SSL activation for Noobs! B+ intermediate certificate issue


#1

Ok so i am a total noob and have been trying to figure out how to get ssl activated!

What i have done -

Obtain certificates from - https://www.sslforfree.com/
Added my own CSR and then got a certificate.

I use a free hosting through cpanel. There is an SSL/TLS manager where i could generate CSR and then i just pasted the certificate in the certificate block and i didnt use the ca bundle.

Now my issue is that i get a warning on android devices! https://www.ssllabs.com/ssltest/ gives a B+ with an error -

‘Chain issues Incomplete’

  1. extra download -Let’s Encrypt Authority X3
    Fingerprint SHA1: e6a3b45b062d509b3382282d196efe97d5956ccb
    Pin SHA256: YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg=
    RSA 2048 bits (e 65537) / SHA256withRSA

I have tried but have no idea how to get access to apche etc to modify indeterminate chains.

I am a total noob and all help will greatly be appreciated

Thanks :slight_smile:


#2

You mean you can put a “ca bundle” in your cPanel? Because if so you might want to put the “Let’s Encrypt Authority X3 (IdenTrust cross-signed)” (pem) in there.

Otherwise, you might want to make a “fullchain.pem” out of your certificate you got from sslforfree by and the intermediate cert mentioned above an put that in cPanel’s certificate place.


#3

No i cant put the ca bundle, sorry should have mentioned that! I didnt use it cause i cant put it in. I have 3 options under ssl - 1) private Key 2) CSR 3) Certificate … Do i really have an option or should i just move to a paid hosting ( last resort) I am open to moving to any other free hosting where i can get ssl working for free.


#4

can you paste the “fullchain.pem” file into the “Certificate” box ? (you need box 1 completed with the private key as well )


#5

The private key is probably filled already, as he has a CSR :wink:


#6

yup private key is filled since i generated it when i got the csr. Has anyone successfully used letsencrypt on these freehosting sites which give almost no access to the server.


#7

serverco- i have all boxes filled - CSR, Private Key and Certificate. Only issue is on android devices the https version of my page shows a not secure and gets a security warning. I did a ssllab test and seems to be incomplete chain. On research i found out it could be due to this missing - “SSLCertificateFile /etc/letsencrypt/live/[FQDN]/fullchain.pem” Now i dont know where or how to add this or as far as i think i dont have accesses since i am using a free webhost service.


#8

What file did you paste into the certifcate box ? just cert.pem? or fullchain.pem ?


#9

Umm, i dont know. Its the certificate.crt - -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----

i went to https://www.sslforfree.com/

i typed in my website domain and went through by uploading files in .wellknown and acmechallenege and it asked if i had a csr i ticked that and added my csr and then it gave me a certificate that looked like this -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----

i simply pasted that certificate in the certificate box in my webhost


#10

You also have the “ca bundle” ? or “fullchain.pem” ? which should be a combination of the “certificate” and the “ca certificate” (ie. all the certificates in a single file … it will contain more than one “-----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----”

Paste that combination into the “certificate box”


#11

yes i do have it, but when i try and paste the ca bundle into certificate i get an error saying - The certificate uploaded is NOT for the domain name


#12

did that “ca bundle” contain more than one “-----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----” ?

if not, then add both the “certificate” and the “ca bundle” combined - so it does contain more than one “-----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----”


#13

ok added both and got an error - It appears this certificate is in pem format / requires intermediates to function, this is not supported on free hosting. :frowning:


#14

If your host doesn’t support it, then I can’t help a lot I’m afraid. You need to talk to your host (or move to one that does).


#15

Any idea of a free host that supports ssl! Got ya man thanks a ton :slight_smile:


#16

Have a look at the list of hosts who support Let’s Encrypt There are a number of “free” hosts there.


#17

I checked every single host and none are free :frowning: If you could recommend any or should i end the hunt and just go for something paid?


#18

I don’t know your exact requirements - you could try one like onesite.co - I haven’t used them myself, but it’s free hosting that support Let’s Encrypt certs and use cpanel.


#19

Ok awesome will try it out :slight_smile: Honestly completely new to this and just need that secure padlock in green and need to be able to upload my website :stuck_out_tongue: :slight_smile: But thanks a lot you have been more then helpful already and i really appreciate your time :slight_smile:


#20

Hey serverco, I have made an account and been successful with the lets encrypt plugin but it still shows a unsecured warning in older android devices . after change of host my certificate has been upgraded to an A-
and the chains issues have disappeared.
please help
Thanks :slight_smile: