
SSL Certificate Installation Problem (GeoTrust)

picster
Hi everyone,

I have just bought an SSL certificate from GeoTrust using the Plesk "Buy Cert" button.
I completed the process at GeoTrust and bought a "GeoTrust - QuickSSL Premium" certificate.
When I log in to myplesk.com I can see my certificate, but I don't seem to be able to install it right.

When the purchase process was completed, I received an email from GeoTrust containing my "Your Web Server Certificate"
-----BEGIN CERTIFICATE-----
something
-----END CERTIFICATE-----

To find out how to install the certificate I searched in the Plesk User's Guide and found the topic "Obtaining and Installing SSL Certificates from GeoTrust, Inc. or GoDaddy"

As stated in the help guide I copied the certificate from the email to a file, and from the Domains > domain name > Certificates I clicked the "Browse" button and selected my certificate and clicked "Send File". When I did that I got the following error:

Error: Unable to find the appropriate private key for the certificate.

I do not know why it says the private key is not appropriate for the certificate, because when I clicked the Buy Cert button, the Plesk system created my certificate (www.cyberbit.com), containing a CSR and a Private Key, by itself, just as described in the user's guide. So I assume that the Plesk system has sent the CSR to GeoTrust, because I was not asked to fill in any CSR when I bought the certificate from GeoTrust as I usually am when buying the certificate manually.

I have spent several hours looking through this forum, googled and read user manuals to find out what I have done wrong but without success.

I am fairly certain that I have chosen the right certificate for my domain, when I go to Domains > cyberbit.com > Setup it states:
IP Address: 192.168.x.x Exclusive (1)
Certificate: www.somedomain.com (Repository of domain somedomain.com)
which is the certificate I bought and also the only certificate present, except for the plesk default.

If anyone has any ideas why I get this error it would be greatly appreciated.

Thanks
 
The easiest way to do this is to use the certificate handling features in the Server section, rather than in the individual domain section.

Make sure you have the following to hand: the certificate, the private key and the CA cert (if applicable to your cert)

Create a new key in the Server section and paste in the above three things.

Then in the domain itself, under Hosting Setup, select the certificate from the drop down.

I'm afraid I may have left out a step or so but that's the basic outline.


Faris.
 
The keys you mention, how do I create them?
I don't suppose I can just request a new CSR and Private Key, because then the CA certificate from GeoTrust will not work, right?
 
Ok, I reissued the certificate at GeoTrust and created a new CSR and Private Key in Plesk, and the CA certificate from GeoTrust was successfully added.

I added it in the Server section as you suggested, and I selected the certificate for my domain via Server > IP Addresses as this was the only place I could select my certificate for my domain.

When I go to the Hosting Setup of my domain, it shows that it is using the right certificate, but when I go to my website, it is not using the right certificate, in fact it is using a certificate that is not present in the Plesk system.

Can I somehow see what certificate it is using?
 
I have found the certificate on the server.

The certificate is named
SSLCertificateFile /usr/local/psa/var/certificates/cert-vw0Mcp

And contains the "BEGIN RSA PRIVATE KEY" and "BEGIN CERTIFICATE"
And both the RSA and the Certificate are the same as in Plesk.

I have checked the file:
/var/www/vhosts/mydomain.com/conf/httpd.include
to see if it really used the right certificate. Below is what is written in the above file:

SSLEngine on
SSLVerifyClient none
SSLCertificateFile /usr/local/psa/var/certificates/cert-vw0Mcp

So it should be using the right cert, but still when I try using ssl on the website it says that the certificate is self-signed and that it is only valid for mydomain.com and not www.mydomain.com (mydomain being my real domain name)

And I am 100% sure that I made it for www.mydomain.com, I have double checked it.

If I look at the details of the certificate in the browser, it says SomeOrganization and SomeOrganizationUnit as if it was a self signed certificate. I only have two certs in plesk, the one for my domain and the default used by plesk, and none of them has this info, the one I bought for my domain, has the right company info and real name, etc and the one for plesk has the usual plesk info.

If someone has any idea what is wrong it would be greatly appreciated, because I am really lost.
 
You could have copied and pasted the existing private key from the not-setup certificate you had created for the domain itself, but re-issuing is just fine :)

I think all you really need to do is restart apache (service httpd restart) to get it working now. Restart Plesk itself if need be.

Also, optionally, look at the settings for the IP address (again via Server) and try making the certificate the default certificate for the IP the domain is on.

Faris.
 
Restarted Apache?

I have checked the file:
/var/www/vhosts/mydomain.com/conf/httpd.include
to see if it really used the right certificate. Below is what is written in the above file:

SSLEngine on
SSLVerifyClient none
SSLCertificateFile /usr/local/psa/var/certificates/cert-vw0Mcp
Just for experiment’s sake – you have restarted your Apache, haven’t you?

What does the following command reveal?
Code:
openssl x509 -noout -text -in /usr/local/psa/var/certificates/cert-vw0Mcp
 
Just to update this post --- I had an interesting issue a few days ago. It isn't totally related to this (though it might be), but worth posting about anyway.

No matter what I did, I got a "CA Certificate does not sign Certificate" error in Plesk, whether I added the certificate via the domain or via the admin side of things.

Now, here's the key thing: If I ignored the error and tried to view the website via https://, I did not get a certificate error. I got a blank page.

In general what this means is that there really is a problem with the private key and the certificate -- they don't match.


It turned out that -- well, either I copied the wrong CSR when requesting the certificate, or the certificate issuing company got something wrong.

The solution was just to start again - I created a new CSR and got the certificate re-issued based on the new CSR. It installed with no problems at all.

Faris.

p.s. if you have two CA certificates, the order that they go in is important!
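
Added example, not part of any post in this thread: a shell sketch of the two checks the thread keeps circling around, namely whether a private key really belongs to a certificate (the "Unable to find the appropriate private key" error and the mismatch described above) and which certificate the web server actually presents. The function names are made up for this example; only standard openssl subcommands are used, and the host passed to served_cert_summary is whatever site is being checked.

```shell
#!/bin/sh
# Added example: verify that a private key belongs to a certificate by
# comparing the public key each one carries. Works on separate PEM files
# and on a combined key+cert file like the one described in the thread.

# SHA-256 of the public key embedded in a certificate.
cert_pubkey_hash() {
    local pub
    pub=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null) || return 2
    printf '%s\n' "$pub" | openssl sha256 | awk '{print $NF}'
}

# SHA-256 of the public key derived from a private key.
key_pubkey_hash() {
    local pub
    pub=$(openssl pkey -pubout -in "$1" 2>/dev/null) || return 2
    printf '%s\n' "$pub" | openssl sha256 | awk '{print $NF}'
}

# Returns 0 on match, 1 on mismatch, 2 if either file cannot be parsed.
key_matches_cert() {   # usage: key_matches_cert KEYFILE CERTFILE
    local k c
    k=$(key_pubkey_hash "$1") || return 2
    c=$(cert_pubkey_hash "$2") || return 2
    [ "$k" = "$c" ]
}

# Subject, issuer and fingerprint of the certificate a server presents.
# -servername sends SNI so the right virtual host answers.
served_cert_summary() {   # usage: served_cert_summary HOST [PORT]
    openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -subject -issuer -fingerprint -sha256
}

# Fingerprint of a certificate file, to compare with served_cert_summary.
file_cert_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$1"
}

# Optional command-line use: script.sh KEYFILE CERTFILE
if [ "$#" -eq 2 ]; then
    if key_matches_cert "$1" "$2"; then
        echo "key matches certificate"
    else
        echo "MISMATCH (or a file could not be read)"
    fi
fi
```

If the fingerprint from served_cert_summary differs from file_cert_fingerprint run on the file named in SSLCertificateFile, the running web server is not serving that file, which points to a stale configuration or a different virtual host answering rather than a bad certificate.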
 