Adding SSL certificates


#1

I’m trying to install SSL certificates onto a dedicated server running Symbiosis.

I’ve followed the instructions here about getting a new IP address, creating the config/ip file etc. My new IP address, if pasted into the browser, resolves to the correct site.

I then followed these instructions about generating the SSL key and certificate request.

I’ve been and purchased a certificate and downloaded the certificates locally. I have

random-numbers.crt
AddTrustExternalCARoot.crt
COMODORSAAddTrustCA.crt
COMODORSADomainValidationSecureServerCA.crt

I’ve made ssl.bundle with the contents of the following files, in this order:

COMODORSADomainValidationSecureServerCA.crt
COMODORSAAddTrustCA.crt
AddTrustExternalCARoot.crt

including the -----BEGIN CERTIFICATE----- & -----END CERTIFICATE----- for each one.

I’ve renamed random-numbers.crt as ssl.crt and uploaded both to /srv/mysite/config.

When I visit https://mysite.tld I get a warning that the connection is untrusted because:

https://mysite.tld uses an invalid security certificate.
The certificate is not trusted because it is self-signed.
The certificate is only valid for mydedicatedservername.dh.bytemark.co.uk

What am I doing wrong or missing here?


#2

Hey @bewitchedweb: I’ve literally just been struggling with the same thing!

Thankfully you got further than me, as I neglected to get an IP address first-time around… I’m all setup now thanks to some tips from @pcherry.

First, confirm you have the three relevant files under /srv/mysite.tld/config/:

  • ssl.key (either from § 12.2, line 3 or maybe Comodo?)
  • ssl.crt
  • ssl.bundle

EDIT: Check they’re readable by the admin user.

Then, try running the following:

openssl verify -CAfile /srv/mysite.tld/config/ssl.bundle /srv/mysite.tld/config/ssl.crt

If SSL is set up fine, the output should be:

/srv/mysite.tld/config/ssl.crt: OK

Do you get the OK with that command?

[Note, this is a different command to the troubleshooting guide in the documentation (which applies only to self-signed certificates).]


#3

Hi @joshr

ssl.key
ssl.crt
ssl.bundle

are all there in /srv/mysite.tld/config when I look with FTP.

I’ve tried running openssl verify -CAfile and nothing happens, the terminal just sits there…

Hmmmmm


#4

Ah, I’ve just tested this: the command I’ve specified should all be one line. The forum has split it over two, unfortunately. If you just type the first half, the Terminal does indeed just sit there.

So the command at the prompt looks like:

openssl verify -CAfile /srv/mysite.tld/config/ssl.bundle /srv/mysite.tld/config/ssl.crt

Try now?


#5

Hi @joshr

I’d just come back to play about with this, rather than watching Antiques Roadshow…

If I run the command without the break (not sure why I didn’t) I get:

/srv/mysite.tld/config/ssl.crt: OK

So I’m at a bit of a loss.

It isn’t anything to do with this, when I run traceroute:

my-added-ip.no-reverse-dns-set.bytemark.co.uk (my.added.ip)  31.894 ms

Is it?


#6

Hi @bewitchedweb: I just want to ask a few questions that may help me clarify.

  • Is the traceroute showing the correct IP that you added for the SSL certificate in /srv/site.tld/config/ip?

  • Also, have you ever hand-edited the DNS snippet in /srv/site.tld/config/dns/site.tld.txt?

  • Finally, does your home connection support IPv6?

I ask because hand-editing the snippet can cause problems, though if you haven’t, it should be automatic. This is particularly notable if you use IPv6. I just panicked when my own site wasn’t serving SSL in the office which, of course, is IPv6, and I’d hand-edited my DNS snippet because I’m using a different mail provider, temporarily.


#7

Hi @joshr

traceroute for mysite.tld resolves to the IP for mydedicatedserver.dh.bytemark.co.uk and not the IP address that is in /srv/site.tld/config/ip. Pasting the IP address from /srv/site.tld/config/ip into a browser does resolve back to mysite.tld.

No, I’ve never edited the /srv/site.tld/config/dns/site.tld.txt file.

According to my router, IPv6 is disabled.
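A small diagnostic script pulling together the checks this thread walks through: assembling ssl.bundle in the order from post #1, running the openssl verify from post #2, and comparing what DNS returns for the site with config/ip, since a mismatch like the one in post #7 means visitors land on the server’s default address and get its self-signed hostname certificate. This is an added example, not code from the thread or from Symbiosis; SRV_ROOT, the function names and the two-intermediate bundle are assumptions, and it needs openssl and a resolver for the live checks.

```shell
#!/bin/bash
# Added example, not from the thread or Symbiosis; SRV_ROOT and names are assumptions.
SRV_ROOT="${SRV_ROOT:-/srv}"

# Number of PEM certificate blocks in a file.
cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Build ssl.bundle from intermediates given in chain order: the CA that
# signed ssl.crt first, the root last. Prints how many blocks were written.
build_bundle() {
    out="$1"; shift
    : > "$out"
    for f in "$@"; do
        grep -q -- '-----BEGIN CERTIFICATE-----' "$f" || { echo "not a PEM certificate: $f" >&2; return 1; }
        cat "$f" >> "$out"
        # a file saved without a trailing newline would glue two blocks together
        [ -z "$(tail -c1 "$f")" ] || echo >> "$out"
    done
    cert_count "$out"
}

# The check from post #2: does ssl.bundle vouch for ssl.crt?
check_chain() {
    cfg="$SRV_ROOT/$1/config"
    openssl verify -CAfile "$cfg/ssl.bundle" "$cfg/ssl.crt"
}

# First IPv4 address DNS returns for a name (redefine to test offline).
resolve_host() {
    getent ahostsv4 "$1" | awk 'NR == 1 { print $1 }'
}

# Compare DNS with config/ip. A mismatch, as in post #7, means visitors
# reach the server's default address and get its self-signed certificate.
check_dns() {
    want=$(cat "$SRV_ROOT/$1/config/ip")
    got=$(resolve_host "$1")
    if [ "$got" = "$want" ]; then
        echo "OK: $1 -> $got"
    else
        echo "MISMATCH: $1 resolves to ${got:-nothing}, config/ip says $want"
        return 1
    fi
}
if [ -n "${1-}" ]; then
    check_chain "$1" && check_dns "$1"
fi
```

Run it as `bash check-site-ssl.sh mysite.tld` on the server; a bundle for the thread’s chain is `build_bundle /srv/mysite.tld/config/ssl.bundle COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt`.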


#8

I’m beginning to suspect a DNS problem at our end may be the source of the problem.

Have you ever previously used that domain on another Symbiosis installation - even one that might now be trashed/deleted (e.g. on a BigV server) or rebuilt from scratch?


#9

@joshr Yes, I have.

I’ve moved a lot of my domains from a BigV to a dedicated server recently.


#10

As frustrating as this may sound, I’m pretty sure that the problem you’re experiencing results from the situation as described here.

If you drop us an email with details of all the domains you’ve moved, we can check and, if required, update authority for those domains to the correct content DNS account: support@support.bytemark.co.uk.

This is to protect against unauthorised users hijacking DNS for domains hosted on our name servers by creating new Symbiosis installations for domains that are already configured through Symbiosis (or were previously, but are no longer).

Let me know how you get on - do mention this forum post!


#11

Hi @joshr

I mailed in and had support change the DNS on each domain as I did it… As per this thread: Moving domains between machines.


#12

Bother, I thought I’d got it…! I think at this stage, emailing to get a proper sysadmin to consider the issue is probably the best thing to do. I’ve been able to help you only based on the documentation and my own experience in the same area and I’m afraid the limits of that have been quickly surpassed.


#13

I’ve just sent a mail to support with a link to this thread, to see what they can find. :)