SSL certificates for cPanel and other users - now focusing on Let's Encrypt (previously focused on StartCom StartSSL certificates).

Unfortunately, the major browsers have decided to no longer trust StartCom/StartSSL SSL certificates. Is it really about security, or is it about SSL Certificate Authorities exerting their financial market authority. One has to wonder. So now, for the moment, it's Let's Encrypt., viable but a hassle IMHO. C'mon guys, really? It's just an SSL certificate, and even the purchased ones are as good as the green curtain that hides the Great Wizard of Oz. It's really about whether or not you trust the site you are putting your credit card or whatever into. Hoohaw!

Until they get things sorted out, I'm going to be using very affordable DV (domain-validated) Comodo PositiveSSL certificates from cheapsslsecurity and then looking at Let's Encrypt and related ACME solutions for free certificates.

StartCom (Formerly StartSSL) provides free SSL certificates, there is now no reason to not use signed certificates. In the past, I used self-signed certificates for non-public facing admin services. However, the warning caused problems because users and clients would still worry. I will note that it can be a little confusing, especially since it uses a chained certificate but that's why I keep these notes updated. As of 11.48 (perhaps before), cPanel handles chaining directives much better now. And now (early 2017), it appears that cPanel will automatically generate and install certificates for your server (need to find the setting)

StartSSL Note: Starting in either late 2014 or early 2015, StartSSL issued a new Class 1 Intermediate CA certificate, using SHA256 (since SHA1 is now considered insecure). However, anyone using StartSSL certs prior will have issues with later Chrome browsers (40+, depending on the OS) which will report a problem since the old intermediate certificate (SHA1) is still cached in the browser's certificate store and will confuse the browser (don't ask me why, I'm clueless about that part, and still awaiting an answer). 

Testing SSL Certificates

Test SSL (TLS) Certificates: ImmuniWeb | SSLShopper | DigiCert (only one that tests FTP over explicit TLS) | GeoCerts (HTTPS only) | BlueSSL | Manual Diagnosis | Test Browser Root CA Compatibility | SSL/TLS Certificate Decoder | Browser Support Test 

cPanel Service Certificates

Let cPanel do this for you automatically as of April 2017 (or earlier). Nice.

Generate a SSL Certificate and Signing Request and install similar to Client Account certs below (this will do the main site only, but not services)

Install SSL certificates for cPanel services (WHM -> using Service Configuration -> Manage Service SSL Certificates). In the CAbundle, put both the intermediate and root CA certs in there (in that order). All should be good.

They still weren't quite working from a chaining standpoint (they do but digicert checker shows them out of order). Certificates are in /var/cpanel/ssl (at least as of 11.32,  and still as of 11.48). To make them work correctly for chained services:

• HTTPS (443) - uses certificates in /etc/ssl/certs, replace the hostname.domain.com.crt certificate with the one received from the CA (and the intermediate if necessary). edit <apache>/conf/includes/post_virtualhost_global.conf per the host stuff below (no longer necessary as of 11.48, perhaps before, as directives are now in the )
• WHM (2087), cPanel (2083), WebMail (2096) - edit ./cpanel/mycpanel.pem, add certs (in this specific order): RSA private key (.key file); signed cert (.crt file), ca-intermediate-cert (startssl's sub.class1.server.ca.pem), ca-public-cert (startssl's ca.pem). mycpanel.cabundle should be okay, but it should contain both the intermediate and root CA certificates in that order; restart the cpanel service.
• SMTP (465, 587, 25) - exim (or could be postfix) - edit ./exim/myexim.crt, add certs (in this specific order): signed cert (.crt file), ca-intermediate-cert (startssl's sub.class1.server.ca.pem), ca-public-cert (startssl's ca.pem); restart the exim service; not sure about the 587 port
• IMAP (993), POP (995) - dovecot (or courier) - edit ./dovecot mydovecot.crt, add certs (in this specific order): signed cert (.crt file), ca-intermediate-cert (startssl's sub.class1.server.ca.pem), ca-public-cert (startssl's ca.pem); restart the dovecot service
• FTP (990, 989): myftpd-rsa-key.pem includes the private key; myftp-rsa.pem includes the signed certificate, ca-intermediate-cert, and the ca cert; pure-ftpd.pem includes both sets of info in a single file; also have to setup ports 30000
• I previously (prior to 11.48/2015) had to put both the intermediate and root CA certs together as the cabundle but now only the intermediate. Order does seem to matter. Need to test further.

cPanel Client Account SSL Certificates:

Generate SSL certificate for SUB.domain.com using STARTSSL:

• Use cPanel SSL/TLS Manager to generate Certificate Signing Request (CSR): use SUB.domain.com, use passphrase.
• Copy the output
• Use STARTSSL Certificates Wizard -> Web Server SSL/TLS Certificate - enter info
• You get PEM, which is Signed Certificate (CRT), used in cPanel
• In cPanel, Manage SSL Hosts, choose domain, then enter PEM into CRT, Private Key (from signing), and enter the Intermediate (and perhaps Root CA .pem) file into the CABUNDLE.

Notes:

• Best to use from client's cPanel so SSL certs are stored in their account (/home/account/ssl) instead of the root account (/var/cpanel/ssl/installed).
• if re-installing, then may need to delete first, then re-enter (had to do this to get StartSSL intermediate cert installed)

SSL Certificate Authorities

These are certificates signed by Certificate Authorities and usable on the web to provide SSL without any questions about the certificates. There are a number of vendors, but these days, most work pretty well.

• StartCom (formerly Start SSL) - Free SSL certificates and more
• SecureSSL (starts at $49/year, uses Comodo chain)
• Comodo (starts at $139)
• XRamp Technologies (starting at $128/year)
• Thawte (starts at $199/$159 renewal)
• Verisign (the original and most expensive)

Installation

The process should be the same for new and renewals, to some degree.

• Using WHM, generate a SSL certificate and signing request for the HostInQuestion.
  • 3 Keys are generated to the screen: KEY (RSA), CSR (Certificate Signing Request), CRT (Self-Signed Request)
  • Optional (not recommended): you can be e-mailed a set of keys: CSR and RSA (Private Key)
  • Files are created in ./certs and ./private for the domain and domain.xxxxxxxxx where x is some number (I think we can get rid of those "extras")
    • ./certs/<server>.crt is the screen CRT and NOT e-mailed (the .xxxxxxxxx is unknown)
    • ./certs/<server>.csr is the screen CSR and IS e-mailed (the .xxxxxxxxx is unknown but e-mailed, too)
    • ./private/<server>.key is the screen RSA and IS e-mailed (the .xxxxxxxx and .old.xxxxxxxxx are unknown but e-mailed, too)
• The SSL Issuer will need the CSR.
• The Certificate Authority will provide the other pieces to enter into the server. Follow their instructions. (You may need to install intermediate certificates aka ca-bundles per their instructions).

For StartSSL certificates, you also have to add the apache chain directives/ca-bundle into the equation (httpd.conf host directives): I added this to /includes/post_virtualhost_global.conf (for the primary certificate). No longer needed (as of 11.48 for me, perhaps before)

<VirtualHost aaa.bbb.ccc.ddd:443>
ServerName hostname.domain.com
DocumentRoot /usr/local/apache/htdocs
ServerAdmin admin@domain.com
UseCanonicalName Off
<IfModule mod_suphp.c>
suPHP_UserGroup nobody nobody
</IfModule>
SSLEngine on

SSLCertificateFile /etc/ssl/certs/server.domain.com.crt
SSLCertificateKeyFile /etc/ssl/private/server.domain.com.key
SSLCertificateChainFile /etc/ssl/certs/startssl.sub.class1.server.ca.pem
SSLCACertificateFile /etc/ssl/certs/startssl.ca.pem
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
<Directory "/usr/local/apache/htdocs/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
</VirtualHost>

I also had to figure out hot to do chaining for the main server FQDN for WHM/cPanel. Per this article, in /usr/local/cpanel/etc/mycpanel.pem, I placed the certs in order: Signed Cert, Intermediate Keys, Private Key, thus CRT, SUB.CLASS1, CA (Bundle), KEY. I restarted cPanel. (that order is likely incorrect, try chain order: private key, signed certificate, intermediate certs - if any, root CA cert). Test it with command line SSL certificate test: 'openssl verify -CAfile mycpanel.pem mycpanel.pem'. 

Deletions / Revocations

If you need to revoke a certificate, contact your certificate authority for a revocation request.

theNoise SSL Certificate Authority (now Obsolete)

theNoise uses a self-signed certificate for communication via SSL to our servers. Each server's shared IP has a single certificate associated with it for SSL. All clients on the shared IP will use this certificate. If they want to stop getting the pop-up errors, they will need to download and install the public certificate for theNoise.

Directories:

• Certificate Authority: /etc/ssl (old /usr/share/ssl)
• Cpanel Certifications: /var/cpanel/ssl

Commands (that I made):

• createcert: openssl req -new -keyout newkey.pem -out newreq.pem -days 365 -config openssl.cnf
• catkeys: cat newreq.pem newkey.pem > new.pem
• signcert: openssl ca -policy policy_anything -out newcert.pem -config openssl.cnf -infiles new.pem

Initial Setup/Configuration

• the certicates get signed using the CA on the main server - server.noise.org - in the directory /usr/share/ssl/
• Using WHM, generated a SSL certificate and signing request for the HostInQuestion. (used Host: serverX.noise.org, Country: US, State: Texas, City: Austin, CompanyName: theNoise, CompanyDiv: Headquarters, e-mail: admin@noise.org, PW: PEM passphrase).
  • 3 Keys are generated to the screen: KEY (RSA), CSR (Certificate Signing Request), CRT (Self-Signed Request)
  • You will be e-mailed a set of keys: CSR and RSA
  • Files are created in ./certs and ./private for the domain and domain.xxxxxxxxx where x is some number (I think we can get rid of those &quot;extras&quot;)
    • ./certs/<server>.crt is the screen CRT and NOT e-mailed (the .xxxxxxxxx is unknown)
    • ./certs/<server>.csr is the screen CSR and IS e-mailed (the .xxxxxxxxx is unknown but e-mailed, too)
    • ./private/<server>.key is the screen RSA and IS e-mailed (the .xxxxxxxx and .old.xxxxxxxxx are unknown but e-mailed, too)
  • Generate a key using the CA using the createcert command (creates newkey.pem and newreq.pem)
  • Upload the CSR to the ssl directory as newreq.pem (replacing the one just generated).
  • CAT the two files using the catkeys command.
  • Sign the certificate using the signcert command. PEM passphrase for this is the CA passphrase. This generates the signed certificate newcert.pem.
  • Using WHM, Install a SSL Certificate and Setup the Domain, enter the domain (servername). I think the username is the name on the account. After tabbing out of the field it will load the CRT and RSA, and IP address. The CRT should be replaced with the certificate contained in newcert.pem. The key is the RSA private key generated in the signing request.

Renewals

• Generate a new key on the server using WHM. Save all that stuff for usage later.
• Generate a key using the CA using the createcert command (creates newkey.pem and newreq.pem)
• Upload the CSR to the ssl directory as newreq.pem (replacing the one just generated).
• CAT the two files using the catkeys command.
• Revoke the previous certificate. First, find the previous certificate in the certs directory. It will be server.domain.com.crt.1234567890. Revoke using the openssl ca -config openssl.cnf -revoke certs/server.domain.org.crt.1234567890 command.
• Sign the certificate using the signcert command. PEM passphrase for this is the CA passphrase. This generates the signed certificate newcert.pem.
• Using WHM, Install a SSL Certificate and Setup the Domain, enter the domain (servername). I think the username is the name on the account (root worked for the server.noise.org domain). After tabbing out of the field it will load the CRT and RSA, and IP address. The CRT should be replaced with the certificate contained in newcert.pem. The key is the RSA private key generated in the signing request.