View Full Version : SSL control panel logins


ProWebUK
06-12-2003, 01:40 AM
after looking at the API,

DirectAdmin Uses port 2222 which may or may not be secure (SSL). The default is not, so if you need to choose one, choose non SSL. Authentication is basic web authentication using base64 encryption of "username:password"

How easy is it to put the logins under SSL?

I would personally prefer logging in under secure space, even if it wasn't with a trusted cert.

Chris

DirectAdmin Support
06-12-2003, 09:31 AM
Hi Chris,

To enable SSL, edit the directadmin.conf file located at /usr/local/directadmin/conf/directadmin.conf and change the value SSL=0 to SSL=1. You need to make sure you've created the certificates as described at the bottom of the install guide http://www.directadmin.com/installguide.html under "Setup SSL Certificates"

Then restart DirectAdmin:
service directadmin restart

John

ProWebUK
06-12-2003, 12:09 PM
it hasn't stopped yet!

Every time I ask a new question it makes me want it even more. (And the secrets are still being revealed ;) )

Chris

DirectAdmin Support
06-12-2003, 01:17 PM
I might add, that at this time, our autoupdate feature will try to connect to DirectAdmin using a regular connection, meaning non-https, so if you have it enabled, your panel will never know that it should go update. You can just keep an eye on the current available version # and click "update" from the licensing screen... that is, until we get the updater to also try https when http fails.

John

thoroughfare
11-03-2003, 07:03 PM
Hi,

Is it possible to use https://IPADDRESSHERE:2222 to access the control panel using SSL?

When I go to https://IPADDRESSHERE/ I get the 'apache functioning normally' page and the SSL cert works fine (although it does show as being registered by the 'Snake Oil Company', oddly enough).

When I try https://IPADDRESSHERE:2222 I get 'error loading certificate' on the page.

I followed your instructions on the installation page to the letter, I've checked over them and tried them again and it's still not working. I also edited directadmin.conf and restarted DA.

Any ideas?

Thanks,
Matt :D

DirectAdmin Support
11-04-2003, 10:50 AM
Hello,

It should be working. Check the DA error log for possible clues:
/var/log/directadmin/error.log

generally, it's either incorrect permissions, filenames or certificates.

John

jasonyates
11-04-2003, 11:54 AM
Can you still use the http:// login when you have https:// enabled?

thoroughfare
11-04-2003, 11:55 AM
Tried it again, and it worked! I think the problem was that when it was asking for details (like organisation, address etc) I'd set most of them to blank. When I tried it again, I filled the fields :)

Thanks! :D

Matt

thoroughfare
11-04-2003, 11:56 AM
Jason: No... just tried it :D

Matt

P.S. When I get a secure cert from GeoTrust, will it work ok with the DirectAdmin cp too?

Anything particular I need to do to make it work with :2222?

Cheers,
Matt

ProWebUK
11-04-2003, 12:06 PM
to replace your default cert with a genuine one (from geotrust) look for the crt and key files currently used by DA then replace with your new ones........... should work.... make sure you make backups :D

/etc/httpd/conf/ssl.crt/server.crt
/etc/httpd/conf/ssl.key/server.key

Chris

thoroughfare
11-04-2003, 12:07 PM
Thanks Chris :D

We need more smilies on here :p

Matt

DirectAdmin Support
11-04-2003, 11:50 PM
Hi guys :)

Just to let you know that I've figured out CA Root Certificates, so we can all get rid of that darn SSL popup window in our browsers :D

http://www.directadmin.com/features.php?id=198

just add:
carootcert=/path/to/carootcert

in your directadmin.conf (if you use ssl)

John

thoroughfare
11-05-2003, 09:48 AM
Sorry I'm not clear on what a CA root cert is - does this only apply for people who have purchased a proper cert? Or is this for anyone who uses a self-signed cert for DA?

Cheers,
M :D

DirectAdmin Support
11-05-2003, 12:39 PM
Hello,

Yes, it only applies for valid purchased certificates. It's the additional certificate that works with the regular cert to convince a browser that the site is legit, thus preventing the certificate popup window when accessing an https site for the first time.

John

thoroughfare
11-06-2003, 10:01 AM
Hi John,

When DA uses a secure cert for the control panel interface, is it picky about the key used?

Just because I've gotten my cert to work fine with normal http addresses, but when I use it with DA it comes up 'error loading key'.

I was wondering if this is because my key is encrypted. When I restart httpd, it asks for my passphrase. I was thinking maybe DA is trying to use the key but can't because of the encryption.

Any ideas?

Thanks :)
Matt

DirectAdmin Support
11-06-2003, 12:25 PM
As long as the key/cert pair are valid, just make sure that DA has read permissions on them. They both have to be readable by user "diradmin". If you've pointed the path to your apache key/certs, then you might have to either set it world readable, or set the group (or owner even) on the cert to diradmin. (apache uses root, so it won't care). If you're using the cert/key in the conf directory, then it's probably just a simple "chown diradmin:diradmin keyfile; chmod 600 keyfile" issue.

John

thoroughfare
11-06-2003, 01:00 PM
Hi,

I've tried using copies of the key and crt in the DA conf directory, and I've tried pointing the directadmin.conf path to the main server cert and key files under the /etc/httpd/conf/ssl.*/ directories.

In both cases I chowned them to DA and set chmod 600.

Still not working. :(

Matt

DirectAdmin Support
11-06-2003, 04:08 PM
Ok, just make sure that the paths that lead down to the cert and key are all at least chmod 711, if in doubt, you can just test it with:

chmod -R 755 /etc/httpd

that might open it up more than you need to, but it will guarantee the permissions will work. :) Then just secure it back up after you know it works.

John

thoroughfare
11-06-2003, 04:15 PM
What permissions should I change it back to once I've sorted it?

Cheers,
Matt

DirectAdmin Support
11-07-2003, 11:07 AM
I think the only file you *need* to lock back up is your key, so
/etc/httpd/conf/ssl.key/server.key
should be only readable by root and diradmin

John
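
The two answers above add up to a checklist that is easy to get wrong: every directory leading to the key needs at least 711 for the panel user, the key itself must be readable by diradmin, and it must not stay world-readable, which "chmod -R 755 /etc/httpd" makes it until it is locked back down. The script below is an added example, not part of this thread or of DirectAdmin. It works from mode bits, so it can be run as root to predict what a given user (diradmin here) could do without switching to that user. It assumes GNU stat (BSD stat as a fallback), no ACLs, and paths without spaces; root, which bypasses mode bits, is not modelled.

```sh
#!/bin/sh
# Added example, not part of the thread or of DirectAdmin: check from mode
# bits whether a given user (diradmin in the thread) could open a private
# key. Encodes the two rules from the thread: every directory on the path
# needs the search (execute) bit for that user, i.e. at least 711 when the
# user is neither owner nor group member; and the key must be readable by
# that user but not by the world. Assumes GNU or BSD stat, no ACLs.

# stat_mog <path>: print "<octal mode> <owner> <group>"
stat_mog() {
  stat -c '%a %U %G' "$1" 2>/dev/null || stat -f '%Lp %Su %Sg' "$1"
}

# has_bit <mode> <owner> <group> <user> <usergroup> <bit>
# bit is 4 (read) or 1 (execute/search). True if <user> gets that bit
# through the class that applies to it: owner, else group, else other.
has_bit() {
  hb_mode=$(printf '%03d' "$1")
  hb_pre=${hb_mode%???}
  hb_mode=${hb_mode#"$hb_pre"}          # keep the last three octal digits
  hb_u=${hb_mode%??}; hb_g=${hb_mode#?}; hb_g=${hb_g%?}; hb_o=${hb_mode#??}
  if [ "$2" = "$4" ]; then hb_d=$hb_u
  elif [ "$3" = "$5" ]; then hb_d=$hb_g
  else hb_d=$hb_o
  fi
  [ $(( hb_d & $6 )) -ne 0 ]
}

# key_access <keyfile> <user> <group>
# Checks every directory from / down to the key, then the key itself.
# Returns 1 (and says why) at the first thing <user> cannot pass,
# 2 if the key is readable but also world-readable, 0 when it is right.
key_access() {
  [ -e "$1" ] || { echo "no such file: $1"; return 1; }
  ka_key=$(cd "$(dirname "$1")" && pwd -P)/$(basename "$1")
  ka_user=$2 ka_group=$3
  ka_dir=$ka_key
  while [ "$ka_dir" != / ]; do
    ka_dir=$(dirname "$ka_dir")
    set -- $(stat_mog "$ka_dir")
    if ! has_bit "$1" "$2" "$3" "$ka_user" "$ka_group" 1; then
      echo "FAIL: $ka_user cannot search $ka_dir (mode $1, $2:$3); needs at least 711"
      return 1
    fi
  done
  set -- $(stat_mog "$ka_key")
  if ! has_bit "$1" "$2" "$3" "$ka_user" "$ka_group" 4; then
    echo "FAIL: $ka_user cannot read $ka_key (mode $1, $2:$3)"
    return 1
  fi
  if has_bit "$1" "$2" "$3" '' '' 4; then      # "other" class only
    echo "WARN: $ka_key is world-readable (mode $1); chmod 600 or 640 it"
    return 2
  fi
  echo "OK: $ka_user can read $ka_key and it is not world-readable"
  return 0
}

# usage: sh keyperm.sh /etc/httpd/conf/ssl.key/server.key [user] [group]
if [ $# -ge 1 ]; then
  key_access "$1" "${2:-diradmin}" "${3:-diradmin}"
fi
```

Run it against the key path from directadmin.conf after each chmod/chown; the message tells you which component is blocking diradmin, and the WARN case is the state "chmod -R 755" leaves you in.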

thoroughfare
11-07-2003, 03:01 PM
Still not working :confused:

Matt

ProHS
01-25-2004, 02:13 PM
If I set my cert I bought from GeoTrust to the cp, would they have to access it by my domain which is www.prohs.com, or would they get a security popup if they didn't access it by my domain name?

DirectAdmin Support
01-25-2004, 02:57 PM
Hello,

They'd need to access it through the value that's in the certificate. (www.prohs.com). It would still be secure if they didn't, but they'd get the popup. You also might need to set the CA Root Certificate in your directadmin.conf file if you want to completely get rid of the popup:

carootcert=/path/to/carootcert

John

ProHS
01-25-2004, 09:14 PM
Now I am getting a popup again when I am not on www.prohs.com on the control panel and I have the CA Root Certification set up. It was working, hmm.

DirectAdmin Support
01-26-2004, 10:43 AM
Hello,

I'm not getting a popup for https://www.prohs.com:2222 ... maybe close all browsers before trying it again. And if something *was* working, then it probably doesn't need fixing ;)

John

ProHS
01-26-2004, 10:48 AM
Originally posted by DirectAdmin Support
Hello,

I'm not getting a popup for https://www.prohs.com:2222 ... maybe close all browsers before trying it again. And if something *was* working, then it probably doesn't need fixing ;)

John

No, I mean when accessing it from another domain, sub-domain or the IP address. I have the CA Root Certification set up so it should not pop up, right?

DirectAdmin Support
01-26-2004, 10:49 AM
Hello,

A certificate is only valid on the domain you bought it for. Ie: www.prohs.com. You will always get a popup on sub.prohs.com with a standard certificate.

John

ProHS
01-26-2004, 10:58 AM
Originally posted by DirectAdmin Support
Hello,

A certificate is only valid on the domain you bought it for. Ie: www.prohs.com. You will always get a popup on sub.prohs.com with a standard certificate.

John

Oh, OK, I thought you said if I enable CA Root certification it would work on any domain or sub-domain, but thank you.

Webcart
01-28-2004, 10:34 PM
Originally posted by DirectAdmin Support
Hello,

They'd need to access it through the value that's in the certificate. (www.prohs.com). It would still be secure if the didn't, but they'd get the popup. You also might need to set the CA Root Certificate in your directadmin.conf file if you want to completely get rid of the popup:

carootcert=/path/to/carootcert

John

Could you please provide step-by-step instructions on what should be done to use DirectAdmin through SSL?

So far, I have a Thawte certificate installed on the server and it works fine. I also managed to get DA working with self-signed certificates, but after copying the server.crt and server.key files to /usr/local/directadmin/conf and changing "apachecert" and "apachekey" it won't start.

ProHS
01-28-2004, 10:40 PM
They did give step by step instructions on the first page of this thread. If you still did not get it please tell us what you have done so far.

Webcart
01-28-2004, 11:02 PM
So far, I did

# openssl req -new -x509 -keyout /usr/local/directadmin/conf/cakey.pem.tmp \
-out /usr/local/directadmin/conf/cacert.pem
# openssl rsa -in /usr/local/directadmin/conf/cakey.pem.tmp \
-out /usr/local/directadmin/conf/cakey.pem
# rm /usr/local/directadmin/conf/cakey.pem.tmp
# chown diradmin:diradmin /usr/local/directadmin/conf/cakey.pem
# chmod 400 /usr/local/directadmin/conf/cakey.pem

# /usr/local/etc/rc.d/directadmin restart
Stopping DirectAdmin: [ OK ]
Starting DirectAdmin: [ OK ]



and got a pop up with the warning.
I then copied the files /etc/httpd/conf/ssl.crt/server.crt and /etc/httpd/conf/ssl.key/server.key to /usr/local/directadmin/conf and changed ownership/permissions:


# chown diradmin:diradmin server.crt
# chown diradmin:diradmin server.key
# chmod 400 server.crt server.key


and modified /usr/local/directadmin/conf/directadmin.conf accordingly:

apachecert=/usr/local/directadmin/conf/server.crt
apachekey=/usr/local/directadmin/conf/server.key

I still get the same popup window with 3 yellow triangles. When I click View Certificate, it shows me exactly the same info, it looks like setting apachecert and apachekey was completely ignored.

I then tried to comment out the following lines:
cacert=/usr/local/directadmin/conf/cacert.pem
cakey=/usr/local/directadmin/conf/cakey.pem

and this is when DA refused to start.

Maybe I need to set 'CA Root Certificate', but I don't know where to get one. The only files I have are server.crt and server.key and Apache is fine with that.

ProHS
01-28-2004, 11:58 PM
Did you buy a valid certificate from GeoTrust or someone like them?

ProWebUK
01-29-2004, 07:40 AM
For now switch SSL=0 then restart DA, if you want PM me the info you are using for cert:

2-Letter Country Code:
State / Country:
City:
Company:
Organisation:
Common name: (www.domain.com)

I will generate the RSA key and cert then PM it to you (if you are looking for self signed) ;)

Chris

Webcart
01-29-2004, 11:11 AM
Thank you for your replies, but I am not looking for self signed certificate, as a matter of fact, self signed cert is already installed as shown above. Otherwise, I wouldn't get the popup window at all ;)

I have Thawte certificate, which is already installed and works with Apache. All I want is to have it working with DA too, but it seems to be ignored even though it's specified in apachecert and apachekey.

Webcart
01-29-2004, 11:13 AM
Originally posted by ProHS
Did you buy a vaild certification from GeoTrust or someone like them?

That's right. It's from Thawte (http://www.thawte.com/).

DirectAdmin Support
01-29-2004, 11:23 AM
Hello,

Just some general guidelines for getting DA to work with SSL:

1) ensure that the paths in the directadmin.conf are correct.
2) ensure that the certificates are readable by the "diradmin" user. So basically chown it to "diradmin:diradmin" and make sure the permissions are correct.
3) set SSL=1 in the directadmin.conf
4) if you have a CA Root certificate to add on top of your key and cert, then just do so with the following setting in the directadmin.conf:

carootcert=/path/to/caroot.cert

For many certificates, the CA Root Cert is required to validate the cert/key pair to get rid of the popup. (gets rid of the top yellow triangle: "The security certificate was issued by a company you have not chosen to trust... etc.")

5) Then restart DA: service directadmin restart, and be sure to use https://domain.com:2222 when accessing the panel. You may need to make adjustments to your welcome emails.

John
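
To make the carootcert point and the earlier name-mismatch point concrete: the following is an added example, not DirectAdmin's code or anything from the thread. It builds a throw-away root -> intermediate -> leaf chain for www.prohs.com (the "Example" CAs are invented) and checks it the way a browser does. Trusting only the root, the leaf is rejected until the intermediate, the file the thread calls the CA root certificate, is presented alongside it; with the full chain, sub.prohs.com is still rejected because the certificate simply does not name it, and no server-side setting changes that. Requires OpenSSL 1.1.1 or newer; nothing is sent over the network.

```sh
#!/bin/sh
# Added example, not DirectAdmin's code: a throw-away PKI that reproduces
# the two browser warnings discussed in the thread, using openssl as the
# "browser". Names (www.prohs.com, the Example CAs) are stand-ins.
# Requires OpenSSL 1.1.1 or newer. Nothing touches the network.
#
#  1. "issued by a company you have not chosen to trust": the client has
#     the root, but the panel's certificate was signed by an intermediate
#     the server never sent. Serving that intermediate (what the thread's
#     carootcert setting points at) fixes it.
#  2. name mismatch: the certificate is for www.prohs.com only, so
#     sub.prohs.com or the bare IP warns no matter what the server sends.

# make_demo_pki <dir>: root CA -> intermediate CA -> leaf for www.prohs.com
make_demo_pki() {
  dir=$1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.prohs.com\n' > "$dir/leaf.ext"

  # self-signed root (extensions come from -extfile, not openssl.cnf)
  openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Example Root CA' \
    -keyout "$dir/root.key" -out "$dir/root.csr" 2>/dev/null
  openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -days 2 \
    -extfile "$dir/ca.ext" -out "$dir/root.pem" 2>/dev/null
  # intermediate, signed by the root
  openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Example Intermediate CA' \
    -keyout "$dir/int.key" -out "$dir/int.csr" 2>/dev/null
  openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
    -CAcreateserial -days 2 -extfile "$dir/ca.ext" -out "$dir/int.pem" 2>/dev/null
  # leaf for the panel, signed by the intermediate
  openssl req -new -newkey rsa:2048 -nodes -subj '/CN=www.prohs.com' \
    -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/int.pem" -CAkey "$dir/int.key" \
    -CAcreateserial -days 2 -extfile "$dir/leaf.ext" -out "$dir/leaf.pem" 2>/dev/null
}

# verify_leaf <dir> [chainfile]: what a client that trusts only root.pem
# concludes about leaf.pem, with or without the intermediate presented.
verify_leaf() {
  if [ -n "${2:-}" ]; then
    openssl verify -no-CApath -no-CAfile -CAfile "$1/root.pem" -untrusted "$2" "$1/leaf.pem"
  else
    openssl verify -no-CApath -no-CAfile -CAfile "$1/root.pem" "$1/leaf.pem"
  fi
}

# verify_host <dir> <hostname>: full chain plus the name check a browser
# performs against the host part of the URL it was given.
verify_host() {
  openssl verify -no-CApath -no-CAfile -CAfile "$1/root.pem" -untrusted "$1/int.pem" \
    -verify_hostname "$2" "$1/leaf.pem"
}

# usage: sh chain_demo.sh /tmp/pkidemo
if [ $# -ge 1 ]; then
  mkdir -p "$1" && make_demo_pki "$1"
  echo '--- trusting the root only, intermediate not served:'
  verify_leaf "$1"
  echo '--- intermediate served alongside the leaf:'
  verify_leaf "$1" "$1/int.pem"
  echo '--- name check, www.prohs.com then sub.prohs.com:'
  verify_host "$1" www.prohs.com
  verify_host "$1" sub.prohs.com
fi
```

The first verify fails with "unable to get local issuer certificate", which is the openssl wording for the browser's top yellow triangle; the last fails with a hostname mismatch. The same checks can be run against a live panel by saving the output of openssl s_client -connect host:2222 -showcerts and feeding the leaf and the rest of the chain to openssl verify in the same way.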

Webcart
01-29-2004, 11:54 AM
It seems to always go with
cacert=/usr/local/directadmin/conf/cacert.pem
and cakey=/usr/local/directadmin/conf/cakey.pem

which were generated according to http://www.directadmin.com/installguide.html and are self signed.

Commercial cert specified in apachecert and apachekey is completely ignored.
Removing cacert and cakey shuts DA down.

Help?

ProWebUK
01-29-2004, 12:11 PM
You don't use the key and crt files by DirectAdmin... open up

cacert.pem, enter:


-----BEGIN CERTIFICATE-----
.
.
.
.
.
-----END CERTIFICATE-----


cakey.pem, enter:


-----BEGIN RSA PRIVATE KEY-----
.
.
.
.
.
-----END RSA PRIVATE KEY-----



the example shown is for generating these using openssl (enter your own if you want)

Chris

DirectAdmin Support
01-30-2004, 11:03 AM
Hello,

apachecert and apachekey are used for the virtualhost directives for Apache's httpd.conf files.. not DA. Only the cacert and cakey values actually have any merit for SSL connections with DA. You can change the path of the cacert and cakey to match the apache ones if you want, they should also be valid certificates.

John

Webcart
01-30-2004, 04:14 PM
Originally posted by DirectAdmin Support
Hello,

apachecert and apachekey are used for the virtualhost directives for apaches httpd.conf files.. not DA. Only the cacert and cakey values actually have any merit for SSL connections with DA. You can change the path of the cacert and cakey to match the apache ones if you want, they should also be valid certificates.

John

Thank you for your reply.
I guess the cacert and cakey names were a bit confusing for me, I didn't realize that those define the cert used by the DA control panel.

I still have a question, though:
Should the cert pair defined for the Apache virtualhost directives (apachecert and apachekey) be readable by diradmin, or is it just a text string that is copied into the httpd.conf file?

For example, if the directadmin.conf file contains the following:

apachecert=/etc/httpd/conf/ssl.crt/server.crt
apachekey=/etc/httpd/conf/ssl.key/server.key
cacert=/usr/local/directadmin/conf/cacert.pem
cakey=/usr/local/directadmin/conf/cakey.pem


is it OK to have /usr/local/directadmin/conf/cacert.pem and /usr/local/directadmin/conf/cakey.pem readable by diradmin, but /etc/httpd/conf/ssl.crt/server.crt and /etc/httpd/conf/ssl.key/server.key to be only readable by root?

DirectAdmin Support
01-31-2004, 10:01 PM
Hello,

The permission can be whatever you want as long as the cert/keys for directadmin are readable by "diradmin" and the apache cert/key are readable by "root".

John

Webcart
01-31-2004, 10:02 PM
Originally posted by DirectAdmin Support
Hello,

The permission can be whatever you want as long as the cert/keys for directadmin are readable by "diradmin" and the apache cert/key are readable by "root".

John

Ok, that makes sense. Thank you.

rldev
06-10-2004, 12:37 PM
Couldn't DA be set up so that SSL access goes through the main server domain? If a user can access their cp via the main server domain, why couldn't SSL be added for this? This is how I did it in cPanel.

ProWebUK
06-10-2004, 12:44 PM
delete the index files in /var/www/html and insert your own index there... the hostname and the system IP should open that page (which can be a login form, or a redirect to da)

Chris

jw00dy
01-12-2005, 05:24 AM
I know this thread is old, but this pertains I think...

Is there a way to get the self-signed cert generated with the process in the 2nd post of this thread to last longer than 1 month? For some reason it only shows for 1 month. The HTTP ones it creates are for 1 year??

jmstacey
01-12-2005, 09:18 PM
You should be able to set the default number of days in the openssl configuration file.
I think its: /etc/ssl/openssl.cnf

jw00dy
01-12-2005, 09:35 PM
Thanks, that's not the exact location for CentOS, but that's what I needed to find the file. So thanks.

Looks like the default_days = 365, but the default_crl_days = 30

I'm guessing this is what's making it only last 30 days...

Thanks again. If that doesn't work, I'll let you know.

jw00dy
01-12-2005, 09:51 PM
I had to recreate the cert, but it WORKED!!! Thank you jmstacey
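
Three practical points are scattered across the thread: the install-guide command sequence Webcart posted, the passphrase-protected key that stopped DA loading thoroughfare's cert, and the one-month lifetime jw00dy hit. On the last one, openssl req -x509 and openssl x509 -req both default to 30 days whenever -days is omitted; the default_days value in openssl.cnf is read by openssl ca, and default_crl_days governs CRLs, not certificates. The script below is an added example, not the install guide's or DirectAdmin's own, that generates the panel certificate with all three handled: the key is written without a passphrase (-nodes, so no encrypted .tmp key to strip), validity is passed explicitly, the certificate names both the hostname and the IP so https://IP:2222 matches too, and the files end up owned by the panel user with the key at mode 600. It then switches directadmin.conf to SSL=1 pointing at cacert/cakey, the two keys that matter for port 2222 (apachecert/apachekey are what DA writes into Apache's virtualhosts). Assumed: OpenSSL 1.1.1 or newer and the directadmin.conf keys as used in this thread; www.example.com and 192.0.2.10 are placeholders.

```sh
#!/bin/sh
# Added example, not DirectAdmin's or the install guide's script. Makes a
# self-signed certificate for the port-2222 listener that avoids the
# problems reported in the thread: unencrypted key, explicit validity
# (openssl defaults to 30 days without -days), hostname AND IP in the
# subjectAltName, panel-user ownership with the key at mode 600.
# Assumes OpenSSL 1.1.1+ and the directadmin.conf keys SSL, cacert, cakey.

# gen_da_cert <dir> <hostname> <ip> [days] [owner:group]
# Writes <dir>/cacert.pem and <dir>/cakey.pem (the install guide's names).
# With [days] empty, OpenSSL's own 30-day default applies.
gen_da_cert() {
  dir=$1 host=$2 ip=$3 days=${4:-} owner=${5:-diradmin:diradmin}
  if [ -n "$days" ]; then days_opt="-days $days"; else days_opt=""; fi
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s,IP:%s\n' "$host" "$ip" > "$dir/da.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$host" \
    -keyout "$dir/cakey.pem" -out "$dir/da.csr" 2>/dev/null       # -nodes: no passphrase
  openssl x509 -req -in "$dir/da.csr" -signkey "$dir/cakey.pem" $days_opt \
    -extfile "$dir/da.ext" -out "$dir/cacert.pem" 2>/dev/null
  rm -f "$dir/da.csr" "$dir/da.ext"
  chown "$owner" "$dir/cacert.pem" "$dir/cakey.pem"
  chmod 644 "$dir/cacert.pem"
  chmod 600 "$dir/cakey.pem"          # readable by the panel user only
}

# cert_outlives <cert> <seconds>: true if the cert is still valid that far ahead
cert_outlives() {
  openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# cert_names_ok <cert> <hostname> <ip>: would a client that pins this
# self-signed cert accept it both by name and by IP?
cert_names_ok() {
  openssl verify -no-CApath -no-CAfile -CAfile "$1" -verify_hostname "$2" "$1" >/dev/null 2>&1 &&
    openssl verify -no-CApath -no-CAfile -CAfile "$1" -verify_ip "$3" "$1" >/dev/null 2>&1
}

# file_mode <path>: octal permission bits (GNU stat, BSD fallback)
file_mode() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# enable_da_ssl <directadmin.conf> <cert> <key>: set SSL=1 and point DA at
# the pair. Existing SSL=, cacert= and cakey= lines are replaced; every
# other line (apachecert, apachekey, port, ...) is left alone.
enable_da_ssl() {
  conf=$1
  { grep -v -e '^SSL=' -e '^cacert=' -e '^cakey=' "$conf" || :; } > "$conf.tmp"
  printf 'SSL=1\ncacert=%s\ncakey=%s\n' "$2" "$3" >> "$conf.tmp"
  mv "$conf.tmp" "$conf"
}

# da_conf_get <directadmin.conf> <key>: print the value of a key=value line
da_conf_get() { sed -n "s/^$2=//p" "$1"; }

# usage: sh da_ssl.sh <hostname> <ip> [/usr/local/directadmin/conf]
if [ $# -ge 2 ]; then
  confdir=${3:-/usr/local/directadmin/conf}
  gen_da_cert "$confdir" "$1" "$2" 365
  enable_da_ssl "$confdir/directadmin.conf" "$confdir/cacert.pem" "$confdir/cakey.pem"
  echo "now: service directadmin restart, then open https://$1:2222/"
fi
```

A self-signed certificate still produces the browser warning John describes; what the script removes is the surprise expiry, the passphrase prompt, the name mismatch on the IP and the permission errors in /var/log/directadmin/error.log.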