Problems installing StarterSSL Certificate

Codefighter

I am trying to install an ssl certificate on one of my domains of my dedicated server. I have done this once before on the same machine with the same issuer (StartSSL) but with a different user, domain, and IP.

I have generated the CSR, given it to StartSSL (or GeoTrust?), and they responded back with the Key, which I then pasted under the "-----END RSA PRIVATE KEY-----" area of the "Paste a pre-generated certificate and key" field.

However, I get the following error every time: "Certificate is Invalid"

I also tried installing the CA Root key, which I found on Starterssl.com (that was a shot in the dark).

I tried pasting the certificate exactly as I received it. Then I tried with blank lines here and there, and other variations.

I then re-issued the certificate a second time, watching all instructions carefully, and again a third time.

The domain has a static IP address.

Just for the heck of it, I generated my own certificate, and all worked fine. Tried StartSSL setup again, same 'certificate is invalid' message from DA.

No matter what I do, I get 'Certificate is Invalid' from DA when using the certificates from StartSSL.

The only difference I see between then and now is that the common name for my first successful domain was secure.site.com, and this time around I chose www.site.com. Could the subdomain name be a problem?


PS: Read through Jeff Lasman's tutorial, and the only difference I noted was secure. vs www. and the use of Comodo vs. StarterSSL.
 
Thanks for your input.


>>Have you considered that the cert may be corrupted?
Yes, but I re-issued the certificate 3 times in the hopes of working around the possibility. Each time I re-issued the certificate, I generated a new Certificate Request from my server.


>>Restart apache after installation?
Unfortunately, the problem is that the installation doesn't complete (Certificate is invalid message is displayed). But, I did restart both Apache and DirectAdmin.
 
I just tried to setup an SSL certificate using CACert.org on the same domain/computer/ip/account, and it worked like a charm the very first time.

I suspect something may be amiss with the StarterSSL certificates I am getting (more than 6 re-issues so far). One thing with them: Their last line looked like this:

sye3MbUpwTjz+lGpGB915VUDUx726sswWbsGt-----END CERTIFICATE-----

instead of this:
sye3MbUpwTjz+lGpGB915VUDUx726sswWbsGt
-----END CERTIFICATE-----

May be nothing though, as I also tried adding the line break in manually.

Also, I purchased a second certificate because StarterSSL said my first card was declined. When they said my second card was also declined, I gave up. It turns out that both purchases went through ok, but their site had some problem. They cancelled 1 purchase, and retained the second. Just wonder if this is an indicator that things might be screwy there at the moment.
 
It could be. Possibly an indication that they are not generating the codes properly or there is a small mistake (any of which could mess installation up).
 
The dashes and the "END CERTIFICATE" should be on a line of its own.

Who are you buying your StarterSSL certs from (lots of people sell them)?

We bought some yesterday from the GEOTrust site that's the main account for the company, and they continue to work fine for us.

For what it's worth, we have a special offer for DirectAdmin users for GEOTrust certs here.

Jeff
 
Maybe it's just me. I'll have a talk with their support in the morning. I got mine through rapidssl.com, and have a re-generate insurance where I can re-generate the certificate, but all come through with the ending ----- line on the same line as the last line of the data.

Hopefully, their support will have an answer tomorrow.
 
RapidSSL is, as they put it on the site "the new name for www.freessl.com".

So you're buying them directly from GEOTrust.

Their support group should be able to figure out the issue.

Jeff
 
I have things working, thanks to their support department, but I'm still confused.

So, here is the end of the certificate they originally sent me:

?????????????????????S8E2SwS0MA-----END CERTIFICATE-----

Here, is the end of the certificate that tech support later sent me:
?????????????????????S8E2SwS0MA==
-----END CERTIFICATE-----

Note the tech support version has '==' at the end which wasn't in my original certificate.

I re-generated the CSR and certificate again, tried to re-install the new certificate, and again it failed. But (this confuses me) I just added '==' at the end of the new certificate and tried again, and it worked!

It seems an awfully big coincidence that I would have '==' at the end of two of my certificates, so maybe there's a better explanation.
 
Those two equal signs are supposed to be a part of the certificate. If all of the certificates you are buying from them have this problem, it would seem as if they have a critical bug in their system.
Did their support team give any other information on the problem other than the corrected certificate?
 
Are you sure you are using the original key? Because if you generate a new key the SSL cert will not work and you will need a new one.
 
Thank-you so much!

I had exactly the same issue as you describe and had gotten very very very frustrated.

I eventually found this post, and added those two == signs and pushed the -----END CERTIFICATE----- to a new line and now my StarterSSL cert is installed perfectly...

I've not tested it yet mind! But at least I'm making progress...

I'm going to drop rapidSSL.com a line and let them know that the problem still exists.

Many Many Thanks CodeFighter!
 
We don't have the problem when we buy any GeoTrust certs; my guess is the problem is with your system somewhere; perhaps your email.

Jeff
 
email issue

When I contacted RapidSSL they put it down to being an email client issue...

It strikes me as odd that both CodeFighter and I found exactly the same issue though...

In my humble opinion it should be documented by them so that people do not flounder the way I did if the cert doesn't work and it is visibly wrong. I didn't know it was visibly wrong until I found this thread. Furthermore although I'm using DA if I hadn't have been I might not have found this post at all... and if it is an email error it's obviously not DA specific!

I also attempted to get RapidSSL to consider the inclusion of instructions relating to the easy installation of Certs in DA, (so that people looking at their site know that they are compatible and creating further attention for DA) cause they document instructions for many other server configs and control panels.

I'm just pleased that with your help I managed to get it sorted... although I suspect I will be purchasing and renewing with you Jeff rather than RapidSSL looking at the price difference!

Again many thanks! :D
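
The two defects this thread converges on, the -----END CERTIFICATE----- marker fused onto the last base64 line and the trailing == missing, can be detected before a certificate is pasted into a control panel. The script below is an added example, not part of any post above and not DirectAdmin's or the CA's code; the function names and the sample blob are constructed for illustration. It also checks the DER length header, because restoring padding only proves the base64 is well-formed, not that the certificate data is complete.

```python
import base64
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


def der_length_ok(der: bytes) -> bool:
    """True if der is one SEQUENCE whose declared length covers all of it."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                       # short-form length
        return 2 + first == len(der)
    n = first & 0x7F                       # long form: n length octets follow
    if n == 0 or len(der) < 2 + n:
        return False
    return 2 + n + int.from_bytes(der[2:2 + n], "big") == len(der)


def check_and_repair(pem: str):
    """Return (problems, repaired_pem); repaired_pem is None if unrecoverable."""
    m = re.search(re.escape(BEGIN) + r"(.*?)" + re.escape(END), pem, re.S)
    if not m:
        return ["no BEGIN/END CERTIFICATE markers"], None
    problems, raw = [], m.group(1)
    if not raw.rstrip(" \t").endswith("\n"):
        problems.append("END marker is fused onto the last base64 line")
    body = "".join(raw.split())
    if len(body) % 4:
        problems.append("base64 padding is missing")
        body += "=" * (-len(body) % 4)
    try:
        der = base64.b64decode(body, validate=True)
    except ValueError:
        return problems + ["body is not valid base64"], None
    # Padding alone proves nothing: the DER length header must match too.
    if not der_length_ok(der):
        return problems + ["decoded data is not one complete DER SEQUENCE"], None
    chunks = [body[i:i + 64] for i in range(0, len(body), 64)]
    return problems, "\n".join([BEGIN, *chunks, END]) + "\n"


# Constructed sample: DER-shaped filler bytes, not a real certificate.
SAMPLE_DER = b"\x30\x81\xc7" + bytes(range(199))
GOOD = check_and_repair(BEGIN + base64.b64encode(SAMPLE_DER).decode() + END)[1]
# The damage described in the thread: "==" lost, END fused to the last line.
DAMAGED = GOOD.replace("==\n" + END, END)

print(check_and_repair(DAMAGED)[0])
```

A certificate that passes this check can then be inspected with openssl x509 -noout -text to confirm it parses as X.509.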
 