ChainedSSL Installation Problem..
- Thread starter jeffery
- Start date
nobaloney
NoBaloney Internet Svcs - In Memoriam †
Jason,
What's the actual system directory path to the directory where the whois.cart files are located?
Knowing that may help debug the problem.
Jeff
What's the actual system directory path to the directory where the whois.cart files are located?
Knowing that may help debug the problem.
Jeff
jdlitson
Verified User
- Joined
- May 29, 2003
- Messages
- 246
Hi, Jeff
I should also mention that:
1. The name on my SSL Cert is www.linkdisk.com and not just linkdisk.com
When I set the final.php page to https://(www).linkdisk.com/cart/final.php for some reasone the final.php page redirects itself to the index.php page of the whois.cart dir.
When I set the final.php page to https://linkdisk.com/cart/final.php the page is not redirected, but then the name on the certificate does not match
2. I have also changed the path of the secure directory to point to public_htm instead of private_htm, so that my license for whois.cart would function properly.
3. Even when viewing a secure page outside of whois.cart, my ChainedSSL still pops up. When viewing the details it reads:
a: In (IE 6) "This certificate cannot be verified up to a trusted certification authority."
b: In (Mozilla Firefox) "Could not verify this certificate because the issuer is unknown."
Thanks -Jason
/home/admin/domains/linkdisk.com/public_html/cart/
I should also mention that:
1. The name on my SSL Cert is www.linkdisk.com and not just linkdisk.com
When I set the final.php page to https://(www).linkdisk.com/cart/final.php for some reasone the final.php page redirects itself to the index.php page of the whois.cart dir.
When I set the final.php page to https://linkdisk.com/cart/final.php the page is not redirected, but then the name on the certificate does not match
2. I have also changed the path of the secure directory to point to public_htm instead of private_htm, so that my license for whois.cart would function properly.
3. Even when viewing a secure page outside of whois.cart, my ChainedSSL still pops up. When viewing the details it reads:
a: In (IE 6) "This certificate cannot be verified up to a trusted certification authority."
b: In (Mozilla Firefox) "Could not verify this certificate because the issuer is unknown."
Thanks -Jason
nobaloney
NoBaloney Internet Svcs - In Memoriam †
Hi. First I'm going to start at the beginning.jdlitson said:
The cert (as shown in my browser) doesn't have a chain cert installed; we have to figure out why, and where it goes.
I thought freeSSL certs didn't require a chain cert. What kind of freeSSL cert is this, and when did you get it?
Did you install the cert and the chain cert in the site section of the admin login?
Then you probably know you're always going to have a problem with redirection to linkdisk.com as opposted to www.linkdisk.com
This will probably take some intensive troubleshooting of the code and/or the the httpd.conf file and/or the apache logs. Have you asked Whois.Cart customer support if they know why this may be happening?
When I set the final.php page to https://linkdisk.com/cart/final.php the page is not redirected, but then the name on the certificate does not match
The only way around this with the cert is to buy a wildcard site for *.linkdisk.com. They're not cheap.
Better if you can get help from Whois.Cart to redirect it to www.
I don't know why Whois.Cart would require that, but I haven't tried it yet.
Does the actual chain show up in your browser window at any point? It doesn't in mine.
Jeff
jdlitson
Verified User
- Joined
- May 29, 2003
- Messages
- 246
Bought it from ev1servers. It is not the 30 day freessl cert. freessl and GeoTrust seem to have a partnership in this particular cert. http://www.ev1servers.net/english/chainedssldetails.asp
The locations to the actual files are located here.
SSLCertificateFile /etc/httpd/conf/ssl.crt/linkdisk.crt/
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/linkdisk.key/
SSLCACertificateFile /etc/httpd/conf/ca-bundle/chain.crt/
And these locations were added to my httpd.conf file for the admin user. I tried adding these locations to my main httpd.conf file and it crashed Apache. I have also added my cert. and key using the DA user panel. And I added the chain cert to the CA bundle in the user panel and got a message that my site would be secure within a few minuites. I assumed that it was reading the chain cert because initially when I first uploaded the chain cert to my server it didn't work at all. What I found was that I coppied and pasted it into the file like this:
-----BEGIN CERTIFICATE----- XXXXXXXXXXXXXXXXXXXXXXXXXXXX
And then changed it and re-uploaded like this:
-----BEGIN CERTIFICATE-----
XXXXXXXXXXXXXXXXXXXXXXXXXXXX
Only then did the DA user CP tell me that my site would be secure within a few min.
I am not so worried about this yet. I am more interested in getting the cert installed properly first. I will then upgrade to the latest version of Whois.cart which I know I need to do. And then I will figure out the www problem by contacting Whois.cart support or using the forums. I don't think when I bought the cert I put www.linkdisk.com I am not in the habit of typing www before a URL. But of course I am not 100% sure. Any ways this is not the important thing right now.
So is what you are saying is the chaincert is not being read. I would have to agree. Do you think then I should move the files to my /home/ directory instead of the /etc/ directory?
Because the whois.cart license is directory specific. When I purchased my license it was for this location: /home/admin/domains/linkdisk.com/public_html/cart/
SSL location is: /home/admin/domains/linkdisk.com/private_html/cart/
So when you get to the final PHP page using https:// you will get an error message that says your IP address has been logged and something else, I don't recall. So what it comes down to is I had to change my secure location to public_htm. And BTW a symlink won't work either.
I would have to say no, but to be honest I don't know what it would look like if it had. This is my first experience with a purchased cert. of any kind.
Thanks -Jason
Hey,
When you added the certs through the DA panel, why did you then go add them to the httpd.conf file? Doesn't DA add the necessary lines/files?
What does the httpd.conf file look like?
If you haven't tried it yet, I say remove your cert entries in the httpd.conf file that you put in there and then re-paste the certs in DA and see what happens.
David
When you added the certs through the DA panel, why did you then go add them to the httpd.conf file? Doesn't DA add the necessary lines/files?
What does the httpd.conf file look like?
If you haven't tried it yet, I say remove your cert entries in the httpd.conf file that you put in there and then re-paste the certs in DA and see what happens.
David
nobaloney
NoBaloney Internet Svcs - In Memoriam †
David's response makes sense.
Try it.
If it doesn't work, then try this:
WARNING:
The following suggestion is presented as a best efforts solution, and took a great deal of time to verify. However I cannot guarantee that it is error free, or that it will not completely break your server. We guarantee only work that we do on your servers ourselves, under contract.
If you do not feel comfortable doing this yourself, or do not want to take full responsibility for any end result, then you may of course either ignore everything I've written, or contract me at nobaloney.net to contract for a guaranteed solution to your problem.
First, in a root shell, navigate to the proper directory for admin's domain's certs:
# cd /usr/local/directadmin/data/users/admin/domains
In that directory there should be a file named:
linkdisk.com.conf
Is there?
If not, then the domain was not properly set up.
If so, let's continue...
The contents of this file should be similar to:
All the lines don't have to be exactly like this; I did some guessing. But the important ones are the three at the top, and the line "ssl=ON".
If they're not what I have here, then let us know.
If they are, then we can move on...
You wrote that your cert files were at:
Are you sure these are the files from your install of your freeSSL cert? If you're not sure, you can verify them by cutting and pasting the linkdisk.crt file to the desktop of your local Windows or Linux system (probably Apple as well, though I'm not certain) and double-clicking on them, to make sure that the cert was issued by whom you expect, and in the name of www.linkdisk.com. Only once you're certain these are the correct files should you move on.
You need to make sure you have copies at those three files defined in the three lines at the top of your linkdisk.com.conf file...
Check the contents of:
/usr/local/directadmin/data/users/admin/domains/linkdisk.com.cacert
It needs to be the same as the contents of:
/etc/httpd/conf/ca-bundle/chain.crt
If it's not, then do the following (the "#" sign means do it as root):
# cp /etc/httpd/conf/ca-bundle/chain.crt /usr/local/directadmin/data/users/admin/domains/linkdisk.com.cacert
Next, check the contents of:
/usr/local/directadmin/data/users/admin/domains/linkdisk.com.cert
It needs to be the same as the contents of:
/etc/httpd/conf/ssl.crt/linkdisk.crt/
If it's not, then do the following:
# cp /etc/httpd/conf/ssl.crt/linkdisk.crt /usr/local/directadmin/data/users/admin/domains/linkdisk.com.cert
Next, check the contents of:
/usr/local/directadmin/data/users/admin/domains/linkdisk.com.key
It needs to be the same as the contents of:
/etc/httpd/conf/ssl.key/linkdisk.key
If it's not, then do the following:
cp /etc/httpd/conf/ssl.key/linkdisk.key /usr/local/directadmin/data/users/admin/domains/linkdisk.com.key
Now check the ownership and permissions of the files in /usr/local/directadmin/data/users/ezsecure/domains
They need to be owned by diradmin, group diradmin, and should be read-write only by their owner. If they're not, execute these two commands:
# chown diradmin:diradmin /usr/local/directadmin/data/users/ezsecure/domains/*
# chmod 600 /usr/local/directadmin/data/users/ezsecure/domains/*
Then restart apache:
/etc/rc.d/init.d/httpd restart
Now it should work.
If it doesn't, report back here or, if you wish, contact me at my email address or phone number, both below in my sig.
Try it.
If it doesn't work, then try this:
WARNING:
The following suggestion is presented as a best efforts solution, and took a great deal of time to verify. However I cannot guarantee that it is error free, or that it will not completely break your server. We guarantee only work that we do on your servers ourselves, under contract.
If you do not feel comfortable doing this yourself, or do not want to take full responsibility for any end result, then you may of course either ignore everything I've written, or contract me at nobaloney.net to contract for a guaranteed solution to your problem.
First, in a root shell, navigate to the proper directory for admin's domain's certs:
# cd /usr/local/directadmin/data/users/admin/domains
In that directory there should be a file named:
linkdisk.com.conf
Is there?
If not, then the domain was not properly set up.
If so, let's continue...
The contents of this file should be similar to:
Code:
SSLCACertificateFile=/usr/local/directadmin/data/users/admin/domains/linkdisk.com.cacert
SSLCertificateFile=/usr/local/directadmin/data/users/admin/domains/linkdisk.com.cert
SSLCertificateKeyFile=/usr/local/directadmin/data/users/admin/domains/linkdisk.com.key
bandwidth=unlimited
cgi=ON
defaultdomain=yes
domain=linkdisk.com
ip=64.156.241.105
quota=unlimited
ssl=ON
suspended=no
username=adminIf they're not what I have here, then let us know.
If they are, then we can move on...
You wrote that your cert files were at:
Are you sure these are the files from your install of your freeSSL cert? If you're not sure, you can verify them by cutting and pasting the linkdisk.crt file to the desktop of your local Windows or Linux system (probably Apple as well, though I'm not certain) and double-clicking on them, to make sure that the cert was issued by whom you expect, and in the name of www.linkdisk.com. Only once you're certain these are the correct files should you move on.
You need to make sure you have copies at those three files defined in the three lines at the top of your linkdisk.com.conf file...
Check the contents of:
/usr/local/directadmin/data/users/admin/domains/linkdisk.com.cacert
It needs to be the same as the contents of:
/etc/httpd/conf/ca-bundle/chain.crt
If it's not, then do the following (the "#" sign means do it as root):
# cp /etc/httpd/conf/ca-bundle/chain.crt /usr/local/directadmin/data/users/admin/domains/linkdisk.com.cacert
Next, check the contents of:
/usr/local/directadmin/data/users/admin/domains/linkdisk.com.cert
It needs to be the same as the contents of:
/etc/httpd/conf/ssl.crt/linkdisk.crt/
If it's not, then do the following:
# cp /etc/httpd/conf/ssl.crt/linkdisk.crt /usr/local/directadmin/data/users/admin/domains/linkdisk.com.cert
Next, check the contents of:
/usr/local/directadmin/data/users/admin/domains/linkdisk.com.key
It needs to be the same as the contents of:
/etc/httpd/conf/ssl.key/linkdisk.key
If it's not, then do the following:
cp /etc/httpd/conf/ssl.key/linkdisk.key /usr/local/directadmin/data/users/admin/domains/linkdisk.com.key
Now check the ownership and permissions of the files in /usr/local/directadmin/data/users/ezsecure/domains
They need to be owned by diradmin, group diradmin, and should be read-write only by their owner. If they're not, execute these two commands:
# chown diradmin:diradmin /usr/local/directadmin/data/users/ezsecure/domains/*
# chmod 600 /usr/local/directadmin/data/users/ezsecure/domains/*
Then restart apache:
/etc/rc.d/init.d/httpd restart
Now it should work.
If it doesn't, report back here or, if you wish, contact me at my email address or phone number, both below in my sig.
jdlitson
Verified User
- Joined
- May 29, 2003
- Messages
- 246
Hi David,
The results were not what I had expected.
Every thing seems to have remained the same. That was a good idea you had. I have also looked at my httpd.conf files afterwards and it did not change anything in the conf files. by repasting the certs.
For anyone new to all this and trying to fallow along, (When I say conf files, I mean the httpd.conf file for my admin user, and my main httpd.conf file as root or super user).
Ok now off to see what Jeff has to say about all this.
Thanks -Jason
nobaloney
NoBaloney Internet Svcs - In Memoriam †
Don't worry about it; my eyes go crazy on me sometimes, as well.
Let me know if my suggestions work out for you.
Jeff
Let me know if my suggestions work out for you.
Jeff
jdlitson
Verified User
- Joined
- May 29, 2003
- Messages
- 246
1. In the linkdisk.com.conf this line was, defaultdomain=no so I changed it to, defaultdomain=yes
2. In the /usr/local/directadmin/data/users/admin/domains/linkdisk.com.cacert, file at the end of every line was an, ^M so I deleted all of the, ^M and saved the file.
3. This file did not exsist: /usr/local/directadmin/data/users/admin/domains/linkdisk.com.cert, so I coppied it and changed the group and permissions.
4. This file did not exsist: /usr/local/directadmin/data/users/admin/domains/linkdisk.com.key, so I coppied it and changed the group and permissions.
5. Currently my httpd.conf files are now pointinting to a self sign cert. I don't know if that makes any deifference? When I view SSL in the browser it still shows up the same. From what I have read so far my httpd.conf files are supossed to be pointing to my .cert and .key files.
None of this made any difference in the way the certificate works.
BTW I did restart apache many times
I am going to contact DA support and see if they can find the problem.
Thank you both for your time and help -Jason
When the problem is found I will post the details here.
2. In the /usr/local/directadmin/data/users/admin/domains/linkdisk.com.cacert, file at the end of every line was an, ^M so I deleted all of the, ^M and saved the file.
3. This file did not exsist: /usr/local/directadmin/data/users/admin/domains/linkdisk.com.cert, so I coppied it and changed the group and permissions.
4. This file did not exsist: /usr/local/directadmin/data/users/admin/domains/linkdisk.com.key, so I coppied it and changed the group and permissions.
5. Currently my httpd.conf files are now pointinting to a self sign cert. I don't know if that makes any deifference? When I view SSL in the browser it still shows up the same. From what I have read so far my httpd.conf files are supossed to be pointing to my .cert and .key files.
None of this made any difference in the way the certificate works.
BTW I did restart apache many times
I am going to contact DA support and see if they can find the problem.
Thank you both for your time and help -Jason
When the problem is found I will post the details here.
nobaloney
NoBaloney Internet Svcs - In Memoriam †
Please do let us know, Jason.
I know I can find it if I log in, but I can only do that under contract. If DA owes you support let them try first
.
I'm sure they can do it.
Just so you know, that ^M happens when the cert is uploaded from a Windows system without converting windows line endings to linux line endings. In many files (perl programs for example) it makes a difference, but it shouldn't in certs.
Jeff
I know I can find it if I log in, but I can only do that under contract. If DA owes you support let them try first
.I'm sure they can do it.
Just so you know, that ^M happens when the cert is uploaded from a Windows system without converting windows line endings to linux line endings. In many files (perl programs for example) it makes a difference, but it shouldn't in certs.
Jeff
jdlitson
Verified User
- Joined
- May 29, 2003
- Messages
- 246
Hi Jeff,
DA doesn't owe me, but hopefuly they will help?
Unfortunately, I don't have the funds to pay anyone, otherwise you would be the first person on my list of people to hire for any type of linux problem. And I do appreciate your help in the forum.
On the other hand I could trade service for service, such as if you needed any type of design work done in photoshop? Right now my time is the only form of currency.
Regards -Jason
DA doesn't owe me, but hopefuly they will help?
Unfortunately, I don't have the funds to pay anyone, otherwise you would be the first person on my list of people to hire for any type of linux problem. And I do appreciate your help in the forum.
On the other hand I could trade service for service, such as if you needed any type of design work done in photoshop? Right now my time is the only form of currency.
Regards -Jason
jdlitson
Verified User
- Joined
- May 29, 2003
- Messages
- 246
Hey hey hey ,
Only when I installed the cert and key files using the DA CP did I see any change to my SSL while viewing it in my browser.
I have contacted DA support, so I am going to leave it alone until I hear back from them.I don't want to make any changes while or if they make any changes.
Regards -Jason
,The only line that DA seemed to create properly was the line for the CA root cert. So, I would agree that something is "out-a-wack"? The rest I had to create manually, that is, the lines that Jeff told me were supposed to be in the linkdisk.com.conf file.
The lines in the httpd.conf file are not created auto-magically. According to the istallation instructions, you are supposed to add the lines to your httpd.conf file manually.
Only when I installed the cert and key files using the DA CP did I see any change to my SSL while viewing it in my browser.
I have contacted DA support, so I am going to leave it alone until I hear back from them.I don't want to make any changes while or if they make any changes.
Regards -Jason