ChainedSSL Installation Problem..
jeffery
05-05-2004, 10:31 AM
I have just bought a chainedSSL at FreeSSL.COM and followed the steps provided here:
http://www.freessl.com/resources/install/chainedssl/apache_mod_ssl.htm
The browser always gets a popup saying that www.jzoneplus.com is not a certified authority..
Can anyone offer me some help..? :(
jeffery
05-05-2004, 10:40 AM
Is there anything I need to do with the ca-bundle.crt file?
I have searched other forums, and cPanel/WHM also get it working.
Sorry, I am not so familiar with this.. :confused:
ProWebUK
05-05-2004, 11:18 AM
You need to use the 'chain' certificate also.... all the info you need is on the FreeSSL website... as a hint there's an extra line required in the httpd.conf
Chris
jeffery
05-05-2004, 11:20 AM
Thanks,
I have bought the chainedSSL, isn't it a chained certificate?
I have also added that line in my user's (admin) httpd.conf,
still doesn't work.... :(
p.s. I have restarted apache after doing so!
ProWebUK
05-05-2004, 11:29 AM
Typically you set up a 'standard' cert using the following 2 lines:
SSLCertificateFile /usr/local/apache/conf/ssl.crt/yourdomain.crt (or server.crt)
SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/domainname.key
with the chained certificates you need the extra line:
SSLCACertificateFile /usr/local/apache/conf/ca-bundle/chain.crt
The key is what you *generated* before purchasing the certificate, the certificate is what they will have emailed you, and the intermediate/chain you have is the chain.crt
Ensure you have all 3 lines in the vhost then restart apache... also check all the paths are correct in those lines and hold the correct data :)
Chris
jeffery
05-05-2004, 11:36 AM
Thanks Chris for your prompt reply!
But I have really done what you've told me:
This is my httpd.conf file:
SSLEngine on
SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
SSLCACertificateFile /usr/local/directadmin/data/users/admin/domains/jzoneplus.com.cacert
(have changed to /etc/httpd/conf/ca-bundle/chain.crt but still no luck)
The key is generated during the certificate request using DA.
The cert and the intermediate cert were both emailed to me and put in server.crt and chain.crt.
Still, same problem exists..
It drives me crazy........=_=
DirectAdmin Support
05-05-2004, 11:57 AM
Hello,
I think you've fixed it. When I go to:
https://www.jzoneplus.com/asdf
I don't get a popup and the cert is valid. You might have had the certificate cached in your browser, in which case just close all browsers and load the page again. :)
John
jeffery
05-05-2004, 11:59 AM
I have rolled back my system to use the freessl, because I don't want my customers to see that popup..
I have totally given up trying..
Check out my certificate and it's just a single root certificate!
Sorry I didn't mention that..:eek:
ProWebUK
05-05-2004, 12:03 PM
You are putting the 3 lines in the vhost of the domain, not the main httpd.conf?
Chris
jeffery
05-05-2004, 12:05 PM
Yes..
I am putting the 3 lines in the vhost file, the 'tutorial' did mention that?
Do I need to add those 3 lines to main httpd.conf file?
ProWebUK
05-05-2004, 12:22 PM
Could you point me to a file in the private html folder.... at the moment I'm just getting redirected back to an insecure connection...
These are all the correct paths also (for all the new data?)
/etc/httpd/conf/ssl.crt/server.crt
/etc/httpd/conf/ssl.key/server.key
/usr/local/directadmin/data/users/admin/domains/jzoneplus.com.cacert
Try doing it clean...
mkdir /etc/httpd/conf/jzoneplus
cd /etc/httpd/conf/jzoneplus
pico -w jzoneplus.key
pico -w jzoneplus.crt
pico -w jzoneplus.cacrt
The key is what you generated, crt is the cert emailed to you, cacrt is the intermediate cert emailed. Make sure you add the -----start----- and -----end------ lines in those files also.
SSLCertificateFile /etc/httpd/conf/jzoneplus/jzoneplus.crt
SSLCertificateKeyFile /etc/httpd/conf/jzoneplus/jzoneplus.key
SSLCACertificateFile /etc/httpd/conf/jzoneplus/jzoneplus.cacrt
If it still fails all I can think is you're using the wrong key (must be the key you used to order the certificate with), but I have no idea what error you are getting either... so can't really say.
Chris
jeffery
05-05-2004, 12:45 PM
Chris,
I have tried the steps, but still, it seems that it's no luck.
However, I put those 3 lines in main httpd.conf ............. SUCCESS!
Still not sure what's going on with the vhost httpd.conf..
investigating~
Try it out, see if popup shows?
https://www.jzoneplus.com/hk/user
jeffery
05-05-2004, 12:48 PM
By the way, how can I set it to use with DA?
I know how to set a single root, but not a chained one..
directadmin.conf only comes with 2 lines!:D
DirectAdmin Support
05-05-2004, 02:18 PM
The equivalent to the SSLCACertificateFile in the directadmin.conf would be carootcert, which you can just add yourself.
John
jeffery
05-05-2004, 08:57 PM
Thanks Chris and John,
Everything got done now!
Hope it creates a good guide for future admins.
Cheers,
Jeffery ;)
jdlitson
07-28-2004, 11:10 PM
Hi,
I have followed everything in this thread, and have only one problem now. (Well at least when it comes to SSL.) :D
When viewing my cert. located https://www.linkdisk.com
It shows "cannot be verified up to a trusted cert. auth."
I have all 3 of the lines in my admin user httpd.conf file and they are pointing to the correct paths.
SSLEngine on
SSLCertificateFile /etc/httpd/conf/ssl.crt/linkdisk.crt/
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/linkdisk.key/
SSLCACertificateFile /etc/httpd/conf/ca-bundle/chain.crt/
Does anyone know why I would get this message?
Thanks -Jason
skruf
07-29-2004, 02:35 AM
Hey,
Looks like you have the SSL fixed...
Now you've got insecure items on the page... Looks like it's because of the way they are called:
http://linkdisk.com/images/
Some of your links are that way as well... But, you probably know that already!
David
jdlitson
07-29-2004, 08:16 PM
Hi David,
Thank you for your reply.
It does appear that it is working properly on my home page, but please try my order system and see if you come up with the same results.
1. Add a hosting plan to the cart.
2. Enter a domain name which already exists, such as yahoo.com; it doesn't really matter.
3. Click finish.
4. This will take you to the final.php page which is the payment page and is where I need SSL. I get a popup here, and if you do also please let me know.
http://linkdisk.com/hosting.htm
Thanks for your time and help -Jason
skruf
07-30-2004, 06:30 AM
Hey Jason,
Sorry about the delay in answering...
Yep, I see what you mean...
However, now I get the error on your homepage:
https://www.linkdisk.com
It's showing it can't be verified... Strange, it did appear to be working earlier.
Back to square one.
One thought, take the trailing slash "/" off the path on the SSL statements...
Also, who can read this (permissions)?
/etc/httpd/conf/ca-bundle/chain.crt
David
skruf
07-30-2004, 06:45 AM
Hey,
OK, maybe you're working on it as I was testing it as NOW the https://www.linkdisk.com is pulling up OK.
With that, where you may be having problems is when you're in the cart and click on Finish, it appears as though you're redirecting to the https (maybe through a whois.cart config)...
It appears as if the call sees the http://linkdisk.com and if you look at the cert it's telling you the name doesn't match. You'll see the cert chain is complete...
Damn, does that make sense?
Maybe it's a whois.cart config that's giving the problem?
David
Edit:
Well, it's not working again... Unless you're working on it then, that seems to be a problem all its own.
jdlitson
07-30-2004, 02:38 PM
Yes, that may be the problem.
I will play around with it and post my results if any.
Thanks again for your help :D
-Jason
nobaloney
07-31-2004, 09:00 AM
Jason,
What's the actual system directory path to the directory where the whois.cart files are located?
Knowing that may help debug the problem.
Jeff
jdlitson
07-31-2004, 09:38 AM
Hi, Jeff
What's the actual system directory path to the directory where the whois.cart files are located?
/home/admin/domains/linkdisk.com/public_html/cart/
I should also mention that:
1. The name on my SSL Cert is www.linkdisk.com and not just linkdisk.com
When I set the final.php page to https://(www).linkdisk.com/cart/final.php for some reason the final.php page redirects itself to the index.php page of the whois.cart dir.
When I set the final.php page to https://linkdisk.com/cart/final.php the page is not redirected, but then the name on the certificate does not match :(
2. I have also changed the path of the secure directory to point to public_html instead of private_html, so that my license for whois.cart would function properly.
3. Even when viewing a secure page outside of whois.cart, my ChainedSSL still pops up. When viewing the details it reads:
a: In (IE 6) "This certificate cannot be verified up to a trusted certification authority."
b: In (Mozilla Firefox) "Could not verify this certificate because the issuer is unknown."
Thanks -Jason
nobaloney
07-31-2004, 10:06 AM
Originally posted by jdlitson
Hi, Jeff
Hi. First I'm going to start at the beginning.
The cert (as shown in my browser) doesn't have a chain cert installed; we have to figure out why, and where it goes.
I thought freeSSL certs didn't require a chain cert. What kind of freeSSL cert is this, and when did you get it?
/home/admin/domains/linkdisk.com/public_html/cart/
Did you install the cert and the chain cert in the site section of the admin login?
I should also mention that:
1. The name on my SSL Cert is www.linkdisk.com and not just linkdisk.com
Then you probably know you're always going to have a problem with redirection to linkdisk.com as opposed to www.linkdisk.com
When I set the final.php page to https://(www).linkdisk.com/cart/final.php for some reason the final.php page redirects itself to the index.php page of the whois.cart dir.
This will probably take some intensive troubleshooting of the code and/or the httpd.conf file and/or the apache logs. Have you asked Whois.Cart customer support if they know why this may be happening?
When I set the final.php page to https://linkdisk.com/cart/final.php the page is not redirected, but then the name on the certificate does not match :(
The only way around this with the cert is to buy a wildcard site for *.linkdisk.com. They're not cheap.
Better if you can get help from Whois.Cart to redirect it to www.
2. I have also changed the path of the secure directory to point to public_html instead of private_html, so that my license for whois.cart would function properly.
I don't know why Whois.Cart would require that, but I haven't tried it yet.
3. Even when viewing a secure page outside of whois.cart, my ChainedSSL still pops up. When viewing the details it reads:
a: In (IE 6) "This certificate cannot be verified up to a trusted certification authority."
b: In (Mozilla Firefox) "Could not verify this certificate because the issuer is unknown."
Does the actual chain show up in your browser window at any point? It doesn't in mine.
Jeff
jdlitson
07-31-2004, 04:15 PM
Hi. First I'm going to start at the beginning. The cert (as shown in my browser) doesn't have a chain cert installed; we have to figure out why, and where it goes.
I thought freeSSL certs didn't require a chain cert. What kind of freeSSL cert is this, and when did you get it?
Bought it from ev1servers. It is not the 30 day freessl cert. freessl and GeoTrust seem to have a partnership in this particular cert. http://www.ev1servers.net/english/chainedssldetails.asp
Did you install the cert and the chain cert in the site section of the admin login?
The locations to the actual files are located here.
SSLCertificateFile /etc/httpd/conf/ssl.crt/linkdisk.crt/
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/linkdisk.key/
SSLCACertificateFile /etc/httpd/conf/ca-bundle/chain.crt/
And these locations were added to my httpd.conf file for the admin user. I tried adding these locations to my main httpd.conf file and it crashed Apache. I have also added my cert. and key using the DA user panel. And I added the chain cert to the CA bundle in the user panel and got a message that my site would be secure within a few minutes. I assumed that it was reading the chain cert because initially when I first uploaded the chain cert to my server it didn't work at all. What I found was that I copied and pasted it into the file like this:
-----BEGIN CERTIFICATE----- XXXXXXXXXXXXXXXXXXXXXXXXXXXX
And then changed it and re-uploaded like this:
-----BEGIN CERTIFICATE-----
XXXXXXXXXXXXXXXXXXXXXXXXXXXX
Only then did the DA user CP tell me that my site would be secure within a few min.
This will probably take some intensive troubleshooting of the code and/or the httpd.conf file and/or the apache logs. Have you asked Whois.Cart customer support if they know why this may be happening? I am not so worried about this yet. I am more interested in getting the cert installed properly first. I will then upgrade to the latest version of Whois.cart which I know I need to do. And then I will figure out the www problem by contacting Whois.cart support or using the forums. I don't think when I bought the cert I put www.linkdisk.com; I am not in the habit of typing www before a URL. But of course I am not 100% sure. Anyway, this is not the important thing right now.
So is what you are saying is the chaincert is not being read. I would have to agree. Do you think then I should move the files to my /home/ directory instead of the /etc/ directory?
I don't know why Whois.Cart would require that, but I haven't tried it yet. Because the whois.cart license is directory specific. When I purchased my license it was for this location: /home/admin/domains/linkdisk.com/public_html/cart/
SSL location is: /home/admin/domains/linkdisk.com/private_html/cart/
So when you get to the final PHP page using https:// you will get an error message that says your IP address has been logged and something else, I don't recall. So what it comes down to is I had to change my secure location to public_html. And BTW a symlink won't work either.
Does the actual chain show up in your browser window at any point? It doesn't in mine. I would have to say no, but to be honest I don't know what it would look like if it had. This is my first experience with a purchased cert. of any kind.
Thanks -Jason :D
skruf
08-01-2004, 05:33 AM
Hey,
When you added the certs through the DA panel, why did you then go add them to the httpd.conf file? Doesn't DA add the necessary lines/files?
What does the httpd.conf file look like?
If you haven't tried it yet, I say remove your cert entries in the httpd.conf file that you put in there and then re-paste the certs in DA and see what happens.
David
jdlitson
08-01-2004, 08:48 AM
Ok, It's worth a try :)
I will let you know.
Thanks -Jason
nobaloney
08-01-2004, 09:27 AM
David's response makes sense.
Try it.
If it doesn't work, then try this:
WARNING:
The following suggestion is presented as a best efforts solution, and took a great deal of time to verify. However I cannot guarantee that it is error free, or that it will not completely break your server. We guarantee only work that we do on your servers ourselves, under contract.
If you do not feel comfortable doing this yourself, or do not want to take full responsibility for any end result, then you may of course either ignore everything I've written, or contract me at nobaloney.net to contract for a guaranteed solution to your problem.
First, in a root shell, navigate to the proper directory for admin's domain's certs:
# cd /usr/local/directadmin/data/users/admin/domains
In that directory there should be a file named:
linkdisk.com.conf
Is there?
If not, then the domain was not properly set up.
If so, let's continue...
The contents of this file should be similar to:
SSLCACertificateFile=/usr/local/directadmin/data/users/admin/domains/linkdisk.com.cacert
SSLCertificateFile=/usr/local/directadmin/data/users/admin/domains/linkdisk.com.cert
SSLCertificateKeyFile=/usr/local/directadmin/data/users/admin/domains/linkdisk.com.key
bandwidth=unlimited
cgi=ON
defaultdomain=yes
domain=linkdisk.com
ip=64.156.241.105
quota=unlimited
ssl=ON
suspended=no
username=admin
All the lines don't have to be exactly like this; I did some guessing. But the important ones are the three at the top, and the line "ssl=ON".
If they're not what I have here, then let us know.
If they are, then we can move on...
You wrote that your cert files were at:
SSLCertificateFile /etc/httpd/conf/ssl.crt/linkdisk.crt/
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/linkdisk.key/
SSLCACertificateFile /etc/httpd/conf/ca-bundle/chain.crt/
Are you sure these are the files from your install of your freeSSL cert? If you're not sure, you can verify them by cutting and pasting the linkdisk.crt file to the desktop of your local Windows or Linux system (probably Apple as well, though I'm not certain) and double-clicking on them, to make sure that the cert was issued by whom you expect, and in the name of www.linkdisk.com. Only once you're certain these are the correct files should you move on.
You need to make sure you have copies in those three files defined in the three lines at the top of your linkdisk.com.conf file...
Check the contents of:
/usr/local/directadmin/data/users/admin/domains/linkdisk.com.cacert
It needs to be the same as the contents of:
/etc/httpd/conf/ca-bundle/chain.crt
If it's not, then do the following (the "#" sign means do it as root):
# cp /etc/httpd/conf/ca-bundle/chain.crt /usr/local/directadmin/data/users/admin/domains/linkdisk.com.cacert
Next, check the contents of:
/usr/local/directadmin/data/users/admin/domains/linkdisk.com.cert
It needs to be the same as the contents of:
/etc/httpd/conf/ssl.crt/linkdisk.crt/
If it's not, then do the following:
# cp /etc/httpd/conf/ssl.crt/linkdisk.crt /usr/local/directadmin/data/users/admin/domains/linkdisk.com.cert
Next, check the contents of:
/usr/local/directadmin/data/users/admin/domains/linkdisk.com.key
It needs to be the same as the contents of:
/etc/httpd/conf/ssl.key/linkdisk.key
If it's not, then do the following:
# cp /etc/httpd/conf/ssl.key/linkdisk.key /usr/local/directadmin/data/users/admin/domains/linkdisk.com.key
Now check the ownership and permissions of the files in /usr/local/directadmin/data/users/ezsecure/domains
They need to be owned by diradmin, group diradmin, and should be read-write only by their owner. If they're not, execute these two commands:
# chown diradmin:diradmin /usr/local/directadmin/data/users/ezsecure/domains/*
# chmod 600 /usr/local/directadmin/data/users/ezsecure/domains/*
Then restart apache:
/etc/rc.d/init.d/httpd restart
Now it should work.
If it doesn't, report back here or, if you wish, contact me at my email address or phone number, both below in my sig.
jdlitson
08-01-2004, 09:52 AM
If you haven't tried it yet, I say remove your cert entries in the httpd.conf file that you put in there and then re-paste the certs in DA and see what happens.
Hi David,
The results were not what I had expected.
Everything seems to have remained the same. That was a good idea you had. I have also looked at my httpd.conf files afterwards, and repasting the certs did not change anything in the conf files.
For anyone new to all this and trying to follow along, (When I say conf files, I mean the httpd.conf file for my admin user, and my main httpd.conf file as root or super user).
Ok now off to see what Jeff has to say about all this.
Thanks -Jason
jdlitson
08-01-2004, 10:04 AM
First, in a root shell, navigate to the proper directory for admin's domain's certs:
# cd /usr/local/directadmin/data/users/admin/domains
In that directory there should be a file named:
linkdisk.com.conf
Is there?
Hi Jeff,
As I navigate to the above location, my journey stops here.
/usr/local/directadmin/data/users/admin/
I don't have a domains directory in this location.
Thanks -Jason
jdlitson
08-01-2004, 10:19 AM
As I navigate to the above location, my journey stops here.
/usr/local/directadmin/data/users/admin/
I don't have a domains directory in this location.
I do have a domains dir in that location. Don't know why I didn't see it before.
nobaloney
08-01-2004, 10:53 AM
Don't worry about it; my eyes go crazy on me sometimes, as well.
Let me know if my suggestions work out for you.
Jeff
skruf
08-01-2004, 10:56 AM
Hey Jason,
Everything seems to have remained the same. That was a good idea you had. I have also looked at my httpd.conf files afterwards, and repasting the certs did not change anything in the conf files.
Did you remove the entries in the httpd.conf first?
I'm just curious.
Also, you probably are but, you do restart Apache after any changes...
David
jdlitson
08-01-2004, 12:42 PM
1. In the linkdisk.com.conf this line was defaultdomain=no, so I changed it to defaultdomain=yes
2. In the /usr/local/directadmin/data/users/admin/domains/linkdisk.com.cacert file, at the end of every line was a ^M, so I deleted all of the ^M and saved the file.
3. This file did not exist: /usr/local/directadmin/data/users/admin/domains/linkdisk.com.cert, so I copied it and changed the group and permissions.
4. This file did not exist: /usr/local/directadmin/data/users/admin/domains/linkdisk.com.key, so I copied it and changed the group and permissions.
5. Currently my httpd.conf files are now pointing to a self-signed cert. I don't know if that makes any difference? When I view SSL in the browser it still shows up the same. From what I have read so far my httpd.conf files are supposed to be pointing to my .cert and .key files.
None of this made any difference in the way the certificate works.
BTW I did restart apache many times :p
I am going to contact DA support and see if they can find the problem.
Thank you both for your time and help -Jason
When the problem is found I will post the details here.
nobaloney
08-01-2004, 12:48 PM
Please do let us know, Jason.
I know I can find it if I log in, but I can only do that under contract. If DA owes you support let them try first :) .
I'm sure they can do it.
Just so you know, that ^M happens when the cert is uploaded from a Windows system without converting windows line endings to linux line endings. In many files (perl programs for example) it makes a difference, but it shouldn't in certs.
Jeff
jdlitson
08-01-2004, 01:01 PM
Hi Jeff,
DA doesn't owe me, but hopefully they will help?
Unfortunately, I don't have the funds to pay anyone, otherwise you would be the first person on my list of people to hire for any type of linux problem. And I do appreciate your help in the forum.
On the other hand I could trade service for service, such as if you needed any type of design work done in photoshop? Right now my time is the only form of currency.
Regards -Jason
skruf
08-01-2004, 02:44 PM
Hey,
There simply has to be something slightly out-a-whack....
What are the lines that are created in your linkdisk.com.conf file related to SSL?
What lines are created in your httpd.conf file for the domain related to SSL.
David
jdlitson
08-01-2004, 03:11 PM
Hey hey hey :),
What are the lines that are created in your linkdisk.com.conf file related to SSL? The only line that DA seemed to create properly was the line for the CA root cert. So, I would agree that something is "out-a-whack"? The rest I had to create manually, that is, the lines that Jeff told me were supposed to be in the linkdisk.com.conf file.
What lines are created in your httpd.conf file for the domain related to SSL. The lines in the httpd.conf file are not created auto-magically. According to the installation instructions, you are supposed to add the lines to your httpd.conf file manually.
Only when I installed the cert and key files using the DA CP did I see any change to my SSL while viewing it in my browser.
I have contacted DA support, so I am going to leave it alone until I hear back from them. I don't want to make any changes while or if they make any changes.
Regards -Jason
skruf
08-01-2004, 03:59 PM
Hey,
Be interesting what they say...
BTW, do you remember if it was SSL=on in the linkdisk.com.conf file?
David
jdlitson
08-01-2004, 04:01 PM
Yes, I was using a self signed cert before the one I am trying to install now. Also if it were not on you would get a page not found error.
Thanks -Jason
jdlitson
08-01-2004, 09:20 PM
Mark from DA fixed it! :D
Here is how he did it.
All I added was:
SSLCACertificateFile /etc/httpd/conf/ssl.crt/caroot.crt
to the https section in the /etc/httpd/conf/httpd.conf file (bottom) and pasted the CA certificate into that file.
Ok so now my main httpd conf file looks like this.
SSLEngine on
SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
SSLCACertificateFile /etc/httpd/conf/ssl.crt/caroot.crt
So, how the heck did this work anyway?
Well, I was wondering the same thing.
So I typed this: # cat /etc/httpd/conf/ssl.crt/server.crt
This showed the content of the server.crt file. I then took a look at my new certificate which I had pasted in the DA user control panel and it matched! I did the same for server.key and that matched as well.
So that means that the Key and Certificate that you paste into the Direct Admin user panel automagically updates these two files.
-Jason
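As an added example that is not part of this thread and not DirectAdmin's or FreeSSL's code: a small Python checker for the three mod_ssl file directives that catches the mistakes that came up above before Apache is restarted: a trailing slash on a path, the key and cert files swapped between SSLCertificateFile and SSLCertificateKeyFile, a BEGIN marker pasted on the same line as the base64 body, Windows ^M (CRLF) line endings, and a CA file that contains no certificate at all. The directory, file names and PEM bodies it writes are constructed for the demo; it checks PEM structure only and does not validate signatures or the chain itself.

```python
"""Lint the SSLCertificateFile / SSLCertificateKeyFile / SSLCACertificateFile setup.

Added example, not code from the thread or from DirectAdmin.  Constructed sample
files are written to a temp directory so the script runs offline anywhere.
"""
import base64
import binascii
import os
import re
import tempfile

# Directive -> PEM block type its file is expected to hold.
DIRECTIVES = {
    "SSLCertificateFile": "CERTIFICATE",
    "SSLCertificateKeyFile": "PRIVATE KEY",
    "SSLCACertificateFile": "CERTIFICATE",
}
MARKER = re.compile(r"^-----(BEGIN|END) ([A-Z ]+)-----$")


def parse_ssl_stanza(text):
    """Return {directive: path} for the mod_ssl file directives in a config snippet."""
    found = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and parts[0] in DIRECTIVES:
            found[parts[0]] = parts[1].strip().strip('"')
    return found


def lint_pem(data, expected_kind):
    """Check one PEM file body; return a list of problem strings (empty means OK)."""
    problems = []
    if b"\r\n" in data:
        problems.append("CRLF line endings (the ^M seen in the thread); convert to LF")
    text = data.decode("ascii", errors="replace").replace("\r\n", "\n")
    kinds, body, inside = [], [], False
    for line in text.splitlines():
        m = MARKER.match(line.strip())
        if m and m.group(1) == "BEGIN":
            inside, body = True, []
            kinds.append(m.group(2))
        elif m and inside:
            inside = False
            try:
                base64.b64decode("".join(body), validate=True)
            except binascii.Error:
                problems.append("base64 body of %s block does not decode" % m.group(2))
        elif m:
            problems.append("END marker without a matching BEGIN line")
        elif inside:
            body.append(line.strip())
        elif "-----BEGIN" in line or "-----END" in line:
            problems.append("marker is not on a line of its own: %r" % line.strip())
    if inside:
        problems.append("missing -----END----- line")
    # "RSA PRIVATE KEY" satisfies "PRIVATE KEY"; "CERTIFICATE REQUEST" does not satisfy "CERTIFICATE".
    if not any(k == expected_kind or k.endswith(" " + expected_kind) for k in kinds):
        problems.append("no %s block found (got %s)" % (expected_kind, kinds or "nothing"))
    return problems


def check_config(stanza_text):
    """Cross-check directive paths and file contents; return {directive: [problems]}."""
    report, paths = {}, parse_ssl_stanza(stanza_text)
    for directive, kind in DIRECTIVES.items():
        path, problems = paths.get(directive), []
        if path is None:
            report[directive] = ["directive missing from the stanza"]
            continue
        if path.endswith("/"):
            problems.append("path has a trailing slash; Apache cannot open a directory as a file")
            path = path.rstrip("/")
        if not os.path.isfile(path):
            problems.append("file does not exist: %s" % path)
        else:
            with open(path, "rb") as fh:
                problems += lint_pem(fh.read(), kind)
        report[directive] = problems
    return report


def demo():
    """Write constructed sample files and return (report for a bad stanza, report for a good one)."""
    fake = base64.b64encode(b"constructed placeholder, not a real certificate").decode()
    cert = "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % fake
    key = "-----BEGIN RSA PRIVATE KEY-----\n%s\n-----END RSA PRIVATE KEY-----\n" % fake
    bad_chain = "-----BEGIN CERTIFICATE----- %s\r\n-----END CERTIFICATE-----\r\n" % fake  # pasted badly
    d = tempfile.mkdtemp()
    for name, body in {"server.crt": cert, "server.key": key,
                       "chain.crt": bad_chain, "chain-ok.crt": cert}.items():
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(body.encode())
    # Constructed stanza reproducing the thread's mistakes: roles swapped, trailing slash, bad CA file.
    bad = "SSLEngine on\nSSLCertificateFile %s/server.key\nSSLCertificateKeyFile %s/server.crt\n" \
          "SSLCACertificateFile %s/chain.crt/\n" % (d, d, d)
    good = "SSLEngine on\nSSLCertificateFile %s/server.crt\nSSLCertificateKeyFile %s/server.key\n" \
           "SSLCACertificateFile %s/chain-ok.crt\n" % (d, d, d)
    return check_config(bad), check_config(good)


if __name__ == "__main__":
    for label, report in zip(("bad stanza", "good stanza"), demo()):
        print(label)
        for directive, problems in report.items():
            print("  %-22s %s" % (directive, "; ".join(problems) or "OK"))
```

Run it against a real vhost by passing the stanza text (or the whole httpd.conf) to check_config; an empty problem list for all three directives means the files are at least well-formed and in the right roles, which is the point at which the browser's "issuer is unknown" message becomes worth debugging at the chain level instead.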