Shared hosting / Bluehost


#1

So great work on the concept itself. IMHO everybody running a website nowadays needs to feel safe and secure in doing so.

To the point: I have everything up and running and get the green padlock on my website showing me it’s working. I used this generator (https://gethttpsforfree.com/) to get it all working and almost everything works like a charm.

Issue1
nvexx.nl -> when I click the green padlock on my website it’s telling me that it’s using an old cipher? However, Bluehost itself shows me (putty) that they do support all ciphers ( openssl ciphers -v “SSLCipherSuite !aNULL:!eNULL:!EXPORT:!DSS:!DES:!SSLv2:RC4-SHA:RC4-MD5:ALL” )

Issue2/3

https://www.ssllabs.com/ssltest/analyze.html?d=nvexx.nl

shows me
This server’s certificate chain is incomplete. Grade capped to B.
Chain issues: Incomplete

https://www.whynopadlock.com/check.php

shows me:
SSL verification issue (Possibly mis-matched URL or bad intermediate cert.). Details:
ERROR: cannot verify nvexx.nl’s certificate, issued by ‘/C=US/O=Let’s Encrypt/CN=Let’s Encrypt Authority X1’: Unable to locally verify the issuer’s authority.

I hope someone can point me in the right direction. Like I said the site does show the padlock and gives the all green/go in chrome. It’s just the two verification websites show me something is wrong somewhere.

EDIT1
running openssl s_client -connect ww*.nvexx.nl:443
shows several errors (stripped www from below because of spam protection?)

CONNECTED(00000003)
depth=0 CN = ww*.nvexx.nl
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = ww*.nvexx.nl
verify error:num=27:certificate not trusted
verify return:1
depth=0 CN = ww*.nvexx.nl
verify error:num=21:unable to verify the first certificate
verify return:1

Certificate chain
0 s:/CN=ww*.nvexx.nl
i:/C=US/O=Let’s Encrypt/CN=Let’s Encrypt Authority X1


No client certificate CA names sent
Server Temp Key: ECDH, prime256v1, 256 bits

Verify return code: 21 (unable to verify the first certificate)


#2

Hi,

I think you used the wrong chain file. Look at https://www.ssllabs.com/ssltest/analyze.html?d=suche.org
It is possible with LE to get the highest possible rating.
Search the forum for fullchain.pem.


#3

Hi tlussnig, I don’t have chain or pem files. Bluehost has a TLS/SSL manager that takes care of it all. I just entered the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- parts and the crt files get generated for me. So to complete the chain I need to copy&paste both into 1 crt?

EDIT1: so in short I can’t make a chained crt myself as I can only make 1 crt file at a time. Trying to chain them into one crt file can’t be done from the control panel. I can however do it via FTP.


#4

Hello @KillerSneak,

When you created your certificate using gethttpsforfree, at the end, you saw two certificates, Signed Certificate that is the certificate for your domain(s) and Intermediate Certificate that is the certificate for Let’s Encrypt CA.

If your hosting company doesn’t specify a field to upload the CA cert, then you should upload both of them using the cert field, so you need to concatenate your cert file and, after that, the Let’s Encrypt CA certificate, and you will get this:

-----BEGIN CERTIFICATE-----
MIIGBjCCBO6gAwIBAgISAYoHAaUUvdWE1/MpKfAgZ/X1MA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMTAeFw0xNTEyMjIxMTUxMDBaFw0x
NjAzMjExMTUxMDBaMBcxFTATBgNVBAMTDHd3dy5udmV4eC5ubDCCAiIwDQYJKoZI
hvcNAQEBBQADggIPADCCAgoCggIBAOC8M/GHynyFgN/jk3V5tlC1rhc8GAUW9wQl
N/rJLyweYxxF4P1SHrK2LnFg85b8R/3ntAkMxWz9dLlN2Xu7mN1fYUJzqXzrxwoK
6eB2n+OMbBKX17P137xhEhua0nLCbCATURhe2K0CLqNcM9eoN3bTrgB4kwbDwhHW
LsV7g8u5wdGZ+eVa1Thyunsu53rpLyTy7VZOUAEoTDsqF1bDVMt4/s7qrinGYZge
b9xTtrNW+v3fzAiS2nr5ES03w7he/MMBcaeQ2n/G2PdlpWtMVZegWjGS+HBdP4L8
u0iGiYlGfka8rc8TMd59XB+SsZbqu1up//+MnxUvig6+yLKZztSTqfybAlauBr+j
LZNhTLDGn+FUV9jDoBQ+KDkaVr2UyufVR46Cp00BS6nTpQmToxR8bgpMB/RuMTdp
kM0AvKj0KzC4qGhetUZla5tMOdZYYg+rNAAVA8IF/PHs4feVG+vO+GK1VQk5iS5C
eE6+qxuMqOay7S7ueZVTNb6ZgLePlwwziAoPcjBGIXZ5i323uLXXX8kK0fEO2W6O
um/63GdegsGj4AepjjDF33w4SPdtwv63UsEcDTzN+AV0S9K5UYPztcVTJUVr3ug8
ggMlKrNVeHEjvWkeuCPGzdaL88ymUZP9iDNZ57/aQ+qAwfyFo6AoIrb1CqBi65E9
D5cleLGhAgMBAAGjggIXMIICEzAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYI
KwYBBQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFFh9XZEm
axMg6MmiwtVdmttts8sMMB8GA1UdIwQYMBaAFKhKamMEfd265tE5t6ZFZe/zqOyh
MHAGCCsGAQUFBwEBBGQwYjAvBggrBgEFBQcwAYYjaHR0cDovL29jc3AuaW50LXgx
LmxldHNlbmNyeXB0Lm9yZy8wLwYIKwYBBQUHMAKGI2h0dHA6Ly9jZXJ0LmludC14
MS5sZXRzZW5jcnlwdC5vcmcvMCEGA1UdEQQaMBiCDHd3dy5udmV4eC5ubIIIbnZl
eHgubmwwgf4GA1UdIASB9jCB8zAIBgZngQwBAgEwgeYGCysGAQQBgt8TAQEBMIHW
MCYGCCsGAQUFBwIBFhpodHRwOi8vY3BzLmxldHNlbmNyeXB0Lm9yZzCBqwYIKwYB
BQUHAgIwgZ4MgZtUaGlzIENlcnRpZmljYXRlIG1heSBvbmx5IGJlIHJlbGllZCB1
cG9uIGJ5IFJlbHlpbmcgUGFydGllcyBhbmQgb25seSBpbiBhY2NvcmRhbmNlIHdp
dGggdGhlIENlcnRpZmljYXRlIFBvbGljeSBmb3VuZCBhdCBodHRwczovL2xldHNl
bmNyeXB0Lm9yZy9yZXBvc2l0b3J5LzANBgkqhkiG9w0BAQsFAAOCAQEAXL6Poe7C
PMMtpehJMs/eETLOzB8pNgc/3Z4dBuY+aNG/PpoeshIELYzJdOmzCk2HrnsmPmxb
QYz1ZoBBsQ+XiwuVynr3z9Cbs5y74PBjAH9znrDeietNYgUrripcIFVAw0DcfM0t
/z1UatjduZzVMRPH4FDwaJo3dd7GayZ9H8luaD5h5HRi9VDcrIEi9uUF1viUoqdo
I10M7bWBoo0yce00HngNkiMszmx9q/GxWKMDHNB04MMtJ+2x1K72JYbAWWJdWJUr
wqVaJbKGuSQ6/0Vkr8RO2E3HN8VGWNrXnEplqBPBZTm//eVekmNP/8jT9d1f9KEY
zBNE+ivatzJL7w==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
[body of the Let’s Encrypt Authority X1 intermediate certificate, not preserved in this copy of the page]
-----END CERTIFICATE-----

Note: the above is not just an example, it is your real cert (nvexx.nl & www.nvexx.nl) and the real cert for Let’s Encrypt CA.

If that doesn’t work, ask your hosting company what is the right procedure to upload them.

Cheers,
sahsanu


#5

I followed the instructions. The problem is I can’t upload it like above. If I enter it like this (chained) it only picks one, like it cuts off at the -----END CERTIFICATE----- part.

I can however change it via FTP and alter the CRT to contain both.

To make things clear my host does support uploading a crt / copy&pasting the above but only 1 part at a time. I can try to make my own crt file with both certificates in it to try and upload it as one.

I’ll get back on this asap. Thanks for the response/help.

EDIT1:
So I just tried to make a new crt file www.nvexx.nl.crt with the above code. Yet it cuts off at the first -----END CERTIFICATE----- so it doesn’t get the 2nd part from Let’s Encrypt (Intermediate Certificate).

EDIT2:
The main problem I’m facing is that I can’t access the webserver config.

<VirtualHost _default_:443>
ServerName foo.com:443
ServerAlias www.foo.com
DocumentRoot /var/www/foo.com/html
SSLEngine on
SSLCertificateFile /etc/ssl/certs/domain.crt
SSLCertificateKeyFile /etc/ssl/private/domain.key
SSLCertificateChainFile /etc/ssl/certs/intermediate.pem
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA
SSLHonorCipherOrder on
<Directory /var/www/foo.com/html>
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all
</Directory>
</VirtualHost>

I can’t enter that as my Host doesn’t allow it


#6

Hi @KillerSneak,

So, your hosting doesn’t allow you to upload a chained cert, your hosting doesn’t allow you to upload your domain cert plus an intermediate cert, your hosting doesn’t allow you to change your site web config… maybe you should try to find a new hosting company.

Did you contact your hosting provider to know what the right procedure is to upload a cert and the intermediate cert? If the answer you get from them is “you can’t” then, please, move your site to another hosting provider.

Cheers,
sahsanu


#7

Hi @sahsanu

My hosting does allow me to upload my domain cert
My hosting does allow me to upload the intermediate cert
My hosting does “Not” allow me to upload/enter a chained cert

I’m in contact with them now about this issue.


#8

Then I can’t see the problem: if your hosting allows you to upload the cert and the intermediate cert there should be no problem at all, you don’t need to upload a chained cert.


#9

@sahsanu

I’m lost as well. All I can see is that https://www.ssllabs.com/ssltest/analyze.html?d=nvexx.nl
still shows the chain is broken. Bluehost has installed the crt for me now but looking at the FTP it’s the same setup; the only difference is that the SSL/TLS manager produced the following files for me:

  • Let_s_Encrypt_Authority_X1_9cd30_dc393_1603146816_dbd6c5e7d438293887768a3bfb168259.crt
  • www_nvexx_nl_e0bc3_8b1a1_1458561060_f40541d48ba16c37430c625c77b0e52d.crt

After bluehost “installed the crt” it looked like:

  • Let_s_Encrypt_Authority_X1_9cd30_dc393_1603146816_dbd6c5e7d438293887768a3bfb168259.crt
  • www.nvexx.nl.crt

in the SSL folder. I have to wait a bit to “propagate” but I doubt it will change/work.


#10

It seems that the random part of the file name disappears because your hosting included it in your Apache conf, so they haven’t processed the Intermediate Cert yet.

In Apache 2.2 and Apache 2.4 (till version 2.4.8) they should use these directives to configure your certs:

SSLCertificateFile    /path/to/domain.crt
SSLCertificateKeyFile /path/to/private.key
SSLCertificateChainFile /path/to/intermediate.crt

From Apache 2.4.8, the SSLCertificateChainFile directive is deprecated (you can still use it if you want but it will disappear in future versions) so you need to put the cert and the intermediate cert concatenated in the same file using the directive SSLCertificateFile:

SSLCertificateFile    /path/to/domain+intermediate.crt
SSLCertificateKeyFile /path/to/private.key

Since you have no control over this config, the only thing you can do is wait for your hosting support’s answer because they are the only ones who can config your site properly.

Good luck :wink:
sahsanu
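The failure in post #1 (verify return code 21, “unable to verify the first certificate”) and the fix in posts #4 and #10 (the server must hand out the intermediate next to the domain cert, as one concatenated file on Apache ≥ 2.4.8) can be reproduced offline. The script below is an added example, not code from this thread, from Bluehost or from Let’s Encrypt: it builds a throwaway root → intermediate → leaf test PKI with openssl, shows that the leaf alone does not verify against the root, verifies it once the intermediate is supplied, builds the fullchain file in the leaf-then-intermediate order, checks that order by matching each certificate’s issuer to the next one’s subject, and checks that the private key belongs to the certificate (the real use of the `openssl rsa -pubout` command that comes up in post #20). The subject names, file names and 2-day validity are all constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the incomplete-chain failure
# offline with a throwaway test PKI, then build and check a fullchain file.
# All subjects and file names below are constructed for this example.
set -e

WORK=$(mktemp -d)
cd "$WORK"

# Build root -> intermediate -> leaf, the same shape as the Root / "Let's
# Encrypt Authority X1" / www.nvexx.nl chain in the thread. Keys are throwaway.
make_test_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
        -subj "/CN=Example Test Root" -keyout root.key -out root.pem >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=Example Test Intermediate" -keyout int.key -out int.csr >/dev/null 2>&1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > int.ext
    openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
        -days 2 -sha256 -extfile int.ext -out intermediate.pem >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=www.example.test" -keyout domain.key -out domain.csr >/dev/null 2>&1
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' > leaf.ext
    openssl x509 -req -in domain.csr -CA intermediate.pem -CAkey int.key -CAcreateserial \
        -days 2 -sha256 -extfile leaf.ext -out domain.crt >/dev/null 2>&1
}

# A client that trusts only the root and receives just the leaf: this is the
# "unable to verify the first certificate" (code 21) situation from post #1.
verify_leaf_only() {
    openssl verify -CAfile root.pem domain.crt >/dev/null 2>&1
}

# Same client, but the intermediate is available as an untrusted helper cert,
# which is what a correctly configured server sends alongside the leaf.
verify_with_intermediate() {
    openssl verify -CAfile root.pem -untrusted intermediate.pem domain.crt >/dev/null 2>&1
}

# Posts #4/#10: domain cert first, then the intermediate, in one PEM file.
build_fullchain() {
    cat domain.crt intermediate.pem > fullchain.pem
}

cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# A bundle is ordered correctly when each cert's issuer equals the next cert's
# subject. Output is stripped up to the first '=', so both the old
# ("subject= /CN=x") and the new ("subject=CN = x") openssl formats compare equal.
check_chain_order() {
    rm -f chain_*.pem
    awk '/-----BEGIN CERTIFICATE-----/{n++} {print > ("chain_" n ".pem")}' "$1"
    n=$(cert_count "$1")
    i=1
    while [ "$i" -lt "$n" ]; do
        issuer=$(openssl x509 -in "chain_$i.pem" -noout -issuer | sed 's/^[^=]*=//')
        subject=$(openssl x509 -in "chain_$((i + 1)).pem" -noout -subject | sed 's/^[^=]*=//')
        [ "$issuer" = "$subject" ] || return 1
        i=$((i + 1))
    done
    return 0
}

# The public key inside the cert must equal the public key derived from the
# private key you upload; a mismatch is a common reason an upload is rejected.
key_matches_cert() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl rsa -in "$2" -pubout 2>/dev/null)" ]
}

make_test_pki
if verify_leaf_only; then
    echo "leaf verified on its own (unexpected)"
else
    echo "leaf alone: verify failed, as in post #1"
fi
verify_with_intermediate && echo "leaf + intermediate: verify OK"
build_fullchain
echo "fullchain.pem contains $(cert_count fullchain.pem) certificates"
check_chain_order fullchain.pem && echo "fullchain.pem order is leaf -> intermediate"
key_matches_cert domain.crt domain.key && echo "domain.key matches domain.crt"
```

Against a live site the same check is `openssl s_client -connect host:443 -showcerts`: the “Certificate chain” section should list the leaf at position 0 and the intermediate at position 1, which is exactly what was missing in the post #1 output. `openssl verify` exits non-zero on failure only from OpenSSL 1.0.2 onwards; on older builds check the printed result instead of the exit status.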


#11

It’s finally working now.

  • www.nvexx.nl.crt
  • www.nvexx.nl.cabundle

is the naming setup they use. Just spent another 45 minutes on live chat with them and they managed to fix it. Green locker on mobile / desktop and no more broken chain.

Thanks for taking the time to explain. I gave them a link to your page/answer maybe it helped in making things more clear for them while I was chatting with support.


#12

Glad you got it working ;). Now I can see that your site gets an A in the ssllabs test which is pretty fine.

Merry Christmas
sahsanu


#13

@sahsanu

Merry Christmas to you as well. I could try to get A+ but don’t know where to start. I’ll start to read up on how to get the best out of it all.

For now I’m glad it’s working and running fine on desktop and mobile.


#14

To get A+ you need to add the HSTS header in Apache, something like this:

Header always set Strict-Transport-Security "max-age=17280000"

But as I said, this is something that should be configured in Apache and I don’t know if you can do that without the support of Bluehost. By the way, keep in mind that once this header is set, the first time a browser reaches your https site, next time it will try to connect directly to the https:// version, even if the browser bar specifies http://, so maybe it is something that you don’t like.

Take a look at this link

Cheers,
sahsanu


#15

Hi,

I already have it enabled (just now) via the htaccess with

<IfModule mod_headers.c>
Header set Strict-Transport-Security "max-age=10886400; includeSubDomains; preload"
</IfModule>

For HSTS Preloading to work I have to get added to the list maintained by Chrome? The way I have set up the websites, also for clients, everything will be https://www.*domain

Using https:// is the future and most secure so I won’t be going back to http:// at all.

Only other thing I can think of is the “Cipher Strength”, as when I click on the green locker on my website/domain it tells me an old/deprecated cipher is used?


#16

@KillerSneak Great work getting this done. I’ve got bluehost too and was just going to tackle this.

Any chance you could do a quick brain dump on the steps to getting this working with Bluehost? I’m sure a lot of us would be very appreciative!


#17

@burhop

I was planning on a short how to but this is a great start https://gethttpsforfree.com/ <- I used this setup/generator to get the certificates.

In essence it comes down to renaming the domain.crt and intermediate.pem to
www.*yourdomain.com.crt <- domain.crt
www.*yourdomain.com.cabundle <- intermediate.pem

And putting them in the /ssl/certs folder via FTP

In the bluehost CPanel you can use the SSL/TLS Manager for

  • Private Keys (KEY) Generate, view, upload, or delete your private keys.

  • Certificate Signing Requests (CSR) Generate, view, or delete SSL certificate signing requests.

Just don’t use the 3rd one to set the CRT/upload your certificates -> use FTP to upload them to the /ssl/certs folder.

I know this is a bit quick as I’m in the middle of putting my daughter to sleep.

I hope in the next few days I can write up a better how-to as I need to get more websites updated to Let’s Encrypt SSL.


#18

This is good. Thanks for the quick reply. I’ve been down this path before so even this short answer is good for me :slight_smile: I’m typing in the info for https://gethttpsforfree.com/ now.

I signed my own certificate a while back (I’m cheap) so I’m looking forward to swapping it out for one that doesn’t give scary messages to my visitors :slight_smile:


#19

Keep in mind that to get A+ the max-age should be at least 180 days (15552000), you used 10886400 (120 days) so you won’t get A+.

Yes, you should add it to the list, but check carefully the requirements.

Quoting KillerSneak (post 15):
> Only other thing I can think of is the “Cipher Strength” as when I click on the green locker on my website/domain it tells me an old/deprecated Cipher is used?

I see that your site still has SSL2 activated but doesn’t offer any cipher for it, strange. Anyway, you should modify the cipher list offered by Apache; on this page you will get conf examples for different web servers, versions and the type of cipher suite you want (modern, intermediate & old).

Also, take a look at this page for more info.

Cheers,
sahsanu
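Posts #14, #15 and #19 turn on three details of the Strict-Transport-Security value: the max-age (180 days, 15552000 seconds, is the A+ threshold quoted in post #19), includeSubDomains, and preload. The checker below is an added example, not code from this thread or from SSL Labs: it normalises a header value, extracts max-age, tests for each directive, and applies the A+ threshold from post #19 plus the hstspreload.org submission minimum (at least one year, 31536000 seconds, with includeSubDomains and preload). The two header values it runs on are the one from post #15 and the one suggested in post #14.

```shell
#!/bin/sh
# Added example (not from the thread): parse a Strict-Transport-Security
# header value and check it against the thresholds discussed in the thread.
set -e

# 180 days in seconds: the A+ minimum quoted in post #19.
APLUS_MIN_AGE=15552000
# hstspreload.org submission minimum: one year, plus includeSubDomains and preload.
PRELOAD_MIN_AGE=31536000

# Normalise a header value: lowercase, no whitespace, one directive per line.
hsts_directives() {
    printf '%s\n' "$1" | tr 'A-Z' 'a-z' | tr -d ' \t' | tr ';' '\n' | sed '/^$/d'
}

# Print the numeric max-age, or nothing when the directive is missing.
hsts_max_age() {
    hsts_directives "$1" | sed -n 's/^max-age=\([0-9][0-9]*\)$/\1/p' | head -n 1
}

# Usage: hsts_has_directive "<header value>" includesubdomains
hsts_has_directive() {
    hsts_directives "$1" | grep -qx "$2"
}

# Succeeds when max-age is present and at least 180 days.
hsts_meets_aplus() {
    age=$(hsts_max_age "$1")
    [ -n "$age" ] && [ "$age" -ge "$APLUS_MIN_AGE" ]
}

# Succeeds when the value satisfies the preload-list submission requirements.
hsts_meets_preload() {
    age=$(hsts_max_age "$1")
    [ -n "$age" ] && [ "$age" -ge "$PRELOAD_MIN_AGE" ] \
        && hsts_has_directive "$1" includesubdomains \
        && hsts_has_directive "$1" preload
}

# One line per check; returns 0 only when every check passes.
hsts_report() {
    status=0
    printf 'header: %s\n' "$1"
    printf '  max-age: %s\n' "$(hsts_max_age "$1")"
    if hsts_meets_aplus "$1"; then
        echo "  max-age >= 180 days (A+): yes"
    else
        echo "  max-age >= 180 days (A+): no"; status=1
    fi
    if hsts_meets_preload "$1"; then
        echo "  preload-list requirements: met"
    else
        echo "  preload-list requirements: not met"; status=1
    fi
    return $status
}

# Constructed inputs: the value from post #15 and the one suggested in post #14.
POST15='max-age=10886400; includeSubDomains; preload'
POST14='max-age=17280000'

hsts_report "$POST15" || true
hsts_report "$POST14" || true
```

The normalisation step (lowercase, whitespace stripped) matters because directive names are case-insensitive and servers vary in spacing; a checker that greps for the literal `includeSubDomains` would miss `includesubdomains`. Raising max-age is the cheap part; submitting to the preload list is hard to undo, so it belongs after the https://www.* setup described in post #15 has been confirmed on every subdomain.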


#20

Hi, I am also a Bluehost user and am attempting to set up SSL on my site. How did you get the public key? I cannot find it in cPanel and it gives me an error via SSH.

OpenSSL> rsa -in account.key -pubout
Error opening Private Key account.key
140100725749576:error:02001002:system library:fopen:No such file or directory:bss_file.c:398:fopen('account.key','r')
140100725749576:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400:
unable to load Private Key
error in rsa

Any help would be much appreciated…

Update:
I reached out to BlueHost and they said that they do not provide a Public key, but https://gethttpsforfree.com/ does now allow you to proceed with only a Certificate Signing Request. How did you bypass this?