I created a test certificate for a domain on my server (CentOS 7/cPanel). When I try to install the certificate, cPanel reports back the following error:
“The system did not find the Certificate Authority Bundle that matches this certificate.
Contact 'Fake LE Intermediate X1’ to obtain the Certificate Authority Bundle.”
I need to use test certificates while developing an application for my server or I will run into the rate limits after a few tests, but part of the process I’m working on is to have the server install the new certificate after it’s created. Is there a way to tell the server to accept the “test” certificates from LetsEncrypt?
That should be just after the Intermediate cert, which is copied over by the client, isn’t it? Or does it need the full root cert? If so, I think you can get it from:
curl http://cert.stg-root-x1.letsencrypt.org/ | openssl x509 -inform der -outform pem -text
Also, are you aware that cPanel has support for Let’s Encrypt directly? See https://blog.cpanel.com/announcing-cpanel-whms-official-lets-encrypt-with-autossl-plugin/ which may save you some work.
I’m not sure what you mean by “copied over by the client”. I’m using the ZeroSSL interface of le.pl and after calling it, I get a CSR, Private Key and Certificate generated for me.
The generated Certificate file does have two sections with -----BEGIN CERTIFICATE----- / -----END CERTIFICATE-----. I was able to install the generated Certificate file data directly using the cPanel API when I generated a “live” certificate file, but not when I generated “test” certificate. Then cPanel complains that it needs the CA bundle.
As explained on ZeroSSL (in the Read More section and on the last step of the process), for cPanel the resulting certificate file needs to be split in two, where the second part (the issuer’s cert) is what cPanel expects as the CA bundle. The same goes for AWS services and old Apache versions. If for some reason the root certificate is also required, it could indeed be downloaded as shown above by @serverco.
I split the certificate file and used the first part as the cert and the second part as the bundle in cPanel, but it gave the error:
Certificate bundle verification failed!
Verification Result [ stdin: CN = Fake LE Intermediate X1
error 20 at 0 depth lookup:unable to get local issuer certificate
I also tried getting the root cert that I downloaded from the link provided (and converted via openssl as described) but cPanel then gave a message “The CA bundle does not match the certificate.” as soon as I pasted it into the bundle field.
Is it possible that cPanel doesn’t want to import a certificate that doesn’t chain up to a publicly-trusted root CA?
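The split discussed in this thread, and the verification result it leads to, as an added example that is not part of the original posts. It uses a constructed throwaway root/intermediate/leaf hierarchy (the CA names and `test.example` are made up) in place of the staging chain, and assumes a verifier that behaves like `openssl verify` against the default trust store.

```shell
#!/usr/bin/env bash
# Added example; the three-tier CA below is constructed test data, not Let's Encrypt's.
set -e

# Build root -> intermediate -> leaf, plus a leaf+issuer file like the one described.
make_test_chain() {  # usage: make_test_chain DIR
  local d=$1
  printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj '/CN=Constructed Test Root' \
    -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj '/CN=Constructed Test Intermediate' \
    -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -extfile "$d/ca.ext" -days 2 -out "$d/int.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj '/CN=test.example' \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
    -CAcreateserial -days 2 -out "$d/leaf.pem" 2>/dev/null
  cat "$d/leaf.pem" "$d/int.pem" > "$d/fullchain.pem"
}

# First PEM block -> cert.pem (the certificate); the rest -> bundle.pem (CA bundle).
split_chain() {  # usage: split_chain FULLCHAIN OUTDIR
  awk -v d="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++ }
    n == 1 { print > (d "/cert.pem") }
    n >= 2 { print > (d "/bundle.pem") }' "$1"
}

# True only when `openssl verify` reports OK for the given arguments or stdin.
verifies() { openssl verify "$@" 2>&1 | grep -q ': OK$'; }

demo() {
  local d; d=$(mktemp -d)
  make_test_chain "$d"
  split_chain "$d/fullchain.pem" "$d"
  # Bundle alone: its issuer (the test root) is not in the default trust store.
  verifies < "$d/bundle.pem" && echo "bundle: OK" || echo "bundle: issuer not trusted"
  # Same bundle once the test root is supplied as a trust anchor.
  verifies -CAfile "$d/root.pem" < "$d/bundle.pem" && echo "bundle + root: OK"
  # Leaf chained through the bundle to the test root.
  verifies -CAfile "$d/root.pem" -untrusted "$d/bundle.pem" "$d/cert.pem" && echo "leaf: OK"
  rm -rf "$d"
}
demo
```

The first check fails for the same reason as the "unable to get local issuer certificate" output quoted above: the intermediate's issuer is a test root that no default trust store contains.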