Cpanel certificate installation failed with cert obtained using getssl

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: ancestryweb.org

I ran this command: ./getssl

It produced this output: files: ancestryweb.org.crt, ancestryweb.org.key, ancestryweb.org.csr, chain.crt, fullchain.crt

My web server is (include version): Apache 2.2.31

The operating system my web server runs on is (include version): Linux version 4.19.150-76.ELK.el6.x86_64 (mockbuild@bambooagent01.atlassian.endurance.com) (gcc version 7.3.1 20180303 (Red Hat 7.3.1-5) (GCC)) #1 SMP Wed Oct 7 01:34:10 CDT 2020

My hosting provider, if applicable, is: site5

I can login to a root shell on my machine (yes or no, or I don't know): no

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): yes, 70.0

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): getssl, v2.41

I used ancestryweb.org.crt as the new certificate.
I used ancestryweb.org.key as the private key.
When I used chain.crt as the CA Bundle, I got the following error when trying to install the certificate:

Certificate verification failed! The system did not find the root certificate that corresponds to the supplied Certificate Authority Bundle’s intermediate certificate. Please supply a full Certificate Authority Bundle with the root certificate included.

I also tried using fullchain.crt and that also didn't work: it actually has three certificates in it, but I can't even install it because cPanel says the CA bundle is invalid.

2 Likes

Welcome to the Let's Encrypt Community, Stephen :slightly_smiling_face:

Try using this certificate as the CA bundle:

https://letsencrypt.org/certs/lets-encrypt-r3-cross-signed.pem

If you find that you also need the root certificate, use this certificate:

https://letsencrypt.org/certs/trustid-x3-root.pem.txt

3 Likes

The first is your leaf certificate (same as ancestryweb.org.crt). The last two are these:

https://letsencrypt.org/certs/lets-encrypt-r3.pem

https://letsencrypt.org/certs/isrg-root-x1-cross-signed.pem

which are the same as chain.crt.

The root here is also:

https://letsencrypt.org/certs/trustid-x3-root.pem.txt

3 Likes

This one (as the CA bundle) will only last until later this month:

https://letsencrypt.org/certs/lets-encrypt-r3-cross-signed.pem

These two (as the CA bundle) are equivalent to the one above and will last much longer:

https://letsencrypt.org/certs/lets-encrypt-r3.pem

https://letsencrypt.org/certs/isrg-root-x1-cross-signed.pem

3 Likes

Sorry for the many posts. If none of those work or they fail later this month, use these two (as the CA bundle):

https://letsencrypt.org/certs/lets-encrypt-r3.pem

https://letsencrypt.org/certs/isrgrootx1.pem

That last one is a true, self-signed root.

3 Likes

Hi @stephening

I'm one of the maintainers of getssl and use cPanel myself but haven't seen this problem with my hosting provider (namecheap).

Can you try adding the following line to your getssl.cfg:

```
FULL_CHAIN_INCLUDE_ROOT="true"
```

The fullchain.crt file will then include the root certificate.

3 Likes

Thanks so much for your response. I really appreciate it! I tried what you supplied with the crt and private key I generated with getssl, and when I tried to install in cPanel, it said:

The CA bundle does not match the certificate.

I guess this brings me to a related question. Is the CA bundle somehow tied to the cert or the private key? If so, how were you able to produce a CA bundle for me without those? If not, then can everyone use the same CA bundle from Let's Encrypt?

3 Likes

Thank you so much for responding. I tried what you suggested and when I tried installing it, the fullchain.crt was not a valid CA bundle. When I tried the chain.crt file, it didn't say it was invalid, but when I tried to install it said:

Certificate verification failed! The system did not find the root certificate that corresponds to the supplied Certificate Authority Bundle’s intermediate certificate. Please supply a full Certificate Authority Bundle with the root certificate included.

The following is my top level cfg:

```sh
# vim: filetype=sh
#
# This file is read first and is common to all domains
#
# Uncomment and modify any variables you need
# see https://github.com/srvrco/getssl/wiki/Config-variables for details
#
# The staging server is best for testing (hence set as default)
CA="https://acme-staging-v02.api.letsencrypt.org"
# This server issues full certificates, however has rate limits
#CA="https://acme-v02.api.letsencrypt.org"

# The agreement that must be signed with the CA, if not defined the default agreement will be used
#AGREEMENT=""

# Set an email address associated with your account - generally set at account level rather than domain.
#ACCOUNT_EMAIL="me@example.com"
ACCOUNT_KEY_LENGTH=4096
ACCOUNT_KEY="/home/ancestry/.getssl/account.key"

# Account key and private key types - can be rsa, prime256v1, secp384r1 or secp521r1
#ACCOUNT_KEY_TYPE="rsa"
PRIVATE_KEY_ALG="rsa"
#REUSE_PRIVATE_KEY="true"

# Preferred Chain - use a different certificate root from the default
# This uses wildcard matching so requesting "X1" returns the correct certificate - may need to escape characters
# Staging options are: "(STAGING) Doctored Durian Root CA X3" and "(STAGING) Pretend Pear X1"
# Production options are: "ISRG Root X1" and "ISRG Root X2"
#PREFERRED_CHAIN="\(STAGING\) Pretend Pear X1"

# Uncomment this if you need the full chain file to include the root certificate (Java keystores, Nutanix Prism)
FULL_CHAIN_INCLUDE_ROOT="true"

# The command needed to reload apache / nginx or whatever you use.
# Several (ssh) commands may be given using a bash array:
# RELOAD_CMD=('ssh:sshuserid@server5:systemctl reload httpd' 'logger getssl for server5 efficient.')
#RELOAD_CMD=""

# The time period within which you want to allow renewal of a certificate
#  this prevents hitting some of the rate limits.
# Creating a file called FORCE_RENEWAL in the domain directory allows one-off overrides
# of this setting
RENEW_ALLOW="30"

# Define the server type. This can be https, ftp, ftpi, imap, imaps, pop3, pop3s, smtp,
# smtps_deprecated, smtps, smtp_submission, xmpp, xmpps, ldaps or a port number which
# will be checked for certificate expiry and also will be checked after
# an update to confirm correct certificate is running (if CHECK_REMOTE is set to true)
SERVER_TYPE="https"
CHECK_REMOTE="true"

# Use the following 3 variables if you want to validate via DNS
#VALIDATE_VIA_DNS="true"
#DNS_ADD_COMMAND=
#DNS_DEL_COMMAND=

# Unusual configurations (especially split views) may require these.
# If you have a mixture, these can go in the per-domain getssl.cfg.
#
# If you must use an external DNS Server (e.g. due to split views)
# Specify it here.  Otherwise, the default is to find the zone master.
# The default will usually work.
# PUBLIC_DNS_SERVER="8.8.8.8"

# If getssl is unable to determine the authoritative nameserver for a domain
# it will ask you to enter AUTH_DNS_SERVER.  This is a server that
# can answer queries for the zone - a master or a slave, not a recursive server.
# AUTH_DNS_SERVER="10.0.0.14"
```

and the following is my domain level cfg:
```sh
# vim: filetype=sh
#
# This file is read second (and per domain if running with the -a option)
# and overwrites any settings from the first file
#
# Uncomment and modify any variables you need
# see https://github.com/srvrco/getssl/wiki/Config-variables for details
# see https://github.com/srvrco/getssl/wiki/Example-config-files for example configs
#
# The staging server is best for testing
#CA="https://acme-staging-v02.api.letsencrypt.org"
# This server issues full certificates, however has rate limits
#CA="https://acme-v02.api.letsencrypt.org"

# Private key types - can be rsa, prime256v1, secp384r1 or secp521r1
#PRIVATE_KEY_ALG="rsa"

# Additional domains - this could be multiple domains / subdomains in a comma separated list
# Note: this is Additional domains - so should not include the primary domain.
SANS=""

# Acme Challenge Location. The first line for the domain, the following ones for each additional domain.
# If these start with ssh: then the next variable is assumed to be the hostname and the rest the location.
# An ssh key will be needed to provide you with access to the remote server.
# Optionally, you can specify a different userid for ssh/scp to use on the remote server before the @ sign.
# If left blank, the username on the local server will be used to authenticate against the remote server.
# If these start with ftp:/ftpes:/ftps: then the next variables are ftpuserid:ftppassword:servername:ACL_location
# These should be of the form "/path/to/your/website/folder/.well-known/acme-challenge"
# where "/path/to/your/website/folder/" is the path, on your web server, to the web root for your domain.
# ftp: uses regular ftp; ftpes: ftp over explicit TLS (port 21); ftps: ftp over implicit TLS (port 990).
# ftps/ftpes support FTPS_OPTIONS, e.g. to add "--insecure" to the curl command for hosts with self-signed certificates.
# You can also use WebDAV over HTTPS as transport mechanism. To do so, start with davs: followed by username,
# password, host, port (explicitly needed even if using default port 443) and path on the server.
# Multiple locations can be defined for a file by separating the locations with a semi-colon.
ACL=('/home/ancestry/public_html/.well-known/acme-challenge')
#ACL=('/var/www/ancestryweb.org/web/.well-known/acme-challenge'
#     'ssh:server5:/var/www/ancestryweb.org/web/.well-known/acme-challenge'
#     'ssh:sshuserid@server5:/var/www/ancestryweb.org/web/.well-known/acme-challenge'
#     'ftp:ftpuserid:ftppassword:ancestryweb.org:/web/.well-known/acme-challenge'
#     'davs:davsuserid:davspassword:{DOMAIN}:443:/web/.well-known/acme-challenge'
#     'ftps:ftpuserid:ftppassword:ancestryweb.org:/web/.well-known/acme-challenge'
#     'ftpes:ftpuserid:ftppassword:ancestryweb.org:/web/.well-known/acme-challenge')

# Specify SSH options, e.g. non standard port in SSH_OPTS
# (Can also use SCP_OPTS and SFTP_OPTS)
# SSH_OPTS=-p 12345

# Set USE_SINGLE_ACL="true" to use a single ACL for all checks
#USE_SINGLE_ACL="false"

# Preferred Chain - use a different certificate root from the default
# This uses wildcard matching so requesting "X1" returns the correct certificate - may need to escape characters
# Staging options are: "(STAGING) Doctored Durian Root CA X3" and "(STAGING) Pretend Pear X1"
# Production options are: "ISRG Root X1" and "ISRG Root X2"
#PREFERRED_CHAIN="\(STAGING\) Pretend Pear X1"

# Uncomment this if you need the full chain file to include the root certificate (Java keystores, Nutanix Prism)
#FULL_CHAIN_INCLUDE_ROOT="true"

# Location for all your certs, these can either be on the server (full path name)
# or using ssh /sftp as for the ACL
#DOMAIN_CERT_LOCATION="/etc/ssl/ancestryweb.org.crt" # this is domain cert
#DOMAIN_KEY_LOCATION="/etc/ssl/ancestryweb.org.key" # this is domain key
#CA_CERT_LOCATION="/etc/ssl/chain.crt" # this is CA cert
#DOMAIN_CHAIN_LOCATION="" # this is the domain cert and CA cert
#DOMAIN_PEM_LOCATION="" # this is the domain key, domain cert and CA cert

# The command needed to reload apache / nginx or whatever you use.
# Several (ssh) commands may be given using a bash array:
# RELOAD_CMD=('ssh:sshuserid@server5:systemctl reload httpd' 'logger getssl for server5 efficient.')
#RELOAD_CMD=""

# Uncomment the following line to prevent non-interactive renewals of certificates
#PREVENT_NON_INTERACTIVE_RENEWAL="true"

# Define the server type. This can be https, ftp, ftpi, imap, imaps, pop3, pop3s, smtp,
# smtps_deprecated, smtps, smtp_submission, xmpp, xmpps, ldaps or a port number which
# will be checked for certificate expiry and also will be checked after
# an update to confirm correct certificate is running (if CHECK_REMOTE is set to true)
#SERVER_TYPE="https"
#CHECK_REMOTE="true"
#CHECK_REMOTE_WAIT="2" # wait 2 seconds before checking the remote server
```

3 Likes

Sorry about the formatting. I guess I should have used the preformatted option?

3 Likes

Please edit your long post to put three backticks above and below the contents, like this:

```
contents
```

3 Likes

Please upload a copy of ancestryweb.org.crt, but change the extension from .crt to .txt before uploading.

I'm finding it odd that there hasn't been a certificate generation recorded for months...

https://crt.sh/?q=ancestryweb.org

3 Likes

Nope.

The CA bundle is usually a collection of intermediate certificates generated by the CA with the topmost one being used to issue/sign millions of leaf certificates (like yours).

Yep.

3 Likes

I had been generating using something other than getssl for several years, and the last certificate generated is probably the last from then. When Let's Encrypt finally cut off the v01 protocol, I was forced to change and have been struggling to get it working since then. I'm surprised that you show no certificates generated in the last month because that is what I have been trying to do using getssl. I seem to be getting certificates, so I don't know why you are not showing any being generated. Maybe I still have something wrong in the cfg file and the certificate that is being generated is not for my domain name.

The following is the last cert that i generated using getssl:

2 Likes

:laughing:

:rofl:

:joy:

:dizzy_face:

You made my day, my friend. The reason that your certificate isn't appearing in the certificate transparency logs (and thus on crt.sh) is because it's a "fake" certificate issued by Let's Encrypt's staging environment.

https://redkestrel.co.uk/products/decoder/

Issuer C=US, O=(STAGING) Let's Encrypt, CN=(STAGING) Artificial Apricot R3

3 Likes
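The two cPanel errors quoted in this thread ("does not match the certificate" and "did not find the root certificate that corresponds to the ... intermediate") and the staging-issuer check above, as an added POSIX shell example that is not from the thread, getssl or cPanel. It builds a throwaway chain with openssl, so every name in it (Constructed Root, (STAGING) Constructed R3, example.test) is constructed and stands in for the real Let's Encrypt hierarchy.

```shell
#!/bin/sh
# Added example, not code from the thread, getssl or cPanel. Builds a constructed
# three-tier chain with openssl, then runs the checks behind the two cPanel errors
# quoted in the thread and the issuer check that exposed the staging certificate.
set -e
WORK=$(mktemp -d)
cd "$WORK"
printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext

# Constructed root (self-signed) and intermediate; the intermediate's CN imitates
# a staging issuer so the staging check below has something to find.
openssl req -newkey rsa:2048 -nodes -keyout root.key -out root.csr -subj "/CN=Constructed Root" 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -days 2 -extfile ca.ext -out root.crt 2>/dev/null
openssl req -newkey rsa:2048 -nodes -keyout int.key -out int.csr \
    -subj "/CN=(STAGING) Constructed R3" 2>/dev/null
openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -days 2 -extfile ca.ext -out int.crt 2>/dev/null
# Constructed leaf, issued by the intermediate.
openssl req -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
    -subj "/CN=example.test" 2>/dev/null
openssl x509 -req -in leaf.csr -CA int.crt -CAkey int.key -CAcreateserial \
    -days 2 -out leaf.crt 2>/dev/null

cat int.crt > chain.crt                      # intermediate only
cat int.crt root.crt > chain_with_root.crt   # what FULL_CHAIN_INCLUDE_ROOT adds

# "The CA bundle does not match the certificate": the bundle's first certificate
# must be the one that issued the leaf (leaf issuer hash == bundle top subject hash).
bundle_matches_leaf() {
    [ "$(openssl x509 -noout -issuer_hash -in "$1")" = \
      "$(openssl x509 -noout -subject_hash -in "$2")" ]
}
# "did not find the root certificate that corresponds to the ... intermediate":
# without -partial_chain, openssl verify also insists on a self-signed root in the bundle.
chains_to_root() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}
# A leaf from the staging hierarchy never verifies against public roots and never
# appears on crt.sh; the issuer name gives it away.
issued_by_staging() {
    openssl x509 -noout -issuer -in "$1" | grep -q '(STAGING)'
}

for bundle in chain.crt chain_with_root.crt; do
    printf '%-20s matches leaf: %-3s chains to root: %s\n' "$bundle" \
        "$(bundle_matches_leaf leaf.crt "$bundle" && echo yes || echo no)" \
        "$(chains_to_root leaf.crt "$bundle" && echo yes || echo no)"
done
issued_by_staging leaf.crt && echo "leaf.crt: issued by a (STAGING) CA, not publicly trusted"
```

The intermediate-only bundle passes the match check but fails the root check, which is the combination the original post hit; swapping in a bundle from a different issuer fails the match check instead.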

And here's your problem:

3 Likes

I edited for @stephening, but there's a lot of white space I can't seem to get rid of. :open_mouth:
Unless there's a delay in processing occurring here. :thinking:

4 Likes

Thanks so much for spotting that. I made that change in my cfg file and re-ran, and didn't get any certificates generated. Can you see if one was requested/generated on your end?

3 Likes

Thank you!

3 Likes

Did you get an error of some kind?

I'm assuming your top level configuration now looks like this:

```sh
# The staging server is best for testing (hence set as default)
#CA="https://acme-staging-v02.api.letsencrypt.org"
# This server issues full certificates, however has rate limits
CA="https://acme-v02.api.letsencrypt.org"
```

If you had a new certificate issued, it would usually appear in the certificate transparency logs within a few minutes:

https://crt.sh/?q=ancestryweb.org

3 Likes

You need to fix this in your top level configuration too:

It should be this:

```sh
# Uncomment this if you need the full chain file to include the root certificate (Java keystores, Nutanix Prism)
#FULL_CHAIN_INCLUDE_ROOT="true"
```

3 Likes