install the ca cert it usually says your ssl should be working in a few moments.
Have you looked at your apache error log to see what it says is the reason for it failing?
http://site-helper.com/ssl.html#install
After you install the ca cert it usually says your ssl should be working in a few moments.
Have you looked at your apache error log to see what it says is the reason for it failing?
nobaloney
NoBaloney Internet Svcs - In Memoriam †
Solved this yet? Did you get a CARoot Certificate with your Cert? If so, did you install it?
Jeff
Jeff
Sorry to bump an old thread but I was racking my brain with this same issue a little today and yesterday.
All the tutorials I found online (even what is provided by GeoTrust) appear to be incomplete or plain wrong.
After literal trial and error I got it working though. So to help others with the same issue (and possibly myself in the future if I get stuck again and forget what I did) I wanted to post below what works.
To note:
I'm running DirectAdmin v1.43.3, with CustomBuild 2.x, ngnix Web server with php-fpm.
The SSL certificate was a GeoTrust RapidSSL certificate from www.rapidssl.com. Key Size: 2048 (bits)
I installed everything according to GeoTrusts instructions, then by http://www.site-helper.com/ssl.html and everything "appeared" to work fine. The SSL was installed and I didn't get any error on my computer when visiting the protected site. Where I noticed an issue was when visiting the site the next day on my cell phone (iPhone 4s) using the Chrome browser. I got the dialog saying there was an issue. So then I started to do more research and came across http://www.sslshopper.com/ssl-checker.html and http://www.digicert.com/help/ According to both of these checkers my RapidSSL certificate was INDEED not installed correctly. Everything came up as "OK" except the "Server-Chain" certificate. It wasn't getting to the chain servers. OK so this means the problem lies in the "Click Here to paste a CA Root Certificate" page right? Or I must have forgotten to click the "Use a CA Cert." box right? Forgot to restart the web server right? No to all. On the "Certificate Authority SSL Certificate" not only had I pasted the primary one listed in the email... I had actually gone online and found their secondary and posted that as well (as recommended by the web site). However this wasn't fixing the issue.
Then I went back to the main page and figured the "RSA Private Key" that was generated was wrong. I re-entered the "Create A Certificate Request" information a few times, did an rdiff on the two "Certificate Requests" and they were indeed the same. Everything seemed right.
I had installed the "INTERMEDIATE CA" on the "CA SSL" (Certificate Authority SSL Certificate) and clicked the "Use a CA Cert." box appropriately. Made sense right? Turns out, this was only half right. After literally plugging away things in trial-and-error I discovered what "worked" but wasn't posted ANYWHERE I've visited yet. But its also so silly and easy. Really the tutorials should be updated.
The fix:
On the "SSL" (SSL Certificates) page. Where you have "Paste a pre-generated certificate key" checked you need to have 3 *THREE* (yes 3, not 2) pieces of information. First the "Begin RSA Private Key" (which should already be there and generated by the system after you post your initial "Create A Certificate Request" then you'll have your "Begin Certificate" which is your actual certificate you had emailed to you from RapidSSL. Lastly you'll need to post your "Intermediate CA" Yes that's right. Originally I thought (wrongly) that this Intermediate CA should be installed separate from your actual certificate. This is incorrect. Yes you still need to install your Intermediate CA (and I recommend going to RapidSSL to also get their secondary Intermediate CA) on the "Click Here to paste a CA Root Certificate" page. Yes you also need to check "Use a CA Cert." but you ALSO need to post that Intermediate CA certificate WITH your Private Key and Certificate. Is it suppose to be this way? Is this only because I'm using ngnix? I can't say for sure. All I can say is after adding the Intermediate CA to the end of my regular certificate it works and all SSL checks online show it installed properly.
So to summarize.
My solution was to have the following:
On the "SSL Certificates" page (under "Paste a pre-generated certificate and key"):
-----BEGIN RSA PRIVATE KEY-----
PRIVATE KEY DATA
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
CERTIFICATE DATA
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
INTERMEDIATE CERTIFICATE DATA
-----END CERTIFICATE-----
Then under the Certificate Authority SSL Certificate page (where you get by clicking "Click Here to paste a CA Root Certificate"):
-----BEGIN CERTIFICATE-----
PRIMARY INTERMEDIATE CERTIFICATE
-----END CERTIFICATE-----
SECONDARY INTERMEDIATE CERTIFICATE
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
Notes: You could try adding the secondary intermediate certificate to your main certificate (in addition to the primary) but I didn't try it as it wasn't needed in my case. The less keys to decipher is probably best. Also remember in the notes strings (what designates where a certificate starts and ends) like "-----BEGIN CERTIFICATE-----" I believe the dashes (as in '-') HAS to be exactly 5 on each side of the text. Also try to remove any white space between certificates, but do keep a carriage return (as in don't start and end a certificate on the same line).
Links that I used:
http://www.digicert.com/help/ (SSL Certificate Tester)
http://www.sslshopper.com/ssl-checker.html (SSL Certificate Tester)
https://knowledge.rapidssl.com/supp...=content&id=SO9556&actp=LIST&viewlocale=en_US (SSL Certificate Tester)
http://www.quickdiff.com/ (Diff tool to distingish between differences in Keys/Requests)
http://www.site-helper.com/ssl.html (DirectAdmin SSL tutorial)
http://www.bluetreehost.com/support/knowledgebase.php?action=displayarticle&id=29 (DirectAdmin SSL Install Video.... not a real help)
http://www.ipserverone.info/control-panel/DirectAdmin-install-ssl-ertificates/ (Another DirectAdmin SSL tutorial)
http://nl.globalsign.com/en/support/ssl+certificates/directadmin/directadmin/install+certificate/ (GlobalSign's DirectAdmin SSL tutorial)
https://knowledge.rapidssl.com/supp...t/index?page=content&actp=CROSSLINK&id=AR1548 (RapidSSL's page for Intermediate CAs)
https://knowledge.rapidssl.com/supp.../index?page=content&actp=CROSSLINK&id=SO17664 (RapidSSL's page for help/tutorial)
Hope this is help to someone else.
Thanks,
Brian
All the tutorials I found online (even what is provided by GeoTrust) appear to be incomplete or plain wrong.
After literal trial and error I got it working though. So to help others with the same issue (and possibly myself in the future if I get stuck again and forget what I did) I wanted to post below what works.
To note:
I'm running DirectAdmin v1.43.3, with CustomBuild 2.x, ngnix Web server with php-fpm.
The SSL certificate was a GeoTrust RapidSSL certificate from www.rapidssl.com. Key Size: 2048 (bits)
I installed everything according to GeoTrusts instructions, then by http://www.site-helper.com/ssl.html and everything "appeared" to work fine. The SSL was installed and I didn't get any error on my computer when visiting the protected site. Where I noticed an issue was when visiting the site the next day on my cell phone (iPhone 4s) using the Chrome browser. I got the dialog saying there was an issue. So then I started to do more research and came across http://www.sslshopper.com/ssl-checker.html and http://www.digicert.com/help/ According to both of these checkers my RapidSSL certificate was INDEED not installed correctly. Everything came up as "OK" except the "Server-Chain" certificate. It wasn't getting to the chain servers. OK so this means the problem lies in the "Click Here to paste a CA Root Certificate" page right? Or I must have forgotten to click the "Use a CA Cert." box right? Forgot to restart the web server right? No to all. On the "Certificate Authority SSL Certificate" not only had I pasted the primary one listed in the email... I had actually gone online and found their secondary and posted that as well (as recommended by the web site). However this wasn't fixing the issue.
Then I went back to the main page and figured the "RSA Private Key" that was generated was wrong. I re-entered the "Create A Certificate Request" information a few times, did an rdiff on the two "Certificate Requests" and they were indeed the same. Everything seemed right.
I had installed the "INTERMEDIATE CA" on the "CA SSL" (Certificate Authority SSL Certificate) and clicked the "Use a CA Cert." box appropriately. Made sense right? Turns out, this was only half right. After literally plugging away things in trial-and-error I discovered what "worked" but wasn't posted ANYWHERE I've visited yet. But its also so silly and easy. Really the tutorials should be updated.
The fix:
On the "SSL" (SSL Certificates) page. Where you have "Paste a pre-generated certificate key" checked you need to have 3 *THREE* (yes 3, not 2) pieces of information. First the "Begin RSA Private Key" (which should already be there and generated by the system after you post your initial "Create A Certificate Request" then you'll have your "Begin Certificate" which is your actual certificate you had emailed to you from RapidSSL. Lastly you'll need to post your "Intermediate CA" Yes that's right. Originally I thought (wrongly) that this Intermediate CA should be installed separate from your actual certificate. This is incorrect. Yes you still need to install your Intermediate CA (and I recommend going to RapidSSL to also get their secondary Intermediate CA) on the "Click Here to paste a CA Root Certificate" page. Yes you also need to check "Use a CA Cert." but you ALSO need to post that Intermediate CA certificate WITH your Private Key and Certificate. Is it suppose to be this way? Is this only because I'm using ngnix? I can't say for sure. All I can say is after adding the Intermediate CA to the end of my regular certificate it works and all SSL checks online show it installed properly.
So to summarize.
My solution was to have the following:
On the "SSL Certificates" page (under "Paste a pre-generated certificate and key"):
-----BEGIN RSA PRIVATE KEY-----
PRIVATE KEY DATA
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
CERTIFICATE DATA
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
INTERMEDIATE CERTIFICATE DATA
-----END CERTIFICATE-----
Then under the Certificate Authority SSL Certificate page (where you get by clicking "Click Here to paste a CA Root Certificate"):
-----BEGIN CERTIFICATE-----
PRIMARY INTERMEDIATE CERTIFICATE
-----END CERTIFICATE-----
SECONDARY INTERMEDIATE CERTIFICATE
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
Notes: You could try adding the secondary intermediate certificate to your main certificate (in addition to the primary) but I didn't try it as it wasn't needed in my case. The less keys to decipher is probably best. Also remember in the notes strings (what designates where a certificate starts and ends) like "-----BEGIN CERTIFICATE-----" I believe the dashes (as in '-') HAS to be exactly 5 on each side of the text. Also try to remove any white space between certificates, but do keep a carriage return (as in don't start and end a certificate on the same line).
Links that I used:
http://www.digicert.com/help/ (SSL Certificate Tester)
http://www.sslshopper.com/ssl-checker.html (SSL Certificate Tester)
https://knowledge.rapidssl.com/supp...=content&id=SO9556&actp=LIST&viewlocale=en_US (SSL Certificate Tester)
http://www.quickdiff.com/ (Diff tool to distingish between differences in Keys/Requests)
http://www.site-helper.com/ssl.html (DirectAdmin SSL tutorial)
http://www.bluetreehost.com/support/knowledgebase.php?action=displayarticle&id=29 (DirectAdmin SSL Install Video.... not a real help)
http://www.ipserverone.info/control-panel/DirectAdmin-install-ssl-ertificates/ (Another DirectAdmin SSL tutorial)
http://nl.globalsign.com/en/support/ssl+certificates/directadmin/directadmin/install+certificate/ (GlobalSign's DirectAdmin SSL tutorial)
https://knowledge.rapidssl.com/supp...t/index?page=content&actp=CROSSLINK&id=AR1548 (RapidSSL's page for Intermediate CAs)
https://knowledge.rapidssl.com/supp.../index?page=content&actp=CROSSLINK&id=SO17664 (RapidSSL's page for help/tutorial)
Hope this is help to someone else.
Thanks,
Brian
nobaloney
NoBaloney Internet Svcs - In Memoriam †
Interestng. You don't need to add the CA Certificate under the main Certificate under what I'll call normal circumstances; putting it into the Click Here to paste a CA Root Certificate location should be enough.
One reason why it may not work in your case may be because you're also using nginx, and nginx may not know to look into the separate location.
Another reason may be because your domain is not under a reseller but rather under the user level of your admin account.
Please reply to let us know if the latter is true or not, so we may get DirectAdmin and possibly documentation corrected if necessary.
Thanks.
Jeff
One reason why it may not work in your case may be because you're also using nginx, and nginx may not know to look into the separate location.
Another reason may be because your domain is not under a reseller but rather under the user level of your admin account.
Please reply to let us know if the latter is true or not, so we may get DirectAdmin and possibly documentation corrected if necessary.
Thanks.
Jeff
Richard G
Verified User
Please do not reply to old threads (like also the other one you did). Create a new one for your issue.
There are help files like this one to install bought ssl certificates:
https://help.directadmin.com/item.php?id=15
There are help files like this one to install bought ssl certificates:
https://help.directadmin.com/item.php?id=15