3CX Removes Intermediate certificate from SSL

Discussion in '3CX Phone System - General' started by CBUTLER, Jul 6, 2016.

Thread Status:
Not open for further replies.
  1. CBUTLER

    Joined:
    May 11, 2015
    Messages:
    52
    Likes Received:
    1
    When installing 3CX v15 you are asked for a location of the SSL to install to your custom FQDN. When I upload my PFX file (which includes my cert, intermediate cert, and private key) it installs the certificate into nginx WITHOUT the intermediate certificate. Because of this, in some browsers it is not trusted. I was able to verify this using SSL Shopper's SSL Checker and it confirms the intermediate is missing. Why is 3CX removing this? It is the EXACT same certificate that I installed in Abyss on v14! Additionally the nginx logs show "ssl_stapling" ignored, issuer certificate not found.
     
  2. CBUTLER

    For those that may have this issue, here is what I did to resolve it:

    1. Go to directory "C:\Program Files\3CX Phone System\Bin\nginx\conf\instance1" and make a backup of your "yourdomain.com-crt.pem"
    2. Open notepad and create a .pem file. Paste the pem contents of your certificate at the top of the notepad.
    3. Paste the pem contents of the intermediate certificate below the content that you pasted from step #2. It should be in the following format:
    -----BEGIN CERTIFICATE-----
    Your certificate
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    Your intermediate certificate
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    your root certificate
    -----END CERTIFICATE-----

    In the case of my GoDaddy certificate, I simply pasted the contents of my .crt file at the top and then below I pasted the contents of my gd_bundle-g2-g1.crt.

    Restart 3CX services from within Windows Services (because I can't see anywhere within the 3CX management console to restart all services like we had in v14).

    Note: I uploaded a cert in PEM format instead of PFX on another instance with the private key in a separate PEM format and it worked fine.
     