Full Version: HOWTO: Cleanup messy SSL Certificate installations!
The Planet Forums > Control Panels > cPanel/WHM
aussie
I struggled with cleaning up the absolute mess that SSL Manager makes out of installing something that should be a no-brainer, SSL CERTS. Have you looked at your SSL Manager listing in WHM lately? Do you know which certs are current and which are not? Are you seeing certs with the extension TEST and OLD? Not only that, my GeoTrust and FREESSL cert didn't install through the SSL Manager GUI. It just gave me one problem after another for about 3 days and still it wouldn't install properly from the GUI.

The only way to clean up the mess is to clean up SSL Manager. Every cert should only have 3 certs and possibly a cabundle, and it should appear on ONE LINE, not spread out across zillions of lines displaying OLD and unused certs. I cleaned mine up. Now I have 3 certs displayed on one line and 3 cabundle files and that's it. You don't need to see anything more.

The only way to install certs is manually! Amen!

HOW TO CLEAN UP THE MESS!

su to your box

Open up WHM & SSL Manager on the box you're going to clean up.

Your certs are stored in a directory called

/usr/share/ssl/certs

Go into that directory:

cd /usr/share/ssl/certs

The only files you need in this directory are

ftpd-dsa.pem -> /etc/ftpd-dsa.pem
ftpd-rsa.pem -> /etc/ftpd-rsa.pem
imapd.pem
ipop3d.pem
dummy-cert
Makefile
srv08.primenet.cc.cabundle -- My state of authority cert
srv08.primenet.cc.crt -- My signed certificate
srv08.primenet.cc.csr -- My CSR

Nothing else!

Everything else should be REMOVED WITH CARE.

Go into your private key directory

cd /usr/share/ssl/private

Again, the only files you need in this directory are:

ftpd-dhparam.pem -> /etc/ftpd-dhparam.pem
ftpd-dsa-key.pem -> /etc/ftpd-dsa-key.pem
ftpd-rsa-key.pem -> /etc/ftpd-rsa-key.pem
srv08.primenet.cc.key -- My private key.

Nothing else.

Everything else should be removed with care.

In WHM simply REFRESH your screen. Clean as a whistle.

HOWTO INSTALL A FREESSL CERT:

This procedure works flawlessly and is the only way I could install this cert without problems. No mess, very little fuss, and it keeps your SSL Manager display free of clutter.

My example here uses a hostname called my.securesite.com. You will replace my.securesite.com with the name of your cert.

Go into the cert directory:

cd /usr/share/ssl/certs

You should already see a .csr file in this directory; mine is called:

my.securesite.com.csr

You want to create a .cabundle and a .crt file and manually copy the certs from your e-mail into these files.

Create the .cabundle file

pico my.securesite.com.cabundle

Copy and paste the certificate of authority cert from your email into this file. It should be called something like The ChainedSSL Baltimore Intermediate Certificate.

Ctrl-X and save after pasting.

Create the .crt file

pico my.securesite.com.crt

Copy and paste the cert that says Your Web Server Certificate into this file.

Ctrl-X and save after pasting.

You're done in this directory.

cd into the private key directory:

cd /usr/share/ssl/private

You should already see a matching file called my.securesite.com.key in here. Don't touch it, you're done!

Before reloading SSL Manager you need to make the necessary adjustments to httpd.conf.

cd /etc/httpd/conf/

pico httpd.conf

Scroll to the bottom of the file and add this entry for your FREESSL cert!


<VirtualHost 111.11.111.111:443>
ServerAdmin webmaster@my.securesite.com
DocumentRoot /usr/local/apache/htdocs
BytesLog domlogs/my.securesite.com-bytes_log
ServerName my.securesite.com
CustomLog /usr/local/apache/domlogs/my.securesite.com-ssl_log "%t %{version}c %{cipher}c %{clientcert}c"
SSLEnable
SSLCertificateFile /usr/share/ssl/certs/my.securesite.com.crt
SSLCertificateKeyFile /usr/share/ssl/private/my.securesite.com.key
SSLCACertificateFile /usr/share/ssl/certs/my.securesite.com.cabundle
SSLLogFile /var/log/my.securesite.com
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
</VirtualHost>

NOTE: Replace the 111.11.111.111 IP above with your server IP.
Replace my.securesite.com with the proper name of your certificate.

IMPORTANT: If this cert is being installed on an IP that you have given a client, say you gave him an IP-based site, then you need to change 111.11.111.111 above to the IP you assigned him, and you also need to change line four above, that's bolded out, from:

DocumentRoot /usr/local/apache/htdocs

to

DocumentRoot /home/{username}/public_html

Otherwise, 111.11.111.111 should be replaced with the shared IP that's assigned to your server, and DocumentRoot /usr/local/apache/htdocs is the correct setting.

Save, Ctrl-X, and restart Apache: /etc/rc.d/init.d/httpd stop, then start. SSL is much happier being stopped first and then started.

Now go back into WHM and reload WHM. In SSL Manager you should see your FREESSL cert! No clutter no mess.
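For the "removed with care" step above (and the later advice to read httpd.conf to see where a stray cert is hiding), here is an added helper that is not from the thread: it lists the files in a cPanel SSL directory that httpd.conf does not reference, keeping the baseline files the post says must stay. It assumes the Apache 1.3-era directives shown in the post and paths without spaces.

```shell
#!/bin/sh
# Added example, not from the thread: list the files under the cPanel SSL
# directories that httpd.conf does not reference, so the "remove with care"
# step works from Apache's view of things instead of the SSL Manager listing.
# Assumes the thread's directives (SSLCertificateFile, SSLCertificateKeyFile,
# SSLCACertificateFile) and paths without spaces.

# Files the thread keeps regardless of what httpd.conf references.
KEEP_ALWAYS='ftpd-dsa.pem ftpd-rsa.pem imapd.pem ipop3d.pem dummy-cert Makefile
ftpd-dhparam.pem ftpd-dsa-key.pem ftpd-rsa-key.pem'

# Print every path named by an SSL*File directive in the given httpd.conf.
ssl_referenced_paths() {
    awk '$1 == "SSLCertificateFile" || $1 == "SSLCertificateKeyFile" ||
         $1 == "SSLCACertificateFile" { print $2 }' "$1"
}

# Print the files in DIR that are neither kept by default nor referenced by
# CONF. A .csr stays if the .crt it produced is referenced.
ssl_unreferenced_files() {
    conf=$1; dir=$2
    refs=$(ssl_referenced_paths "$conf")
    for f in "$dir"/*; do
        if [ ! -e "$f" ]; then continue; fi   # empty dir: glob stays literal
        name=$(basename "$f")
        keep=0
        for k in $KEEP_ALWAYS; do if [ "$name" = "$k" ]; then keep=1; fi; done
        if [ $keep -eq 1 ]; then continue; fi
        want=$f
        case "$name" in *.csr) want="${f%.csr}.crt" ;; esac
        hit=0
        for r in $refs; do if [ "$r" = "$want" ]; then hit=1; fi; done
        if [ $hit -eq 0 ]; then echo "$name"; fi
    done
}

# Usage on a live box (review the output before deleting anything):
#   ssl_unreferenced_files /etc/httpd/conf/httpd.conf /usr/share/ssl/certs
#   ssl_unreferenced_files /etc/httpd/conf/httpd.conf /usr/share/ssl/private
```

The output is a candidate list only; a file that WHM or the cpsrvd ports use without an httpd.conf entry will show up here too, so check it before removing.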
jondolar
I never received the certificate of authority cert from FreeSSL. Where do I get this?

Thanks.

P.S. Nice document.
AusJeff
Neither did I. Only the one file and the website says click here and that page is dead :-(
Michael
Nice how-to. I actually got a site's SSL working without the how-to. Was pretty easy. Then I read this and went back and cleaned up the mess afterwards.

Also, I found this article to explain a lot of the questions left unanswered regarding CPanel SSL:
http://forums.cpanel.net/showthread.php?s=...=&threadid=8889

I still don't have SSL working for WHM or CPanel (just a static IP site). So that's what I'm working on now.

I can't seem to get rid of the plain.rackshack.net certificate. And the plain.rackshack.net certificate only shows up on the WHM/CPanel SSL Ports. Any suggestions?

I know someone else here had the same problem and the only solution posted was to IM aussie and stay up until 3 AM.
AusJeff
If it's not in the normal directory, have you tried a whereis?

If that fails, read your httpd.conf file; that will certainly tell you where it's hiding.

And well us Aussies have to wait till 3am for you lot to wake up :-)

(Posted at 0130 AussieStandardTime :-)
Michael
What would I search for in the httpd.conf file?
Michael
I searched for plain.rackshack.net and replaced all of them. Really annoying considering that I carefully updated the server name, server admin email, and more through WHM. But yet it was as if I never made the changes to those values.

SSL certificate for the secure ports still showing up as plain.rackshack.net though...
Michael
Rebooted after making those changes and about 4 hours of trying different things this morning. Works now!!

/me kills CPanel and goes and plays with his trusty Ensim box for a while.
AusJeff
HeHe....Swap you...my Ensim Pro box for your CPanel.

Ohhh, locked myself out, so can't get in via SSH (just a small problem).
Michael
I'm about to install a firewall on mine, so hmmm, it's not that bad of a deal!

/me prays he doesn't lock himself out
Michael
Okay, I just had to go through the whole process again because I just purchased my SSL certificate from Rackshack/Geotrust to replace my self-signed test.

For those who posted questions about the "pass phrase". It doesn't interfere with anything. I chose a pass phrase when I generated the CSR and Geotrust didn't care.

Also, the cabundle stuff can be ignored. Geotrust doesn't need it.

If you have the self-signed certificate up and running then this is the easiest way of switching to the Geotrust certificate.

1) pico -w /usr/share/ssl/certs/yourservername.com.crt
[Erase everything using Ctrl-K, copy and paste your Geotrust SSL into the file and remove any blank lines at the top or bottom, then Ctrl-X and save changes]

2) service httpd restart

If this is for a static IP SSL or your shared SSL then the certificate should work now. Test: https://server.yourdomain.com/~username or simply https://yourdomain.com/ for a static IP domain.

If you were installing this for your server's WHM/CPanel then you need to do the following:

1) Login to WHM and go to Change CPanel/WHM Certificate
2) Copy and paste the certificate from Geotrust into the first box
3) Enter the domain name into the second box where it asks.
4) Fetch the private key
5) Do it!

Then test it (for me it did not work yet). If it does not work, then reboot! (I tried restarting httpd and cpanel but that did not work, so reboot is the only solution from what I can tell)

Then it will work: https://yourserver:2087/ for WHM
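Both the manual install in the first post and the .crt swap above end with a restart and hope. As an added check, not from the thread, the script below confirms that the .crt, .key and (if present) .cabundle for a hostname under the /usr/share/ssl layout belong together before Apache is restarted. It requires the openssl CLI and assumes RSA keys, which is what the CSRs in this thread produce.

```shell
#!/bin/sh
# Added example, not from the thread: sanity-check the .crt/.key/.cabundle
# trio for one hostname before restarting Apache, so a pasted-in cert that
# does not match the key (or a bundle from the wrong CA) is caught here rather
# than by a failed httpd start. Requires the openssl CLI; assumes RSA keys.

# Return 0 if the public key in CRT belongs to the private key in KEY, by
# comparing the RSA modulus of both. An encrypted key prompts for its
# pass phrase here, just as it would at httpd start.
ssl_key_matches_cert() {
    crt=$1; key=$2
    cmod=$(openssl x509 -noout -modulus -in "$crt" 2>/dev/null) || return 1
    kmod=$(openssl rsa -noout -modulus -in "$key" 2>/dev/null) || return 1
    [ -n "$cmod" ] && [ "$cmod" = "$kmod" ]
}

# Return 0 if CRT was issued by a certificate in BUNDLE (the intermediate the
# CA e-mailed). -partial_chain lets the bundle act as the trust anchor for
# this check, so the root need not be in the system store (OpenSSL 1.0.2+).
ssl_cert_chains_to_bundle() {
    openssl verify -partial_chain -CAfile "$2" "$1" >/dev/null 2>&1
}

# Check HOST under the thread's layout (certs dir and private dir optional).
# Prints one line per problem; returns non-zero if anything failed.
ssl_check_site() {
    host=$1; certs=${2:-/usr/share/ssl/certs}; priv=${3:-/usr/share/ssl/private}
    rc=0
    ssl_key_matches_cert "$certs/$host.crt" "$priv/$host.key" \
        || { echo "$host: $host.key does not match $host.crt"; rc=1; }
    if [ -f "$certs/$host.cabundle" ]; then
        ssl_cert_chains_to_bundle "$certs/$host.crt" "$certs/$host.cabundle" \
            || { echo "$host: $host.crt does not chain to $host.cabundle"; rc=1; }
    fi
    return $rc
}

# Usage on a live box: only restart when the files agree.
#   ssl_check_site my.securesite.com && service httpd restart
```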