Namecheap SSL Signed for Hestia

Hello, I have set up my webpage using the domain from Namecheap.

I have set up the SSL on Namecheap and put the keys into my domain in Hestia. However, the website says it’s self-signed. Namecheap support gave me this link to reference.

I have the certificate downloaded but can’t seem to find the location to upload or how to validate it.

I’ve tried googling but can’t find anything and was given this resource

but does not seem to help.

Thanks for your time and attention.

Hi @fortune,

So you edited your web domain and filled the fields SSL Certificate, SSL Private Key and SSL Certificate Authority / Intermediate with the right data?

If you did that, when you save it and go back in to edit the web domain, what do you see here?

3 Likes

image
is what I get. I have scrubbed personal info using inspect element, but it’s the correct data for my website.

To make the cert I needed a CSR. The link I was given was

I saw no option for Hestia; the website said I could use

where I put the info in manually.

Edit:
I have no idea where to find SSL Cert Authority data when making the SSL, so it’s currently blank. I can see that being the issue.

In the first link you posted:

It shows how to download your certificate (.crt file) and the CA certificate (.ca-bundle file), and the latter is the one you must add into the field SSL Certificate Authority / Intermediate.

1 Like

So I opened the CA-Bundle file and pasted the content. It was 3 separate certificates (i.e. -----BEGIN CERTIFICATE----- {content} -----END CERTIFICATE----- 3x).

I get an Error: SSL intermediate chain is not valid error.

I suppose they are also including your certificate in the ca-bundle; it should be the first cert in the file. Copy the other two or, if you want to know which three certs are included and their order, use this command:

openssl storeutl -noout -text -certs /tmp/whatever.ca-bundle | grep -E 'Issuer:|Subject:|Not\s[AB]|DNS:' | sed 's/^\s*//' | column -t -s ':' -l 2 | sed 's/^Issuer/\nIssuer/'

Note: replace /tmp/whatever.ca-bundle with the path and file name of the ca-bundle.

1 Like

None of the three work separately. Doing the grep command gives me the output below. None of the three codes match the certs I’ve already input.

Issuer C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority
Subject C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA

Issuer C=GB, ST=Greater Manchester, L=Salford, O=Comodo CA Limited, CN=AAA Certificate Services
Subject C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority

Issuer C=GB, ST=Greater Manchester, L=Salford, O=Comodo CA Limited, CN=AAA Certificate Services
Subject C=GB, ST=Greater Manchester, L=Salford, O=Comodo CA Limited, CN=AAA Certificate Services

Seems all three are the CA certificates: the first two are the intermediates and the last one is the root CA. If it doesn’t work using all three, use only the first 2 certs.

1 Like

No combination of all three certs seems to work; all return an Error: SSL intermediate chain is not valid when placed into the SSL Certificate Authority / Intermediate field.

The cert starts with?

-----BEGIN CERTIFICATE-----

The private key starts with?

-----BEGIN PRIVATE KEY-----

The CA certs start with?

-----BEGIN CERTIFICATE-----

Just asking in case they are in any other format.

You can also check what is the issuer of your certificate to be sure what is the CA that signed your cert:

openssl x509 -noout -in /tmp/whatever.crt -issuer -dates -subject -ext subjectAltName

Note: replace /tmp/whatever.crt with the path and file name of your certificate.

1 Like

SSL Cert

-----BEGIN CERTIFICATE-----

SSL Private Key

-----BEGIN RSA PRIVATE KEY-----

CA Certs

-----BEGIN CERTIFICATE-----

CRT file:
Issuer C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA
Not Before xxxxxxxxxxx
Not After xxxxxxxxxxxx 2025
Subject CN=domain.url
DNS domain.url, DNS:www.domain.url

I see no problem. The ca-bundle contains the chain you need to verify the certificate, indeed with only the first 2 it should work because the last one should be already in the cert store of the client computer or browser.

I would copy the certs and paste them into an editor without formatting, then copy them again and paste them into the right fields to avoid wrong dashes.

1 Like

So I found a solution. The main issue comes, I think, from two places.

  1. You need to use Generate Self-Signed SSL Certificate built into Hestia

then follow the steps to reissue the SSL on Namecheap, and provide the SSL CSR to Namecheap.

Then after pasting the data into the corresponding fields

  2. I needed to check Use Let’s Encrypt to obtain SSL certificate.

Afterwards everything seems to work.

Thank you for your help. I’m glad to have this problem resolved. Seeing that my SSL Private key was off sent me down the correct line of actions.

If you use Let’s Encrypt you are not using the certificate generated by Namecheap and the point 1 is irrelevant in this case.

1 Like

I’m new to web hosting outside of cPanel, so this is my first time doing this more manually. The main issue of getting a security warning goes away now when going to the domain via incognito. So no warning pops up when a user would visit.

But upon looking at the domain using https://decoder.link/sslchecker/ I do see that it is not using the certificate generated by Namecheap.

So this issue would still be open.

It is OK to use Let’s Encrypt certificates. Is there any reason you want to pay for a certificate?

Anyways, you could try to update the cert from the command line. Create a dir (for example /tmp/cert/) where you will copy the certificate, the key and the ca-bundle; the files must have this format (I’ll use example.com as the domain):

example.com.crt
example.com.key
example.com.ca

Then execute this command (replace fortune with your actual Hestia user):

v-update-web-domain-ssl fortune example.com /tmp/cert/ updatessl
1 Like

Well, I got it for free and assumed it’s important, as I would get the security error before getting it (likely just me being incompetent).

The command gives me sudo: v-update-web-domain-ssl: command not found
which is another issue. But for now this is good enough.

That’s because the command is not in your PATH.

Use this:

sudo su -
v-update-web-domain-ssl fortune example.com /tmp/cert/ updatessl

Or this:

sudo /usr/local/hestia/bin/v-update-web-domain-ssl fortune example.com /tmp/cert/ updatessl
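
The two failure modes discussed in this thread, a private key that does not belong to the certificate and a CA bundle that does not chain to it, can be checked locally with openssl before the files are pasted into the panel or passed to v-update-web-domain-ssl. The script below is an added example, not part of the original thread and not Hestia's own code; the function names are hypothetical, and the DIR/DOMAIN.crt, .key, .ca layout is the one described in the reply above.

```shell
#!/bin/sh
# Added example: local checks for the three PEM files Hestia expects.
# Layout DIR/DOMAIN.crt, .key, .ca follows the thread; the function names
# are hypothetical helpers, not Hestia commands.

# True if the file is readable and holds only printable ASCII
# (flags CR, tabs and pasted "smart" dashes).
pem_is_clean() {
    [ -r "$1" ] && ! LC_ALL=C grep -q '[^ -~]' "$1"
}

# True if the private key's public half equals the certificate's public key.
# openssl pkey reads both BEGIN PRIVATE KEY and BEGIN RSA PRIVATE KEY files.
key_matches_cert() {    # args: CRT KEY
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -passin pass: -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# True if the certificate chains through the bundle to a trusted root.
# Without ROOT the system trust store decides; ROOT is for a private test CA.
chain_verifies() {      # args: CRT CA_BUNDLE [ROOT]
    if [ -n "${3:-}" ]; then
        openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
    else
        openssl verify -untrusted "$2" "$1" >/dev/null 2>&1
    fi
}

# Run all checks for one domain; returns 0 only if every check passes.
check_cert_dir() {      # args: DIR DOMAIN [ROOT]
    rc=0
    for f in "$1/$2.crt" "$1/$2.key" "$1/$2.ca"; do
        pem_is_clean "$f" || { echo "FAIL unreadable or non-ASCII bytes: $f"; rc=1; }
    done
    key_matches_cert "$1/$2.crt" "$1/$2.key" ||
        { echo "FAIL private key does not belong to $2.crt"; rc=1; }
    chain_verifies "$1/$2.crt" "$1/$2.ca" "${3:-}" ||
        { echo "FAIL $2.crt does not chain through $2.ca"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK $2: key matches and chain verifies"
    return "$rc"
}

# Example call: sh check.sh /tmp/cert example.com
if [ "$#" -ge 2 ]; then check_cert_dir "$@"; fi
```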
