![\"\"](\"https:\/\/www.jgt.me.uk\/wp-content\/uploads\/2025\/08\/image-5.png\")
<\/p>\n\n\n\n
When checking my SSL certs, I discovered that with chromium based browsers this site worked. But Firefox decided that the certificate was not secure. It then gave you no options to, ‘I know what I’m doing please let me go there’. That would have then allowed me to check the certificate in Firefox to tell you what was wrong with it. Doesn’t this sound like something Microsoft would do as well?<\/p>\n\n\n\n
So, i had to get the details from my CA server:<\/p>\n\n\n
\n curl failed to verify the legitimacy of the server and therefore could not <\/p>\n\n\n\n So, there’s a problem.<\/strong><\/p>\n\n\n\n I then had to log onto my plesk instance and the WordPress section, which told me nothing. Going to the ‘domains’ section allowed me to get to the server hosting it. Via the “SSL \/TLS Certificates” button, I could finally see that… …There was no issue!<\/p>\n\n\n\n Well, at least as far as plesk was concerned.<\/p>\n\n\n\n It turns out that the The leaf certificate<\/strong> was ok. But the intermediate certificate<\/strong> from ” GeoTrust TLS RSA CA G1″ was not included.<\/p>\n\n\n\n Therefore, So, I needed to regenerate the Could I find it on the 1&1 IONOS site? Could I heck! This is despite using them last time to generate it. <\/p>\n\n\n\n Ok, so I used one of the spare ones in my “Geotrust QuickSSL Premium”. IONOS seem to be really focused on trying to make me spend more money with them. Almost every time i click on something it results in a “Do you want to buy this”:<\/p>\n\n\n\n Note that the “Recommended” is the one that asks you to shell out more cash to them.<\/p>\n\n\n\n So when you ‘Activate’ you get the choice to download the private key. <\/p>\n\n\n\n You’re then taken to the SSL Certificates page to download your crt and intermediate certs. No problem there either.<\/p>\n\n\n\n The fun starts when you try to use this certificate in plesk after removing the old one:<\/p>\n\n\n\n What the Heck?<\/p>\n\n\n\n You used to be able to chose something from the SSL Cert store in Plesk from that screen but now all you get is “buy something!”<\/p>\n\n\n\n The observant among you probably are saying, ‘but there’s a “Upload Already Purchased Certificate” ‘ option. Correct:<\/p>\n\n\n\n A After a bit of trial and error, you need to use:<\/p>\n\n\n\n All mashed up together and that’s your After you have done this, and no got a working certificate, you then<\/strong> <\/em>can use the ‘Advanced’ button to add that certificate to the site’s SSL store. <\/p>\n\n\n\n I suppose its my fault for assuming I needed to remove the cert before I could add a new one. <\/p>\n\n\n\n Anyways, its all working again. <\/p>\n\n\n\n ‘Til next year.<\/p>\n\n\n\n This was written to vent a little over how annoyingly difficult something seemingly simple like renewing your own certificate can be. If it’d used “Let’s Encrypt” (like I do for many of my other hosted sites), I would not be writing this!<\/p>\n\n\n\n <\/p>\n","protected":false},"excerpt":{"rendered":" Well that was… …fun? TL;DR; Updating SSL certs is a pain. When checking my SSL certs, I discovered that with chromium based browsers this site worked. But Firefox decided that the certificate was not secure. It then gave you no Continue reading SSL Stuff<\/span>
\ncurl -vI https:\/\/jgt.me.uk
\n* Host jgt.me.uk:443 was resolved.
\n* IPv6: (none)
\n* IPv4: 194.164.95.67
\n* Trying 194.164.95.67:443...
\n* Connected to jgt.me.uk (194.164.95.67) port 443
\n* ALPN: curl offers h2,http\/1.1
\n* TLSv1.3 (OUT), TLS handshake, Client hello (1):
\n* CAfile: \/etc\/ssl\/certs\/ca-certificates.crt
\n* CApath: \/etc\/ssl\/certs
\n* TLSv1.3 (IN), TLS handshake, Server hello (2):
\n* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
\n* TLSv1.3 (IN), TLS handshake, Certificate (11):
\n* TLSv1.3 (OUT), TLS alert, unknown CA (560):
\n* SSL certificate problem: unable to get local issuer certificate
\n* Closing connection
\ncurl: (60) SSL certificate problem: unable to get local issuer certificate
\nMore details here: https:\/\/curl.se\/docs\/sslcerts.html<\/p>\n
\nestablish a secure connection to it. To learn more about this situation and
\nhow to fix it, please visit the web page mentioned above.
\n<\/code>\n<\/p>\n\n\ncurl<\/code> cannot validate the trust chain even though chromium based browsers like Chrome might<\/em> accept it by filling in missing intermediates from their own stores.<\/p>\n\n\n\njgt.me.uk<\/code> cert. <\/p>\n\n\n\n![\"\"](\"https:\/\/www.jgt.me.uk\/wp-content\/uploads\/2025\/08\/image-1-1024x656.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/www.jgt.me.uk\/wp-content\/uploads\/2025\/08\/image-2-1024x191.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/www.jgt.me.uk\/wp-content\/uploads\/2025\/08\/image-3-1024x356.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/www.jgt.me.uk\/wp-content\/uploads\/2025\/08\/image-4.png\")
<\/figure>\n\n\n\n.pem<\/code> file, really? They don’t even tell you what’s expected in the file. <\/p>\n\n\n\n\n
.key<\/code><\/li>\n\n\n\n.cer<\/code><\/li>\n\n\n\nintermediate1.cer<\/code><\/li>\n\n\n\nintermediate1.cer<\/code><\/li>\n<\/ul>\n\n\n\n.pem<\/code> file. I suppose if you’re doing this all the time you should probably know this, but I only do this once a year. (see: https:\/\/docs.progress.com\/bundle\/datadirect-hybrid-data-pipeline-installation-46\/page\/PEM-file-format.html<\/a> ) for an example.<\/p>\n\n\n\n