dotnetco.de

Use SSL from StartSSL with i-MSCP (internet multi-server control panel)

Typically my domains are hosted by IP Projects. To administer their PHP webhosting packages they use i-MSCP (internet Multi Server Control Panel).

Next typical thing: for my SSL certificates I use StartSSL in most cases. It’s a free, fast and reliable service, and it has existed for years, long before Google’s and Mozilla’s Let’s Encrypt campaign.

Unfortunately, i-MSCP and certificates from StartSSL do not work well together by default.

Invalid CA Bundle

That’s the error message when you just use the files provided by StartSSL via mail: Invalid CA Bundle.

In i-MSCP you have to provide 3 files to enable SSL:

  1. Private Key
  2. Certificate
  3. CA-Bundle

The private key is created by you. You can use the tool provided by StartSSL for it.

The certificate is then mailed to you by StartSSL. Open the ApacheServer.zip and there you’ll find a file called ‘2_yourdomain.com.crt’.

Create the CA Bundle file

And here comes the tricky part: you have to create the CA-Bundle file on your own! Open ApacheServer.zip again and open the file ‘1_root_bundle.crt’ in a text editor. Then have a look at OtherServer.zip and open the included ‘root.crt’ with a text editor. Copy the whole text from ‘root.crt’ and paste it AFTER the text of ‘1_root_bundle.crt’! The new file should look like this (I replaced some lines with three dots for a better overview; your file should of course not include the dots):

-----BEGIN CERTIFICATE-----
MIIF5TCCA82gAwIBAgIQal3D5TtOT9B7aR6l/OxkazANBgkqhkiG9w0BAQsFADB9
(...)
Szc2kuPNbrV8PvbTLIXupfZFFj0d9mpaFg==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIHyTCCBbGgAwIBAgIBATANBgkqhkiG9w0BAQUFADB9MQswCQYDVQQGEwJJTDEW
(...)
NOsF/5oirpt9P/FlUQqmMGqz9IgcgA38corog14=
-----END CERTIFICATE-----

So that’s your CA Bundle file. Copy it into your CA Bundle input textbox in your i-MSCP and everything should work fine now!

Update

At another provider I got the following warning (in German) when I uploaded my SSL certificates:

“Warnung: Das CA-Zertifikat signiert nicht das Zertifikat.”

which means “Warning: The CA-Certificate does not sign the certificate.” To work around this error, the solution is the same as described above: merge the 2 files and use the new file as the CA certificate.
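
The merge described under “Create the CA Bundle file” and reused in the update can also be scripted, which avoids the usual hand-paste mistake of fusing the END and BEGIN markers when the first file has no trailing newline. This is an added example, not part of the original post; the function names and the script name are hypothetical, and the last step assumes the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example, not from the original post. File names follow the StartSSL
# archives named above; the function names are hypothetical.

# Print the number of certificates in FILE. Fails unless every BEGIN/END
# marker sits alone on its own line and the two counts match.
count_certs() {
    begin=$(grep -c -x -e '-----BEGIN CERTIFICATE-----' "$1" || true)
    end=$(grep -c -x -e '-----END CERTIFICATE-----' "$1" || true)
    [ "$begin" -gt 0 ] && [ "$begin" -eq "$end" ] || return 1
    echo "$begin"
}

# make_ca_bundle INTERMEDIATE ROOT OUT
# Writes INTERMEDIATE followed by ROOT (the order used in the post) to OUT.
make_ca_bundle() {
    : > "$3"
    for f in "$1" "$2"; do
        # Drop CRs, trailing blanks and empty lines. awk ends every line with
        # a newline, so the END marker of the first file can never fuse with
        # the BEGIN marker of the second.
        tr -d '\r' < "$f" | awk '{ sub(/[ \t]+$/, "") } NF' >> "$3"
    done
    n=$(count_certs "$3") || return 1
    [ "$n" -eq 2 ]
}

# verify_with_bundle BUNDLE CERT
# Asks OpenSSL whether CERT chains to the CAs in BUNDLE.
verify_with_bundle() {
    openssl verify -CAfile "$1" "$2"
}

# Usage: sh make-bundle.sh 1_root_bundle.crt root.crt ca-bundle.crt [2_yourdomain.com.crt]
if [ "$#" -ge 3 ]; then
    make_ca_bundle "$1" "$2" "$3" || { echo "bundle is malformed" >&2; exit 1; }
    echo "wrote $3"
    if [ "$#" -ge 4 ]; then verify_with_bundle "$3" "$4"; fi
fi
```

Passing the domain certificate as the optional fourth argument checks the chain locally before anything is pasted into the control panel.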
