Setting up DA with an SSL certificate


Enter Your Query:
Use '%' for wildcards and quotes for "exact phrases"


Top Level » Install Issues
Top Level » General Usage

Setting up DA with an SSL certificateLast Modified: Dec 4, 2012, 1:01 am
You can switch DirectAdmin to use SSL instead of plain text. -> https instead of http on port 2222.
Note that this is for the DirectAdmin connection on port 2222, *not* for apache.
If you're tryting to setup a certificate for your domain through apache, use this guide.

If you do not have your own certificates, you'll need to create your own:

/usr/bin/openssl req -x509 -newkey rsa:2048 -keyout /usr/local/directadmin/conf/cakey.pem -out /usr/local/directadmin/conf/cacert.pem -days 9000 -nodes

chown diradmin:diradmin /usr/local/directadmin/conf/cakey.pem
chmod 400 /usr/local/directadmin/conf/cakey.pem



This is the old method, use either the one above, or this one.  The end result is the same, but takes more steps.

openssl req -new -x509 -keyout /usr/local/directadmin/conf/cakey.pem.tmp -out /usr/local/directadmin/conf/cacert.pem -days 3653

openssl rsa -in /usr/local/directadmin/conf/cakey.pem.tmp -out /usr/local/directadmin/conf/cakey.pem

rm -f /usr/local/directadmin/conf/cakey.pem.tmp
chown diradmin:diradmin /usr/local/directadmin/conf/cakey.pem
chmod 400 /usr/local/directadmin/conf/cakey.pem

(Paste these one at a time as the first 2 require user input)



If you already have your own certificate and key, then paste them into the following files:

certificate:  /usr/local/directadmin/conf/cacert.pem
key: /usr/local/directadmin/conf/cakey.pem

Edit the /usr/local/directadmin/conf/directadmin.conf and set SSL=1  (default is 0).  This tells DA to load the certificate and key and to use an SSL connection.
Ensure your directadmin.conf has the values set:

cacert=/usr/local/directadmin/conf/cacert.pem
cakey=/usr/local/directadmin/conf/cakey.pem

but can be changed as needed.

DirectAdmin needs to be restarted after any changes to the directadmin.conf.

If you also have a CA Root Certificate, this can be specified by adding:

carootcert=/usr/local/directadmin/conf/carootcert.pem

into the /usr/local/directadmin/conf/directadmin.conf file (won't exist by default) and by pasting the contents of the caroot cert into that file.

Note, as of 1.30.2, you can set the value of the SSL redirect should a User connect to an https connection with plaintext http.
http://www.directadmin.com/features.php?id=801

For 1.33.0, you can force DA to redirect to a specific hostname if you wish the host to match the cert installed:
http://www.directadmin.com/features.php?id=917
However, if they connect to https on a different host, they'll first get the ssl warning (since ssl is established before the host is passed), then they'll be redirected to the correct host, where the error would not appear (assuming you've got a valid cert setup)

As of 1.33.3, you can enable a ssl cipher to force SSLv3, and disable SSLv2:
http://www.directadmin.com/features.php?id=957
 
Related Helpfiles
How to manually create a certificate request (CSR)

2003 JBMC Software, Suite 173  3-11 Bellerose Drive, St Albert, AB  T8N 1P7  Canada.  Mon-Fri 9AM-5PM MST