CA Bundle is not updated after reinstalling certificate through cPanel
Sometimes, customers with cPanel servers may face the unpleasant situation when trying to update the Certificate Authority Bundle for their certificates. Despite multiple attempts to reinstall the certificate with the alternative version of CA Bundle, this new version is never installed. This situation is often observed with Comodo (now Sectigo) SSL certificates, for instance, which have different variants of trusted chain that may end up either with SHA-2 root or with SHA-1 root. Since SHA-2 Comodo (now Sectigo) root certificate is not that popular yet, it is not included in the trusted storage of all clients. That is why, using SHA-2 root frequently causes security warnings on mobile devices.
The problem usually presents itself like this: a user makes a fresh installation of a Comodo (now Sectigo) certificate along with ‘SHA-2 root’ chain. It causes all other installations of the certificates of the same type to be associated with the same CA bundle. No matter how many times one tries to install the certificate with the alternative variant of the CA chain through cPanel or WHM interface, the server will still return the initially-installed bundle.
In the screenshot, the output of openssl command used to check the certificate installation is shown. It detected the certificate installed along with SHA-2 root chain. The same chain will be automatically fetched for all PositiveSSL certificates on the server.
The only way to overcome this issue is to update the CA chain via SSH. To do this, you need to have root access to the server.
If you notice similar behavior on Namecheap Shared or Reseller Hosting server, please report the issue to our support team. If you have shared hosting with a third-party hosting company, contact your hosting provider so that they can resolve the issue for you.
Provided you have root access to the server (VPS or Dedicated), you will be able to fix the issue yourself via command line interface. Please follow the steps below:
Step 1. Log in to your server via SSH using the root account. You can utilize any SSH client you want,for example,PuTTy for Windows, or standard Terminal tool on Mac and Linux OS.
Note: If you log in with a non-root account, you will not be able to perform the steps below, and you will receive a permission error.
Step 2. Locate the configuration file with Virtual hosts for the websites on the server. On cPanel servers, the configuration file should be located in /usr/local/apache/conf/httpd.conf or /etc/httpd/conf/httpd.conf
The correct location can be checked using httpd -V command.
Step 3.Open the configuration file using any text editor and locate the SSL virtual host for the domain name (443 port). After the certificate was installed via cPanel or WHM, the corresponding virtual host was created in the config file. It will start with a tag with the server IP address and 443 port, and it will have the corresponding domain next to the ServerName directive.
Look for the SSLCACertificateFile line. It will indicate the path to the file with the CA bundle, which you need to open and modify.
If you take a look at other virtual hosts for the websites with the same certificate type, you may notice that the directives SSLCACertificateFile in them refer to the same file.
Step 4. Open the file with the CA bundle using any text editor and modify it replacing the certificate chain within it. Once completed , save the changes in the file.
Note: If you are encountering the described issue with a Comodo (now Sectigo) certificate purchased with Namecheap, you can download the correct CA bundle file in your Namecheap account, or use SHA-2 bundles from this page (not SHA-2 under SHA-2 root).
Step 5. Restart Apache. You can use the following command for this:service httpd restart
After you have completed these steps, the bundle file should be updated and the server should be able to return it. Please note that cPanel will assign the updated CA bundle for all other installations of certificates of the same type.