Hello,

I have a plan mapped out for setting up a shared server certificate on my DirectAdmin server for Apache use. Right now it's going to be a self-signed certificate until I purchase an SSL cert from an authorized root certificate authority. I wanted to run my plan by the more experienced DirectAdmin people out there to see what they thought.

I do not want to use the server's host name (da01.landeserve.com) for the shared certificate, since I do not want users connecting directly to da01.landeserve.com. I want to use secure.landeserve.com for my users to use the shared certificate without having to create a domain or a subdomain within DirectAdmin. Will what I have outlined here work and does anyone see any problems with what I'm about to do?

Login to the server using SSH and switch to the root user.
Generate the certificate files by executing:
# openssl req -new -x509 -keyout /etc/httpd/conf/ssl.key/server.key.tmp -out /etc/httpd/conf/ssl.crt/server.crt -days 3653
# openssl rsa -in /etc/httpd/conf/ssl.key/server.key.tmp -out /etc/httpd/conf/ssl.key/server.key
# rm -f /etc/httpd/conf/ssl.key/server.key.tmp
# chown root:root /etc/httpd/conf/ssl.key/server.key
# chmod 400 /etc/httpd/conf/ssl.key/server.key
In steps #1 and #2 above, I will input secure.landeserve.com as the server name or domain name when asked.
Login to DirectAdmin as the admin user and do the following:
Switch to the Admin Level panel.
Click DNS Administration.
Select the landeserve.com domain.
Add an A record titled secure that points to the server's main IP.
Now, this is the part I'm not 100% sure about. Add the following lines into the server's HTTPD configuration file using the Admin File Editor:
<VirtualHost 72.232.200.170:80>
ServerAdmin admin@landeserve.com
AliasMatch ^/~([^/]+)(/.*)* /home/$1/public_html$2
DocumentRoot /var/www/html
ServerName secure.landeserve.com
ScriptAlias /cgi-bin/ /var/www/cgi-bin/
CustomLog /var/log/httpd/homedir.log homedir
</VirtualHost>

<VirtualHost 72.232.200.170:443>
ServerName secure.landeserve.com
ServerAdmin admin@landeserve.com
AliasMatch ^/~([^/]+)(/.*)* /home/$1/public_html$2
DocumentRoot /var/www/html
ScriptAlias /cgi-bin/ /var/www/cgi-bin/
SSLEngine on
SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
CustomLog /var/log/httpd/homedir.log homedir
</VirtualHost>
Am I missing anything? Is adding the virtualhost section into the HTTPD configuration necessary? Any suggestions for changes before I do this? :)

Thanks for your time.

Hello,

It's note required to change the ServerName directive in the virtualhost to secure.landeserve.com because it's the first virtualhost for that IP.. and if apache can't find a name, the first one in the list gets to be used. (same as if 72.232.200.170 was accessed). But on the other side, setting the ServerName to secure.landserve.com will also work just fine.. because that is the VH that is supposed to be used anyway.. so it really makes no different either way what the ServerName is set to at all ;)

So really, all you have to do is swap the server.crt and server.key files around... that's about it.

John

Thanks John. :) One other question. if I wanted to have a cert for da01.landeserve.com (the server's hostname) and secure.landeserve.com (for my users to use), which are both on the server's main IP, could I create separate certs for each and have the apache config point to the appropriate cert for each site? I know they would both still point to the same site on the server.

I'm missing how you plan on implementing the shared certificate for your users.

Where are you planning on creating the directory paths for your users?

With your suggested setup above you'll have to put all your user subdirectories under /var/www/html and give them rights there.

And your users will have to use the shared certificate as:

https://secure.landeserve.com/<directoryname>/

Is that what you want to do?

Jeff

No, that's not what I want to do. I'm just trying to figure out the best way to install a shared cert without telling my users they have to use da01.landeserve.com/~username in order to use the cert. Wouldn't it be better to tell them to use secure.landeserve.com/~username? Also, isn't that how a client would use the shared cert?

That'll work as long as the sites are properly designed.

Jeff

How does DirectAdmin normally handle using shared server certificates? What I mean is, what is the normal URL a user would use to use a shared cert? Is it hostname.domain.tld/~username or something else?

I don't think there's any such thing as normal.

Jeff

Okay, how about the default way with a base DirectAdmin install with no customizations or anything? Or, can you make any recommendations?

DA allows you to use the server-cert for any domain on a shared IP# by just turning on SSL and checking the right box. But then there'll always be a domain-name mismatch.

Other than that? I came up with one scenario and you came up with another. All three work. Within their limitations.

Jeff