[Resolved] Comodo InstantSSL Chained CA-Bundle

J.T.

Well-Known Member
#1
Hi,

We use Comodo InstantSSL for some of our domains.

I'd simply upload the crt to /conf/cert where the key is too, then give the SSL Private Key File, Certificate File and leave Chained No.

That then works fine for almost everybody.

But every now and then, some people say they get warnings about it being insecure. Probably those on a tightly secured network.

This tool confirms that:

http://www.sslshopper.com/ssl-checker.html

The certificate is not trusted in all web browsers. You may need to install an Intermediate/chain certificate to link it to a trusted root certificate. Learn more about this error. You can fix this by following Comodo's Certificate Installation Instructions for your server platform (use these instructions for InstantSSL). Pay attention to the parts about Intermediate certificates.
Note the link to Comodo's Apache OpenSSL instructions:

https://support.comodo.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=264&nav=0,96,1,88

So ideally, we'd use the ca-bundle file Comodo send along with the CRT.

Before using Litespeed, indeed this worked in Apache:

Code:
SSLCertificateChainFile /etc/ssl/crt/yourSERVERNAME.ca-bundle
But I can't get that to work in Litespeed.

If I upload the ca-bundle file in the same /conf/cert directory where the site's key and crt are, then say Chained Certificate - Yes, CA Certificate Path = $SERVER_ROOT/conf/cert/ and CA Certificate File = $SERVER_ROOT/conf/cert/yourSERVERNAME.ca-bundle

I restart LSWS and then that tool, and the browser thinks no SSL has been installed.

I don't understand the explanation of CA Certificate Path and File either.

How can I use Comodo's chained bundle?
 

mistwang

LiteSpeed Staff
#2
"Chained Certificate" off
"CA Certificate File" = $SERVER_ROOT/conf/cert/yourSERVERNAME.ca-bundle
"CA Certificate Path" should not be set
 

J.T.

Well-Known Member
#3
Thanks, I'll try that. Comodo just suggested to put the bundle certificate inside the normal certificate file. Normal certificate up top, followed by the bundle. I'll try that as well just in case.
 

J.T.

Well-Known Member
#5
"Chained Certificate" off
"CA Certificate File" = $SERVER_ROOT/conf/cert/yourSERVERNAME.ca-bundle
"CA Certificate Path" should not be set
Thanks, that seems to work. That SSL checker now has green ticks all over, great!
 

gdewey

Well-Known Member
#6
Thanks for the post, J.T., very helpful.

I did

"cat STAR_mydomain.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > ssl-bundle.crt"

and placed path and file on "CA Certificate File", left CA Certificate Path blank, and it worked

regards
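
An added example, not part of the thread and not LiteSpeed or Comodo code: a local check that a concatenated file such as the ssl-bundle.crt above (or the site certificate followed by the .ca-bundle) is ordered leaf first, with each certificate issued by the one after it. The function name check_chain_order is hypothetical, and the script assumes the openssl command-line tool is installed.

```shell
#!/usr/bin/env bash
# Added example: check_chain_order is a hypothetical helper name.
# Usage: check_chain_order FILE
#   0 = every certificate in FILE names the next certificate as its issuer
#   1 = a certificate is out of order, unreadable, or its issuer is not next
#   2 = FILE holds no PEM certificates
# Only issuer/subject name hashes are compared; signatures and trust are not
# verified here (use "openssl verify" for that).
check_chain_order() {
    bundle=$1
    tmp=$(mktemp -d) || return 2

    # Split the bundle into cert-1.pem, cert-2.pem, ... one PEM block per file.
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem" }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
    ' "$bundle"

    if [ ! -f "$tmp/cert-1.pem" ]; then
        echo "no certificates found in $bundle" >&2
        rm -rf "$tmp"
        return 2
    fi

    i=1
    status=0
    while [ -f "$tmp/cert-$((i + 1)).pem" ]; do
        issuer=$(openssl x509 -in "$tmp/cert-$i.pem" -noout -issuer_hash 2>/dev/null)
        next=$(openssl x509 -in "$tmp/cert-$((i + 1)).pem" -noout -subject_hash 2>/dev/null)
        # An empty hash means openssl could not parse that certificate.
        if [ -z "$issuer" ] || [ "$issuer" != "$next" ]; then
            echo "certificate $i is not issued by certificate $((i + 1))" >&2
            status=1
        fi
        i=$((i + 1))
    done

    rm -rf "$tmp"
    return "$status"
}
```

A pass here only confirms the file order; the SSL checker linked in the first post still shows what the server actually sends.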
 