"The certificate is not valid" on cpanel

I'm kind of training myself with CertSage and cPanel to get familiar with certificate installation.
Upon pasting the certificates in the related cpanel textarea, though, I get the problem mentioned in the subject. Why?

Thanks in advance!

Andrea

3 Likes

Maybe you're trying to upload the staging certificate instead of a cert from the production environment?

9 Likes

Good idea, but I just checked and it's not a staging cert, looks good to me.

8 Likes

No, I'm not. I tried anyway both with staging and production. Could it ever be possible to configure cPanel to make it reject free certificates?

Thanks!

Andrea

2 Likes

I don't know. Maybe? That's probably something you could ask your hosting provider.

Also, I noticed the CertSage instructions say to upload only the first certificate in certificate.crt, but maybe your cPanel requires the entire certificate chain?

9 Likes

Welcome to the Let's Encrypt Community, @AppLEaDaY! :slightly_smiling_face:

I'm the author of CertSage.

As long as you're using CertSage version 1.2.0, you needn't ever worry about accidentally installing staging certificates since they're never actually saved to disk.

Make certain when pasting your certificate that you're including the header (begin) and footer (end) lines of your certificate. The same goes when pasting your certificate's key.

I'm suspecting this is likely the crux of the issue:

Do you have a CA bundle/certificate box in your panel? If so, paste the second certificate from certificate.crt in that box.

11 Likes

Hello, griffin!

I had no luck...

@Osiris, is that what you meant for entire certificate chain?

Thanks!

Andrea

3 Likes

Please make very certain that you're exactly following the instructions that I wrote. In particular, check to be sure you've done this:

15. Select your domain name in the drop-down list.

There are three certificates in certificate.crt in this order:

  1. Your leaf certificate signed by R3
  2. R3 signed by ISRG Root X1
  3. ISRG Root X1 signed by DST Root CA X3

When we say "your certificate", we mean the first certificate in that list.

When we say "CA bundle" or "intermediate certificates", we mean the second and third certificates in that list.

When we say "the full certificate chain", we mean all the certificates in that list.

For the certificate box, you should only paste the first certificate from certificate.crt into the box.

For the CA bundle box, you can choose to do any one of the following:

  • Leave the box blank to let cPanel fill it in
  • Paste only the second certificate from certificate.crt into the box to use the "short chain"
  • Paste both the second and third certificates from certificate.crt into the box to use the "long chain"

The first choice is usually the best. The second choice usually produces the same effect as the first choice. The third choice can be problematic with some versions of cPanel.

8 Likes

I'm really grateful to you and at the same time embarrassed for the evidence of ignorance I just showed.
The first choice was successful, so I stopped there.
Next step will be trying to place a more recent certificate in the same path and with the same name as the certificate I've just installed. I wonder if such a trivial action will be ever enough to automate the renewal process...

Many thanks!!!

Andrea

3 Likes

No need to be embarrassed. :slightly_smiling_face:

The process can seem rather convoluted the first time around. Now that you've succeeded :partying_face:, it should be much easier going forward.

Once I have enough spare time, I'm going to create a separate PHP script that will install the certificate in cPanel for you, so that you won't need to go through that arduous process.

8 Likes

@griffin In the meantime, maybe CertSage could split the full chain sent by the ACME server into the separate cert and chain and present them to the user? Although it could complicate stuff for people who just require the entire chain.

7 Likes

I did that at one point in time. I switched to the current "combined" method to simplify the code by simply dumping the entire acquisition response into certificate.crt. For full disclosure, the simplification was driven by the fact that the original regular expression for parsing the certificates in the acquisition response could only handle two certificates. When the "long chain" was first issued, this immediately broke CertSage, so I switched to the current method as a quick fix.

7 Likes

Do you want me to try correcting it?

8 Likes

Thanks much for the offer, truly, but it would be redundant at this point. :slightly_smiling_face:

I originally (like most of the planet) just never conceived of receiving multiple intermediate certificates. I did correct the regex later to handle N certificates, but since I found that the extra file usually only served the purpose of not needing to specify the copying of only the first certificate in certificate.crt (which would probably be more aptly named certificates.crt), I decided that it wasn't worth switching back to the more complex code since the simpler code could handle literally anything that Let's Encrypt could ever put on the wire. I will likely need to revisit the split concept when writing the cPanel installer though, so this will resurface soon. I'll honestly probably just use a regex that only captures the first certificate anyhow since I believe that the installation command only needs the leaf certificate to mirror the first choice above for the CA bundle box.

8 Likes
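Added example, not part of any post in this thread and not CertSage's code: a Python sketch of the split discussed above, which separates a combined certificate.crt into the text for cPanel's certificate box and its CA bundle box for each of the three choices (blank, short chain, long chain), and rejects a paste that lost its BEGIN/END lines. The function names and the placeholder certificate bodies are assumptions made for illustration.

```python
import base64
import re

# One complete PEM certificate block, header and footer lines included.
PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n"
    r"(?:[A-Za-z0-9+/=]+\r?\n)+"
    r"-----END CERTIFICATE-----"
)

def split_chain(pem_text):
    """Return every certificate block in file order (leaf first), for any N."""
    blocks = [m.group(0).replace("\r\n", "\n") + "\n"
              for m in PEM_CERT.finditer(pem_text)]
    # Whatever is left once whole blocks are removed is a truncated block,
    # e.g. a certificate pasted without its BEGIN or END line.
    leftover = PEM_CERT.sub("", pem_text).strip()
    if not blocks or leftover:
        raise ValueError("input is not a clean sequence of PEM certificates")
    return blocks

def cpanel_fields(pem_text, chain="blank"):
    """Return (certificate_box, ca_bundle_box) for the chosen bundle option."""
    certs = split_chain(pem_text)
    leaf, intermediates = certs[0], certs[1:]
    if chain == "blank":      # leave the box empty, cPanel fills it in
        bundle = ""
    elif chain == "short":    # second certificate only
        bundle = "".join(intermediates[:1])
    elif chain == "long":     # every certificate after the leaf
        bundle = "".join(intermediates)
    else:
        raise ValueError("chain must be 'blank', 'short' or 'long'")
    return leaf, bundle

def fake_cert(label):
    # Constructed placeholder body; this is not a real certificate.
    body = base64.b64encode((label * 3).encode()).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

# Constructed stand-in for certificate.crt: leaf, then two issuer certificates.
SAMPLE = "".join(fake_cert(name) for name in ("leaf", "R3", "ISRG Root X1"))
```

The check is purely structural: it confirms the PEM framing is intact but does not parse the certificates or verify that each one is signed by the next.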

Sounds good! I typically use a string split to decouple certificates, though I've sometimes used a regex to find the indexes in the string. I've been meaning to try and get everything done via regex lately, as my knowledge/skills recently improved after fixing a few edge cases on a project and realizing people on StackOverflow are often stupid/lazy/wrong and one can easily accomplish a whole lot of things that community thinks are impossible.

8 Likes

It always feels good to improve one's skillz and share that benefit with others. :blush: I find that regex, while a bit slower and less flexible to change, does wonders for sanity checking and assurance of format. The amount of silly things posted on StackOverflow through which one needs to wade to get to a nugget of usefulness can often be astounding. I find the skill needed there is to be able to recognize a true solution when you see it. That research ability, to me, differentiates the engineers from the hacks.

8 Likes
