DA SSL CSR Request not working with GoDaddy new 2048 bit requirement

WholesaleDialup (Verified User; joined Sep 25, 2004; 178 messages; San Antonio, TX)
I have ordered and installed many Godaddy SSL certs on my DA servers in the past, OK not many but at least a handful :)

Today I tried to order a new one, I paid, then went out to DA to generate the CSR.

I did everything as normal and selected 1024-bit as I usually do. Got my CSR and pasted it into the GoDaddy order form.

It rejected it and said:
The CSR key length must be greater then 2048 and less then 4096

So, I went back to DA and did it again, but this time selecting 2048-bit.

Got the new CSR and pasted it into the GoDaddy form, and again got the same error:
The CSR key length must be greater then 2048 and less then 4096

No matter what I do, I get the same error.

Is GoDaddy broken, or is DA not creating a proper 2048-bit CSR?

Anyone else run into this or know what might be happening?

Thanks in advance for any help. :D
 
Oh, if you've already created a 1024-bit key for the original request, the only way to get a new key is to create a "self-signed" certificate.

Only this will overwrite the existing key.
When creating a request, if there is an existing key already, DA will reuse it, so that a currently active site will not go down when a new key is written that doesn't match the old certificate; hence DA reuses the old key.

So to start over, create a self-signed certificate at 2048, then create a certificate request, which will use the newly created key.

John
 
Thank You

Was having the same issue, thanks John that worked beautifully, at least my site is now secure.
 
Thanks, John. I was using a more complex method: going in through the shell and deleting the old key. Your way is much faster :).

Jeff
 
Oh, if you've already created a 1024-bit key for the original request, the only way to get a new key is to create a "self-signed" certificate.

Only this will overwrite the existing key.
When creating a request, if there is an existing key already, DA will reuse it, so that a currently active site will not go down when a new key is written that doesn't match the old certificate; hence DA reuses the old key.

So to start over, create a self-signed certificate at 2048, then create a certificate request, which will use the newly created key.

John

Any chance of being able to fix this so it's a little less vague?

EDIT: Also thanks for letting us know how to get around it, though! :)
 
It's two simple steps. How much clearer do you want it?

Well, being a software developer, any application that requires me to Google a problem to find a solution has a problem with 1) the interface or 2) a bug. Since I had to Google to find out why GoDaddy was complaining about my CSR being too short when I specifically asked for a 2048 bit key, there seems to be a problem that should be fixed. Although I know about this workaround now, there are likely many others who do not yet know. I would think DA would like to have their software work to people's expectations, so I would expect them to want to fix this bug.
 
Since you quoted John's explanation and then asked for it to be fixed so that it's a little less vague, I thought you wanted the explanation to be a little less vague, not the problem itself. The explanation seemed fine to me. But I agree I never would have known what to do either, except for the fact that I do not use the control panel to install SSL certificates.
 
Hello,

At the moment, the issue is that if DA generates a new key and overwrites the old one, your existing website will now have a mismatched cert/key pair, so you'll get an SSL popup until you get the reply from the certificate issuer.

What I'll do for the next release is perhaps have all certificate requests give you the key and the certificate in the window. However, the catch with that is the User absolutely must copy/paste and save the key after it's generated, or else it will get lost, and the whole certificate purchase process will be completely wasted.

DA currently saves the key with CSR generation so that doesn't happen, but the introduction of the 2048-bit key messes that up.

Another thought that came to mind is another file that contains all keys ever made. DA could then just go through each one until it finds a match. It's slightly more overhead, and not a very "clean" solution, but it would solve all issues of losing keys, ensuring correct matches, and allows 2048 bit keys to actually be 2048 bit keys.

I'm happy to accept any other suggestions or thoughts on how you would like it to work, or what methods/steps you think would work best for ease of use and functionality. I agree that when you select a 2048-bit key, it should create one as such.

John
 
John,

I definitely think the SSL side of things has some room for improvement. I always found it strange that creating a CSR removes your existing cert, and that the interface had both items in the same page. I think the CSR should be separate from pasting in the actual cert.

Is it fairly simple to test a key against a cert? Perhaps just having a directory full of keys generated, and then once you paste in a new cert it looks for the key and errors out if it can't find it. The keys could be grouped by CN so maybe you only have 1-2 keys to check anyway?

Again I don't really know what goes on behind the scenes. I have run into the problem of losing the key for the CSR in the past, which was really annoying. I think GoDaddy was good though and was able to re-key it or something.
 
John, how about saving the new key separately, and then requiring a button when you're ready to install the new Certificate; the button would redraw the screen showing the new key and awaiting input of the new Certificate.

Seems fairly simple to me, but maybe I'm missing something.

Jeff
 
Hello,

What I've noticed is that Users like to keep clicking and creating self-signed certs, or new requests, after their original request has been created. So that original key from, say, 3 creations ago needs to be retrieved later on, knowing it's the correct key for the certificate being pasted.

John
 
I am having the same problem with godaddy.
However, when I tried to make my own new self-signed 2048-bit cert, I got the following:
Cannot Execute Your Request

Details

Error creating certificate: Generating a 2048 bit RSA private key
.........................+++
..........................................................+++
writing new private key to '/usr/local/directadmin/data/.../xxx.com.key.tmp'
-----
/usr/local/directadmin/data/users/cgcglass/domains/xxx.com.cert: Permission denied
2105:error:0200100D:system library:fopen:Permission denied:bss_file.c:352:fopen('/usr/local/directadmin/data/.../xxx.com.cert','w')
2105:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:354:

Should I just delete all the prior certificate data, or will that mess up something? Thanks.

EDIT:
Deleting everything and starting from scratch fixed it!
 
2048 Option

Hi,

Been having this issue with renewal of a cert. I can't see any option to change to 2048-bit in DA. Where should this option be, please?

Thanks

Greg
 
My recollection is that you need to create a self-signed Certificate with 2048 set in DirectAdmin to get a new Private key.

Then immediately afterwards create a CSR to get the CSR with the new Private key.

If having the old Certificate work until the new one is installed is important to you, then you need to save the working, old, about to expire, Private key and Certificate pair first, before doing the above.

Then after you've gotten the new CSR and the new 2048-bit private key, save the private key to a file on your system and then restore what you'd saved previously so you can still use the old Certificate until the new one is issued.

Once the new Cert is issued you can copy back the new private key and the new cert, and save them.

If you need help in installing a new Certificate with a 2048-bit key, look at our offering in the DirectAdmin Advertising forum.

Jeff
 