Can't install successfully(?) issued cert in cPanel

I'm using the cPanel Let's Encrypt plugin. Recently, renewed certificates started failing to be installed. From a bit of searching I gather this is related to the R3 certificate expiration. So I tried to reinstall using the alternate chains, but I get either the same error

Error re-installing ssl certificate on domain
wordforge.net
Certificate 2 is expired

(for default or DST Root CA X3)

or

There was a problem processing your request

Error re-installing ssl certificate on domain
wordforge.net
The certificate could not be installed on the domain “wordforge.net”. Certificate bundle verification failed! Verification Result [ stdin: C = US, O = Let's Encrypt, CN = R3 error 20 at 0 depth lookup:unable to get local issuer certificate ]

for ISRG Root X1.

Attempting to install the certificates manually (cPanel>SSL/TLS>Generate, view, upload, or delete SSL certificates) results in the second error again. Appreciate the help here, I'm rather in over my head on this.

My domain is: wordforge.net (there is also a certificate installed for host.wordforge.net for cPanel and WHM themselves). I'm trying to use the Let's Encrypt certificate for (www.)wordforge.net.

I ran this command: see above

It produced this output: see above

My web server is (include version): Apache/2.2.32 (Unix)

The operating system my web server runs on is (include version): CentOS 6.10 i686 virtuozzo

My hosting provider, if applicable, is: I don't know who the VPS provider is, but I have WHM access.

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): cPanel 56.0.52

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): Let's Encrypt Plugin version: 0.19.1

Welcome to the Let's Encrypt Community

It appears that you have managed to successfully acquire many Let's Encrypt certificates covering wordforge.net and www.wordforge.net):

https://crt.sh/?q=wordforge.net

When you mention the "Let's Encrypt Plugin", I believe you're referring to what is now known as FleetSSL, which is highly discouraged by cPanel. There have been numerous issues with that plugin. The official plugin for managing Let's Encrypt certificates in cPanel is AutoSSL. If you do not have and cannot install AutoSSL, I can recommend using CertSage, the ACME client I authored and optimized for acquiring Let's Encrypt certificates with cPanel hosting.

This R3 is expired (and has been retired for a long time now):

https://letsencrypt.org/certs/lets-encrypt-r3-cross-signed.pem

This R3 is current:

https://letsencrypt.org/certs/lets-encrypt-r3.pem

If you want to use the "long chain", use that last R3 PEM file I provided along with this one:

https://letsencrypt.org/certs/isrg-root-x1-cross-signed.pem

Only using the R3 intermediate certificate without using the ISRG Root X1 intermediate certificate is known as using the "short chain".

Personally, I use the "short chain" with my GoDaddy cPanel shared hosting because it avoids some headaches in cPanel that using the "long chain" can cause, particularly with the mail subdomain.

Thanks for the quick reply.

As I think you guessed, I can't install AutoSSL because it requires WHM+cPanel 58 or later, and those don't work on 32-bit systems. I can't change the VM to 64-bit anytime soon.

I tried following the CertSage installation instructions, but step 5 is not working:

404 Not Found
The server can not find the requested page:

wordforge.net/certsage.php (port 443)
Please forward this error screen to wordforge.net's WebMaster.

I can't seem to access the site over HTTP at all since trying to use the SSL/TLS control panel to install manually. It looks like it's force upgrading to SSL, but pointing everything to the wrong web root (presumably, host.wordforge.net's). I don't have a "Domains" button in the Domains section in my cPanel to turn it off or on (as per the instructions at the bottom of the CertSage link).

I think something has gone wrong with the trust store on your cPanel server. The cPanel API shouldn't be producing those verification errors for an unexpired Let's Encrypt certificate (regardless of what ACME client you used to get it).

What is the output of:

trust dump --filter="pkcs11:id=%79%b4%59%e6%7b%b6%e5%e4%01%73%80%08%88%c8%1a%58%f6%e9%9b%6e;type=cert"

Trying just the short chain gets me the [ stdin: C = US, O = Let's Encrypt, CN = R3 error 20 at 0 depth lookup:unable to get local issuer certificate ] error, while trying to use the long chain results in Certificate 2 is expired.

In both cases I'm putting them in the SSL/TLS>Manage SSL Websites>Install an SSL website page's Certificate Authority Bundle (CABUNDLE) field.

-bash: trust: command not found

Huh. Try after installing this command:

yum -y install p11-kit-trust

I think @_az is on the right track. I'm wondering which specific certificates it thinks are expired. When you only use the current R3 PEM I provided, are you getting that error 20? I'm just making sure you aren't using the expired R3.

I can confirm that you have the following redirects in place (all from Apache):

http://wordforge.net/certsage.php
302 Found
https://wordforge.net/certsage.php
404 Not Found

http://www.wordforge.net/certsage.php
302 Found
https://wordforge.net/certsage.php
404 Not Found

http://host.wordforge.net/certsage.php
404 Not Found

This is odd because I'm used to cPanel putting 301 redirects in the Apache configuration, not 302 redirects. This makes me wonder if the 302 redirects are in .htaccess files.

https://redirect-checker.org/

By the by, be sure to take @_az's recommendations with precedence over mine. He has much more experience.

root@host [~]# yum -y install p11-kit-trust
Loaded plugins: fastestmirror
Setting up Install Process
Loading mirror speeds from cached hostfile
epel/metalink                                            | 4.1 kB     00:00     
 * epel: d2lzkl7pfhq30w.cloudfront.net
base                                                     | 3.7 kB     00:00     
extras                                                   | 3.3 kB     00:00     
letsencrypt-cpanel                                       | 2.9 kB     00:00     
psrepo                                                   | 2.9 kB     00:00     
updates                                                  | 3.4 kB     00:00     
Package p11-kit-trust-0.18.5-2.el6_5.2.i686 already installed and latest version
root@host [~]# trust dump --filter="pkcs11:id=%79%b4%59%e6%7b%b6%e5%e4%01%73%80%08%88%c8%1a%58%f6%e9%9b%6e;type=cert"
-bash: trust: command not found
root@host [/etc]# p11-kit trust dump --filter="pkcs11:id=%79%b4%59%e6%7b%b6%e5%e4%01%73%80%08%88%c8%1a%58%f6%e9%9b%6e;type=cert"
p11-kit: 'trust' is not a valid p11-kit command. See 'p11-kit --help'
root@host [/etc]# p11-kit --help
usage: p11-kit command <args>...

Common p11-kit commands are:
  extract          Extract certificates
  list-modules     List modules and tokens

See 'p11-kit <command> --help' for more information
root@host [~]# p11-kit list-modules
p11-kit-trust: /usr/lib/pkcs11/p11-kit-trust.so
    library-description: PKCS#11 Kit Trust Module
    library-manufacturer: PKCS#11 Kit
    library-version: 0.18
    token: System Trust
        manufacturer: PKCS#11 Kit
        model: p11-kit-trust
        serial-number: 1
        hardware-version: 0.18
        flags:
               write-protected
               token-initialized
    token: Default Trust
        manufacturer: PKCS#11 Kit
        model: p11-kit-trust
        serial-number: 1
        hardware-version: 0.18
        flags:
               write-protected
               token-initialized
root@host [~]# echo $PATH
/usr/local/jdk/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/X11R6/bin:/usr/local/apache/bin:/root/bin

Where is trust supposed to live?

Yep, definitely using the current R3 PEM.

Okay, one problem down, thank you. Found a redirect a predecessor had left me, so I've got the site back up using HTTP, at least.

        RewriteCond %{SERVER_PORT} 80
        RewriteRule ^(.*)$ https://wordforge.net/$1 [R,L]

Do you think it's still worth trying Certsage?

Try finding it:
which trust
find / -name trust

Both print nothing.

It should be:
/usr/bin/trust

[not sure what's going on with your system]

Ah, I just noticed you are on CentOS 6 and cPanel 56.

I don't think there is any straightforward way to fix this issue, running on software this old. Sorry.

Since certificate installation is the problem, CertSage won't help since its role is to acquire certificates. If you can directly modify your Apache configuration (per your root access), we can install the certificates (and redirects) directly.

What's the output of:

sudo apachectl -S

root@host [~]# apachectl -S
VirtualHost configuration:
127.0.0.1:80           is a NameVirtualHost
         default server host.wordforge.net (/usr/local/apache/conf/httpd.conf:366)
         port 80 namevhost host.wordforge.net (/usr/local/apache/conf/httpd.conf:366)
127.0.0.1:443          host.wordforge.net (/usr/local/apache/conf/httpd.conf:424)
67.222.30.83:443       is a NameVirtualHost
         default server host.wordforge.net (/usr/local/apache/conf/httpd.conf:330)
         port 443 namevhost host.wordforge.net (/usr/local/apache/conf/httpd.conf:330)
         port 443 namevhost host.wordforge.net (/usr/local/apache/conf/httpd.conf:424)
67.222.31.83:443       is a NameVirtualHost
         default server host.wordforge.net (/usr/local/apache/conf/httpd.conf:424)
         port 443 namevhost host.wordforge.net (/usr/local/apache/conf/httpd.conf:424)
67.222.31.83:80        is a NameVirtualHost
         default server wordforge.net (/usr/local/apache/conf/httpd.conf:293)
         port 80 namevhost wordforge.net (/usr/local/apache/conf/httpd.conf:293)
         port 80 namevhost host.wordforge.net (/usr/local/apache/conf/httpd.conf:366)
wildcard NameVirtualHosts and _default_ servers:
*:*                    is a NameVirtualHost
         default server host.wordforge.net (/usr/local/apache/conf/httpd.conf:270)
         port * namevhost host.wordforge.net (/usr/local/apache/conf/httpd.conf:270)
Syntax OK