Certificate obtained but certificate on server is different


#1

Please fill out the fields below so we can help you better.

My domain is: cleardesk.co

I ran this command: ./getssl -f cleardesk.co

It produced this output:

Registering account
Verify each domain
Verifying cleardesk.co
cleardesk.co is already validated
Verifying www.cleardesk.co
www.cleardesk.co is already validated
Verification completed, obtaining certificate.
Certificate saved in /root/.getssl/cleardesk.co/cleardesk.co.crt
The intermediate CA cert is in /root/.getssl/cleardesk.co/chain.crt
copying domain certificate to /etc/ssl/certs/domain.crt
copying private key to /etc/ssl/private/domain.key
getssl: cleardesk.co - certificate obtained but certificate on server is different from the new certificate

I ran this command: openssl req -in "/home/clearde3/ssl/certs/www.cleardesk.co.csr" -noout -text

It produced this output:

Subject: C=GB, CN=*.cleardesk.co

NOTE 1: it looks like the old Comodo wildcard *.domain csr is still in place - don’t know how to update it?

NOTE 2: I cannot see the new certificate in WHM when I try to add it - all the old expired Comodo certs are still there?

My operating system is (include version):
Linux server.cleardesk.co 2.6.32-642.6.2.el6.x86_64 #1 SMP Wed Oct 26 06:52:09 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux

My web server is (include version): Apache/2.2.26 (Unix) mod_ssl/2.2.26 OpenSSL/1.0.1e-fips

My hosting provider, if applicable, is: Bluehost

I can login to a root shell on my machine (yes or no, or I don’t know): yes (ssh via Mac)

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
CPanel - 60.0 (build 19)


#2

and…

Can you see the difference? :wink:

Firstly: the last one is a CSR, not a certificate.

Secondly, the locations are different.


#3

Thanks for the reply - yes indeed these are in different locations. The problem I have:

  1. How do I get Apache to use the new certificate & key in (/etc/ssl/certs/domain.crt && /etc/ssl/private/domain.key)?
  2. How do I change/update the old CSR (/home/clearde3/ssl/certs/www.cleardesk.co.csr), as this contains a different domain, e.g. wildcard *.cleardesk.co --> the new cert is only valid for a single domain, e.g. cleardesk.co?
  3. Regarding (2), can this stay in the current location, as it is different from (/etc/ssl/certs/)?

Cheers Chris


#4

You have several options …

  1. edit the apache config to point to the correct location ( you probably don’t want to as cpanel probably writes this )
  2. create a symlink in the location where apache is currently obtaining the files from - and link to the /root/.getssl/cleardesk.co/ location
  3. configure getssl to copy the files to the current location in apache ( https://github.com/srvrco/getssl/wiki/Config-variables )

Yes, it can stay in the current location - it’s not used.


#5

Super thanks a lot!!! really appreciated - will try these…

Final question: Why don’t I need to place the CSR in the same folder as the CRT - what use does it have??

Cheers - DailyOliver


#6

Hi guys, thanks for all your help.

I keep getting "certificate obtained but certificate on server is different from the new certificate" - what does this mean??? I have downloaded the new cert into the correct location for Apache as suggested by serverco - I can’t seem to find a way out of this?? Output below; any help would be very much appreciated.

root@server.cleardesk.co [~]# ./getssl -f cleardesk.co

A more recent version (v1.84) of getssl is available, please update
the easiest way is to use the -u or --upgrade flag

existing csr at /root/.getssl/cleardesk.co/cleardesk.co.csr does not have the same domains as the config - re-create-csr
creating domain csr - /root/.getssl/cleardesk.co/cleardesk.co.csr
Registering account
Verify each domain
Verifying cleardesk.co
cleardesk.co is already validated
Verification completed, obtaining certificate.
Certificate saved in /root/.getssl/cleardesk.co/cleardesk.co.crt
The intermediate CA cert is in /root/.getssl/cleardesk.co/chain.crt
copying domain certificate to /home/clearde3/ssl/certs/www.cleardesk.co.crt
copying private key to /home/clearde3/ssl/private/www.cleardesk.co.key
getssl: cleardesk.co - certificate obtained but certificate on server is different from the new certificate


#7

If you keep using -f to force new certificates you will simply hit the rate limits and not be able to get more certificates for a period, so please don’t do that :wink:

I’d suggest following this, and upgrading ( using the -u flag )

It means that you have a new certificate - but your current webserver isn’t using it. Maybe you haven’t restarted / reloaded the webserver?

I’d suggest restarting it and checking - then checking your certificate (as currently you are using an SSL cert from bluehost).
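
The condition behind the getssl message can be checked by hand: compare the SHA-256 fingerprint of the newly issued certificate file with the fingerprint of the certificate the web server actually presents. This is an added example, not part of the thread and not getssl's own code; the function names are hypothetical, and `make_sample_cert` only creates throwaway self-signed certificates (constructed test data) so the comparison can be tried offline.

```shell
#!/bin/sh
# Added example: is the web server presenting the certificate that was just issued?
# Usage (script name is an assumption): sh check_cert.sh <domain> <new-cert.pem>

# SHA-256 fingerprint of a PEM certificate file.
file_fp() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# SHA-256 fingerprint of the leaf certificate served by host ($1) on port ($2,
# default 443). -servername sends SNI so a name-based vhost returns its own cert.
served_fp() {
    openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# Compare the new file's fingerprint ($1) with the served one ($2).
# Returns 0 on a match, 1 on a mismatch or when nothing could be fetched.
compare_fp() {
    if [ -n "$1" ] && [ "$1" = "$2" ]; then
        echo "match: server is using the new certificate"
        return 0
    fi
    echo "mismatch: new=$1 served=${2:-<none>}"
    return 1
}

# Constructed sample data: throwaway self-signed cert for CN $1 written to $2
# (its key goes to $2.key). Only for trying the comparison without a server.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$2.key" -out "$2" 2>/dev/null
}

# Live check, only when a domain and a certificate path are given.
if [ "$#" -eq 2 ]; then
    compare_fp "$(file_fp "$2")" "$(served_fp "$1")"
fi
```

A mismatch after a reload means Apache is still reading the certificate from a different path than the one the new file was copied to.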


#8

A CSR is used to obtain a certificate from a certificate authority. But only the certificate itself is presented to end-users like site visitors. As a vague analogy, to get a passport you need to complete a passport application. But when you travel to another country, you show the customs authorities there your passport, not your passport application. Depending on your situation, you likely have no need to retain a copy of your own passport application at all, once your passport has already been issued. But when it expires, you’ll need to complete a new one to get a new passport.

