Comodo SSL Certificates

Following yet another super-insightful Roots article on SSL Certificates by @ben.

I went to the Comodo website and–my people in Clifton, New Jersey–they were super-helpful!

I noticed that the certificate I download from certificatechain.io is slightly different from the one their tech guy had me assemble and wanted to check in with y’all.

With certificatechain.io you input the -----RSA PRIVATE KEY----- and it builds a crt that starts with that key, followed by the pem info from the following two files downloadable from the Comodo Knowledgebase page:

  1. comodorsadomainvalidationsecureserverca.crt
  2. comodorsaaddtrustca.crt

My man Ron at Comodo said that for different web servers the required format is different, but that for nginx you also want to include the contents of addtrustexternalcaroot.crt (AddTrustExternalCARoot).

Additionally he mentioned that “Some nginx require also the private key”, which I presume is why with trellis we include both:

ssl:
  enabled: true
  cert: ~/ssl/example_com.crt
  key: ~/ssl/example_com.key

Ben’s article is from a couple of years ago and I’m not sure if

  1. things have changed
  2. Ron with Comodo was incorrect
  3. It works with or without AddTrustExternalCARoot or
  4. Yeah, but this is different

Input and clarification, as always, hoped for.

What would I be without you?

  1. Any reason you aren’t just using Let’s Encrypt?
  2. Just use the chain generated from certificatechain.io
  3. Try it out and test on SSL labs
  4. Try something different if it says something is wrong

It’s not a big deal if it’s not correct/perfect, you can just change the cert chain /shrug

Well, we had purchased the certificate to use on shared hosting for this domain previously because it was taking me so long to provision the server (I’m embarrassed to say), and I was sort of under the impression that Let’s Encrypt provided a lower confidence rating than Comodo.

Maybe that impression is mistaken.

For some reason my staging > wordpress-sites.yml is set to self-signed, but I will change it to letsencrypt, re-provision and report back.

Do browsers raise flags when certificate providers change for a site?

I had forgotten about the ACME challenge that Let’s Encrypt uses. This site is still live on a different server, so only my own local hosts file is associating the domain name with the server I am installing the certificate on.

I’ll try one of these workarounds, like putting a 301 redirect on the current server pointing to the location of .well-known/acme-challenge/ on the new server, but is that something Trellis supports in letsencrypt: Test Acme Challenges?
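The redirect workaround described above, written out as an added example (not from the thread, and not something Trellis generates for you): this goes on the old server that DNS still points at, and forwards only the ACME challenge path to the new server. The IP address is a placeholder from the documentation range; substitute the new server's address.

```nginx
# Old server, still answering for example.com while DNS has not moved yet.
server {
    listen 80;
    server_name example.com www.example.com;

    # Only the ACME HTTP-01 path is forwarded; everything else keeps serving
    # the old site. Let's Encrypt's validator follows redirects, so a 301 to
    # the new box is enough for the challenge to be answered from there.
    location ^~ /.well-known/acme-challenge/ {
        return 301 http://203.0.113.10$request_uri;   # placeholder: new server
    }

    # existing site configuration for the old server continues here
}
```

Two things to check before relying on it: the redirect target carries the IP, not the domain, in its Host header, so the acme-challenge location on the new server must be reachable from the server block that answers requests for that IP (the default_server on port 80, if nothing else matches); and the challenge files must be reachable over plain HTTP there, since the new server has no valid certificate yet.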

I’m not sure what you mean by the part of the error message saying:

If you don't want these domains in your SSL certificate, then remove them from `site_hosts`.

Does that mean the Config Files with [web], [staging] and IP addresses that reside in the hosts directory?

There’s a /srv/www/letsencrypt/ping.txt file, owned by root, that appears to be empty.

I wonder whether, if I were more experienced with this, I would just put in the ones I already bought, but I also want to learn as much about Trellis, Roots and Sage as I can.

Like you say, @swalkinshaw, no harm in seeing what happens if I install them.

The first thing I’ll try is putting them in the staging/wordpress_sites.yml file:

ssl:
  enabled: true
  cert: ~/ssl/example_com.crt
  key: ~/ssl/example_com.key 

Also, I’m having trouble figuring out what that fourth, AddTrustExternalCARoot section of the crt recommended by my new friend at Comodo is, so if anyone knows, please share. Otherwise I’ll aim to call them up and report back. If Scott recommends installing without it, that’s my starting point for sure.

You already have the Comodo one so just try it first 🙂

Ignore the “AddTrustExternalCARoot” part for now and use ssllabs.com to test your site once it’s up. It will tell you if something is missing or not.
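The chain assembly discussed in the original post (certificatechain.io's key-first .crt, the two Comodo intermediates, the question of whether the AddTrust root belongs in the file) and the "test it and see what's missing" advice just above can both be checked locally before DNS moves. The script below is an added example, not code from the thread, from Trellis or from Comodo: it builds a throwaway root, intermediate and leaf with openssl (the CA names and example.com are made up), assembles the chain file in the order nginx reads `ssl_certificate` (server certificate first, then the intermediate, root left out, private key in its own file for `ssl_certificate_key`), and then runs the same checks a client or SSL Labs would: the leaf must verify with only the root trusted and the intermediate taken from the served chain, and must fail if the intermediate is missing. The root is omitted from the chain on purpose: a client that does not already have it in its trust store will not trust it because you sent it, so serving it only adds bytes to every handshake. The chain file also must not contain the private key; nginx reads the key from the separate `ssl_certificate_key` file, and the .crt should hold certificates only.

```shell
#!/bin/sh
# Added example, not code from the thread or from Trellis: build a throwaway
# root -> intermediate -> leaf PKI with openssl, assemble the chain file in
# the order nginx expects (server certificate first, then intermediates, root
# omitted, private key kept in its own file), then verify it as a client
# would. Every name here (Example Test Root, example.com, ...) is made up.
set -eu

# Minimal req config so the script does not depend on the system openssl.cnf.
write_req_config() {
    printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$1/req.cnf"
}

# Key + CSR for one subject; -nodes because this is throwaway material.
make_csr() {
    d=$1; name=$2; cn=$3
    openssl req -new -config "$d/req.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=$cn" -keyout "$d/$name.key" -out "$d/$name.csr" 2>/dev/null
}

# Create root, intermediate and leaf inside directory $1.
build_demo_pki() {
    dir=$1
    mkdir -p "$dir"
    write_req_config "$dir"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:example.com\n' > "$dir/leaf.ext"

    make_csr "$dir" root "Example Test Root"
    openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -days 3650 \
        -extfile "$dir/ca.ext" -out "$dir/root.crt" 2>/dev/null

    make_csr "$dir" intermediate "Example Test Intermediate"
    openssl x509 -req -in "$dir/intermediate.csr" -CA "$dir/root.crt" -CAkey "$dir/root.key" \
        -CAcreateserial -days 1825 -extfile "$dir/ca.ext" -out "$dir/intermediate.crt" 2>/dev/null

    make_csr "$dir" example_com example.com
    openssl x509 -req -in "$dir/example_com.csr" -CA "$dir/intermediate.crt" -CAkey "$dir/intermediate.key" \
        -CAcreateserial -days 365 -extfile "$dir/leaf.ext" -out "$dir/example_com.crt" 2>/dev/null
}

# nginx's ssl_certificate: server certificate first, then the intermediate(s).
# The root is left out: a client must already trust it, so sending it only
# adds bytes. The key stays in example_com.key for ssl_certificate_key.
assemble_chain() {
    cat "$1/example_com.crt" "$1/intermediate.crt" > "$1/example_com.chained.crt"
}

# Subject of each certificate in the chain file, in file order.
chain_subjects() {
    openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout \
        | sed -n 's/^subject=//p'
}

# Verify as a client would: trust only the root, take intermediates from the
# served chain (-untrusted), check the leaf. Returns non-zero on failure.
verify_chain() {
    openssl verify -CAfile "$1/root.crt" -untrusted "$1/example_com.chained.crt" \
        "$1/example_com.crt" >/dev/null 2>&1
}

# Same check with the intermediate missing, which is the usual "chain issue"
# SSL Labs flags. Expected to fail.
verify_leaf_alone() {
    openssl verify -CAfile "$1/root.crt" "$1/example_com.crt" >/dev/null 2>&1
}

# Number of private-key lines in a file; a chain file should contain none.
private_key_blocks() {
    grep -c 'PRIVATE KEY-----' "$1" || true
}

# Does the private key belong to the certificate? Compares the public keys.
key_matches_cert() {
    [ "$(openssl x509 -noout -pubkey -in "$1")" = "$(openssl pkey -pubout -in "$2")" ]
}

DEMO_DIR=$(mktemp -d)
build_demo_pki "$DEMO_DIR"
assemble_chain "$DEMO_DIR"
echo "chain order:"; chain_subjects "$DEMO_DIR/example_com.chained.crt"
verify_chain "$DEMO_DIR" && echo "leaf verifies via served intermediate"
```

Against a real deployment the same checks apply with the real files: `openssl verify -CAfile <root> -untrusted example_com.crt example_com.crt` must say OK, `chain_subjects` must list the domain's certificate first, `private_key_blocks` on the .crt must be 0, and once DNS resolves SSL Labs performs the equivalent of `verify_chain` from the outside and reports an incomplete chain when the intermediate is missing.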

Looking happy in terms of Trellis provisioning output and there’s a little green lock in the URL bar, but I imagine that I’ll need to wait until DNS is proper before ssllabs.com can give me the seal of approval, no?

Correct, it would only work if the DNS record exists. But if it’s working for you via the hosts file, then it’s likely fine. You just need to adjust the cert chain after, but that’s easy and SSL Labs will help.
