i-MSCP 1.1.9 - SSL Bug

  • When i add an SSL Certifikate like in the Version before 1.1.9, i only get the Information:


    A certificate in your CA bundle is missing or invalid.


    It is a Side Seal Comodo SSL Certifikate, its not the first time i add an SSL Certifikate to I-MSCP. I do it like every time, Copy Past Crt, Copy Past Key, Copy Past CA Bundle, but with the newest Version it dont work.

  • Hello ;


    It's not a bug. You must provide the full CA chain (including the CA root file). Now, the full certificate chain is verified through GUI.

    badge.php?id=1239063037&bid=2518&key=1747635596&format=png&z=547451206

  • Re;


    Do you have searched on our forum already for this issue? I don't think and so, I'm repeating myself again due to your laziness :whistling:


    Most of the SSL providers do not provide the root certificate in the CA bundle because that certificate is already included in most browsers and also in your distro (with the ca-certificates package). Therefore, when you add your certificate manually by concatenating the private key, the certificate and the CA bundle, which is provided by your SSL provider, this works. However, to be able to validate the certificate signature through the GUI, the library must access the whole certificate chain (including the root certificate) which must be added at bottom of your CA bundle.


    You are using a comodo certificate so, for you, the CA root is the AddTrustExternalCARoot certificate:



    To resume, in the GUI

    • Add your private key in the private key input field
    • Add your certificate in the certificate input field
    • Add your CA bundle in the CA bundle input field
    • Add the root certificate (see above) at bottom of the CA bundle input field
    • Save the certificate

    Refs

    badge.php?id=1239063037&bid=2518&key=1747635596&format=png&z=547451206

  • ok, i think i am not the last one which ask for this problem. What is the case to make this workaround?


    Normally it is enough to add to the Apache vHost:
    SSLCertificateFile
    SSLCertificateKeyFile
    SSLCertificateChainFile


    With this Settings, at all devices it works fine. At your settings
    SSLCertificateFile
    SSLCertificateChainFile


    In the pase there were problems with mobile device. But if you split crt file and key file, there is no problem with mobile devices and using the normal chain file :)


    But ok, i will add this information to your dokumentations that all stuff Members know this case.

  • @MichaelSchinzel


    Just follow my instructions. The past stay the past. In the past, the certificate signature was validated on the backend side only (using the "openssl verify" command).
    It's now also done on the GUI side to avoid unless backend execution. The GUI doesn't have access to root certificates which are stored on your system (we are using an extra library for validation which do not allow to setup the path)...


    BTW: The change about the CA root certificate which must be included in the CA bundle has been clearly announced.


    About your advises in the way the certificate is setup in the vhost files


    We are using only one container which hold the private key, the certificate and the CA bundle and it's working like it should. Nothing at been changed at this level. Now if you say that when the private key is not in a separate file, SSL do not work on mobile devices, then, just create a ticket for that issue which will be addressed in next release. Do you get me?

    badge.php?id=1239063037&bid=2518&key=1747635596&format=png&z=547451206

  • Isn't it easier to copy all root certificates to the GUI Directory? So you have access to all validate root certificates and do the validation in php without changing the system of including certs.. :)

  • No, I'll not do that. It's really easy to add a certificate...

    badge.php?id=1239063037&bid=2518&key=1747635596&format=png&z=547451206

  • Yes but I thought it's easier for customers (not admins) without so much technical knowledge.. :)

  • It's not hard to add the CA root at bottom of the CA bundle input field... No need to be an expert...

    badge.php?id=1239063037&bid=2518&key=1747635596&format=png&z=547451206