HOW TO: Install GoDaddy SSL Certificates Successfully in Direct Admin

ZATZAi

Verified User
Joined
Dec 13, 2005
Messages
17
I've been perusing the forums here for years, as a user and occasional commentator. There have been a number of great contributions from various people over the years, and I've found a number of them to be quite helpful. It's time for me to give one back myself, one area that is sorely lacking is a good SSL Certificate installation guide for Direct Admin, particularly for GoDaddy. The official guide is wholefully lacking, I spent hours figuring out and then writing how to make it work, I hope some of you fine this guide useful if your banging your head on the desk trying to get your GoDaddy certs to install on DA.

This is not a definitive guide, nor is it likely to be the "correct" way to do it. But I will tell you this, they way explained in the Site Helper guide alone does not work. Yes for good measure you should start with that guide, and I will repeat much of it here, but I will go beyond that guide. Note, my system runs CentOS 4.x (I know I should upgrade already) and the latest version of Direct Admin with Apache 2.x (Hopefully it works fine on other OSes just as well).

What you need:

  • Chrome works best
  • A text editor
  • root access
  • Filezilla

Step One:

Buy a Standard SSL Certificate from GoDaddy (Or an EV Certificate, but then you'll have to prove your a real business in a real place, and I can't help you there). These steps may work for other providers just as well, but it was written specifically for GoDaddy (Why? Because I use GoDaddy).

Go into your account and click on the SSL Certificates link on the left, then you will come to a page with a little highlighted section in the middle that says you have 1 or more vouchers (Or something akin to that). Click on it and then when the page refreshes, click the green continue button on the right (If you see an option to buy more SSL certificates, ignore it). Your new certificate should now show up in the middle of the page (Though it may take a refresh or two

Step Two:

Click on the certificate link for the certificate you wish to manage, a new window will open up. Your, as yet to be supplied certificate should be under the folder labeled credits, click on request certificate next to it.

Step Three:

Open Direct Admin and login to the user account that controls the domain you want to set up the SSL certificate for, getting down to the user level. Go to SSL Certificates on the bottom left. In the SSL Certificates menu, check the second radio dial and then Create a Certificate Request in the same row. Enter your info like so...

2 Letter Country Code: US
State/Province: CA
City: Los Angeles
Company: Gizmo Inc
Company Division: Adminstration
Common Name: domain.com
Key Size (bits): 2048

Note that the common name should be whatever url visitors most often use to visit the site. If that includes a www. put it in there, if not, leave it out. Unless you purchased an SSL Certificated that covers wildecard domains, it will only cover whatever you put in, either with the www. or without, but not both. Also, GoDaddy will most likely want a Key Size of 2048, but check what they say (Its what they wanted from me), it's in nice red text on the GoDaddy page. Don't touch the big text field below if you have any.

Step Four:

Click the Save button further down and you'll get a new page that has a big block of text that looks like this (And no this is not my code but just garbage text). Now copy this block of text, including the -----BEGIN and the REQUEST------ lines at the top and bottom and paste them into the GoDaddy page. Make sure the third option on the GoDaddy radio dial is checked, the one that says Third Party, or Dedicated Server or Virtual Dedicated Server, without Simple Control Panel and I'd go ahead and choose Go Daddy as your certificate provider[/b] and unless you know otherwise choose No for the [/b]Intel vPro[/b] prompt.

Code:
-----BEGIN CERTIFICATE REQUEST-----
SDJHSDMCMSKCKSCMCLSLCLSADPSMSSMCSDLKSDLCMSDLSDMCLSDMCLSCSMLSCLSD
UEWJDSJKDSIWEDKDSLSDOSDKFGLSFDLSDPOSDLADSMVCVMNFSDWEWRJKFDOSKDSA
SDJHSDMCMSKCKSCMCLSLCLSADPSMSSMCSDLKSDLCMSDLSDMCLSDMCLSCSMLSCLSD
EWHJFIFDNSDASMVCBVJFOWJMDODSJWEMFDFDFDMCDSOW<SDLDSOJRTMFVFDOEWKW
UEWJDSJKDSIWEDKDSLSDOSDKFGLSFDLSDPOSDLADSMVCVMNFSDWEWRJKFDOSKDSA
SDJHSDMCMSKCKSCMCLSLCLSADPSMSSMCSDLKSDLCMSDLSDMCLSDMCLSCSMLSCLSD
UEWJDSJKDSIWEDKDSLSDOSDKFGLSFDLSDPOSDLADSMVCVMNFSDWEWRJKFDOSKDSA
SDJHSDMCMSKCKSCMCLSLCLSADPSMSSMCSDLKSDLCMSDLSDMCLSDMCLSCSMLSCLSD
EWHJFIFDNSDASMVCBVJFOWJMDODSJWEMFDFDFDMCDSOW<SDLDSOJRTMFVFDOEWKW
SDJHSDMCMSKCKSCMCLSLCLSADPSMSSMCSDLKSDLCMSDLSDMCLSDMCLSCSMLSCLSD
UEWJDSJKDSIWEDKDSLSDOSDKFGLSFDLSDPOSDLADSMVCVMNFSDWEWRJKFDOSKDSA
SDJHSDMCMSKCKSCMCLSLCLSADPSMSSMCSDLKSDLCMSDLSDMCLSDMCLSCSMLSCLSD
UEWJDSJKDSIWEDKDSLSDOSDKFGLSFDLSDPOSDLADSMVCVMNFSDWEWRJKFDOSKDSA
SDJHSDMCMSKCKSCMCLSLCLSADPSMSSMCSDLKSDLCMSDLSDMCLSDMCLSCSMLSCLSD
EWHJFIFDNSDASMVCBVJFOWJMDODSJWEMFDFDFDMCDSOW<SDLDSOJRTMFVFDOEWKW
UEWJDSJKDSIWEDKDSLSDOSDKFGLSFDLSDPOSDLADSMVCVMNFSDWEWRJKFDOSKDSA
SDvHSDMCM+2D
-----END CERTIFICATE REQUEST-----

Now make sure there are no extra lines that made it in from the copy and paste, then click Next. On the following page, make sure all the information is correct and if it is, click Next. Then finally click Finished. Once this is done you'll be returned to the Secure Certificate Services page (The one with the folders), your newly issued certificate will be in a folder on the left labelled certificates where you will have to download it and then install it to your server.

What, did you think GoDaddy would send it to your server where your server would install it yourself, like this was some sort of magically sysatem of networked thinking machines working together towards a common cooperative goal?!

Step Five:

Click on the certificates folder and you'll see your certificate, it'll list the domain, the date it expires, its' current states and what type of SSL certificate it is. Click the radio dial next to it, and then the big green arrow above it to download the zip file. When the download pop up comes on screen, sigh at the lack of a Direct Admin option (Hence the need for this guide), and choose other from the list and click Download.

Save the ZIP file somewhere accessible that you wont lose it, you're going to need it momentarily. For now though, we're done with GoDaddy, so you can go ahead and log out, and close out the window.

Step Six:

Now we need to harken back to those Site Helper instructions (Even though they don't seem to work), just to be throughough. In Direct Admin, go down to the user level for the domain you want to install the certificate to, then on the bottom left click on the SSL Certificates link. You should be back at the SSL Certificates page from before (If you were already here, or near here from before then you just saved yourself a few steps).

This time you need to check the third radio dial, the one that says Paste a pre-generated certificate and key. Now before you go and do anything you need to understand something. This field should have content in it already, and it should look like this.

Code:
-----BEGIN RSA PRIVATE KEY-----
SDJHSDMCMSKCKSCMCLSLCLSADPSMSSMCSDLKSDLCMSDLSDMCLSDMCLSCSMLSCLSD
UEWJDSJKDSIWEDKDSLSDOSDKFGLSFDLSDPOSDLADSMVCVMNFSDWEWRJKFDOSKDSA
SDJHSDMCMSKCKSCMCLSLCLSADPSMSSMCSDLKSDLCMSDLSDMCLSDMCLSCSMLSCLSD
EWHJFIFDNSDASMVCBVJFOWJMDODSJWEMFDFDFDMCDSOW<SDLDSOJRTMFVFDOEWKW
UEWJDSJKDSIWEDKDSLSDOSDKFGLSFDLSDPOSDLADSMVCVMNFSDWEWRJKFDOSKDSA
SDJHSDMCMSKCKSCMCLSLCLSADPSMSSMCSDLKSDLCMSDLSDMCLSDMCLSCSMLSCLSD
UEWJDSJKDSIWEDKDSLSDOSDKFGLSFDLSDPOSDLADSMVCVMNFSDWEWRJKFDOSKDSA
SDJHSDMCMSKCKSCMCLSLCLSADPSMSSMCSDLKSDLCMSDLSDMCLSDMCLSCSMLSCLSD
EWHJFIFDNSDASMVCBVJFOWJMDODSJWEMFDFDFDMCDSOW<SDLDSOJRTMFVFDOEWKW
UEWJDSJKDSIWEDKDSLSDOSDKFGLSFDLSDPOSDLADSMVCVMNFSDWEWRJKFDOSKDSA
SDJHSDMCMSKCKSCMCLSLCLSADPSMSSMCSDLKSDLCMSDLSDMCLSDMCLSCSMLSCLSD
UEWJDSJKDSIWEDKDSLSDOSDKFGLSFDLSDPOSDLADSMVCVMNFSDWEWRJKFDOSKDSA
SDJHSDMCMSKCKSCMCLSLCLSADPSMSSMCSDLKSDLCMSDLSDMCLSDMCLSCSMLSCLSD
EWHJFIFDNSDASMVCBVJFOWJMDODSJWEMFDFDFDMCDSOW<SDLDSOJRTMFVFDOEWKW
UEWJDSJKDSIWEDKDSLSDOSDKFGLSFDLSDPOSDLADSMVCVMNFSDWEWRJKFDOSKDSA
SDJHSDMCMSKCKSCMCLSLCLSADPSMSSMCSDLKSDLCMSDLSDMCLSDMCLSCSMLSCLSD
UEWJDSJKDSIWEDKDSLSDOSDKFGLSFDLSDPOSDLADSMVCVMNFSDWEWRJKFDOSKDSA
SDJHSDMCMSKCKSCMCLSLCLSADPSMSSMCSDLKSDLCMSDLSDMCLSDMCLSCSMLSCLSD
EWHJFIFDNSDASMVCBVJFOWJMDODSJWEMFDFDFDMCDSOW<SDLDSOJRTMFVFDOEWKW
UEWJDSJKDSIWEDKDSLSDOSDKFGLSFDLSDPOSDLADSMVCVMNFSDWEWRJKFDOSKDSA
SDJHSDMCMSKCKSCMCLSLCLSADPSMSSMCSDLKSDLCMSDLSDMCLSDMCLSCSMLSCLSD
UEWJDSJKDSIWEDKDSLSDOSDKFGLSFDLSDPOSDLADSMVCVMNFSDWEWRJKFDOSKDSA
SDJHSDMCMSKCKSCMCLSLCLSADPSMSSMCSDLKSDLCMSDLSDMCLSDMCLSCSMLSCLSD
EWHJFIFDNSDASMVCBVJFOWJMDODSJWEMFDFDFDMCDSOW<SDLDSOJRTMFVFDOEWKW
UEWJDSJKDSIWEDKDSLSDOSDKFGLSFDLSDPOSDLADSMVCVMNFSDWEWRJKFDOSKDSA
SDJHSDMCMSKCKSCMCLSLCLSADPSMSSMCSDLKSDLCMSDLSDMCLSDMCLSCSMLSCLSD
UEWJDSJKDSIWEDKDSLSDOSDKFGLSFDLSDPOSDLADSMVCVMNFSDWEWRJKFDOSKDSA
SDJHSDMCMSKCKSCMCLSLCLSADPSMSSMCSDLKSDLCMSDLSDMCLSDMCLSCSMLSCLSD
EWHJFIFDNSDASMVCBVJFOWJMDODSJWEMFDFDFDMCDSOW<SDLDSOJRTMFVFDOEWKW
UEWJDSJKDSIWEDKDSLSDOSDKFGLSFDLSDPOSDLADSM
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
SDJHSDMCMSKCKSCMCLSLCLSADPSMSSMCSDLKSDLCMSDLSDMCLSDMCLSCSMLSCLSD
UEWJDSJKDSIWEDKDSLSDOSDKFGLSFDLSDPOSDLADSMVCVMNFSDWEWRJKFDOSKDSA
SDJHSDMCMSKCKSCMCLSLCLSADPSMSSMCSDLKSDLCMSDLSDMCLSDMCLSCSMLSCLSD
EWHJFIFDNSDASMVCBVJFOWJMDODSJWEMFDFDFDMCDSOW<SDLDSOJRTMFVFDOEWKW
UEWJDSJKDSIWEDKDSLSDOSDKFGLSFDLSDPOSDLADSMVCVMNFSDWEWRJKFDOSKDSA
SDJHSDMCMSKCKSCMCLSLCLSADPSMSSMCSDLKSDLCMSDLSDMCLSDMCLSCSMLSCLSD
UEWJDSJKDSIWEDKDSLSDOSDKFGLSFDLSDPOSDLADSMVCVMNFSDWEWRJKFDOSKDSA
SDJHSDMCMSKCKSCMCLSLCLSADPSMSSMCSDLKSDLCMSDLSDMCLSDMCLSCSMLSCLSD
EWHJFIFDNSDASMVCBVJFOWJMDODSJWEMFDFDFDMCDSOW<SDLDSOJRTMFVFDOEWKW
UEWJDSJKDSIWEDKDSLSDOSDKFGLSFDLSDPOSDLADSMVCVMNFSDWEWRJKFDOSKDSA
SDJHSDMCMSKCKSCMCLSLCLSADPSMSSMCSDLKSDLCMSDLSDMCLSDMCLSCSMLSCLSD
UEWJDSJKDSIWEDKDSLSDOSDKFGLSFDLSDPOSDLADSMVCVMNFSDWEWRJKFDOSKDSA
SDJHSDMCMSKCKSCMCLSLCLSADPSMSSMCSDLKSDLCMSDLSDMCLSDMCLSCSMLSCLSD
EWHJFIFDNSDASMVCBVJFOWJMDODSJWEMFDFDFDMCDSOW<SDLDSOJRTMFVFDOEWKW
UEWJDSJKDSIWEDKDSLSDOSDKFGLSFDLSDPOSDLADSMVCVMNFSDWEWRJKFDOSKDSA
SDJHSDMCMSKCKSCMCLSLCLSADPSMSSMCSDLKSDLCMSDLSDMCLSDMCLSCSMLSCLSD
UEWJDSJKDSIWEDKDSLSDOSDKFGLSFDLSDPOSDLADSMVCVMNFSDWEWRJKFDOSKDSA
SDJHSDMCMSKCKSCMCLSLCLSADPSMSSMCSDLKSDLCMSDLSDMCLSDMCLSCSMLSCLSD
EWHJFIFDNSDASMVCBVJFOWJMDODSJWEMFDFDFDMCDSOW<SDLDSOJRTMFVFDOEWKW
UEWJDSJKDSIWEDKDSLSDOSDKFGLSFDLSDPOSDLADS=
-----END CERTIFICATE-----

Notice how the content is divided into two blocks of code, one of them is labelled BEGIN RSA PRIVATE KEY on top. It's very important you leave this part intact. You only want to replace the second, lower piece of content with your SSL certificate. Now, with your UTF-8 compliant text editor of choice (Such as Komodo or perhaps Notepad in a pinch), unzip the GoDaddy zip file and open the domain.com.crt file and copy and past its' contents replacings the secons block of text in the Direct Admin field.

Again, be careful to replace only the second block of text, and leave the first block intact. Once done, click Save, you should get a message saying Certificate Key Saved. Go back and then click Here where it says Click here to paste a CA Root Certificate.

You'll find an empty field and a single checkbox that reads Use a CA Cert., check it, then open the gd_bundle.crt file in your text editor and copy and paste all of its contents into the empty field and click save. You should get a message that says Success if you did this correctly.

Step Seven:

Back out to the admin level of Direct Admin and take a look down under Extra Features, hopefully like me you have a handy dandy little feature called Custom HTTPD Configurations. What this feature does is show you the custom httpd.conf files that Direct Admin creates that makes it difficult to configure SSL certificates for Direct Admin. Normally with Apacher you would install the certificate somewhere and write a reference into httpd.conf, but since Direct Admin uses its own httpd.conf for each user and updates them dynamically, they'd get overwritten who knows how often. So rather than write into the Direct Admin httpd.conf files, what we're going to do is use the Custom HTTPD Configurations memu to see what files Direct Admin is references for its SSL Certificates, then rename the ones we got from GoDaddy to match that, and replace the files currently on the server with those. This is what we'll need Filezilla with root access for (Filezilla is capable of Secure File Transfer Protocal or FTP over SSH).

So find Filezilla on Google, download and install it, open it up. Enter your server IP into your Host field, your username into the username field, the password into the password field, and port 22 into the port field, then click quick connect. Once your connected with whatever account you use to initially use to login to your server, you can right click on the top portion of Filezilla that has all the text scrolling by and choose enter custom command, to /su over to root.

Now turn your attention back over to Direct Admin and the Custom HTTPD Configurations, click on the link and then the domain in question. Look through the Contents of the httpd.conf for these lines...

Code:
	SSLCertificateFile /usr/local/directadmin/data/users/username/domains/domain.com.cert
	SSLCertificateKeyFile /usr/local/directadmin/data/users/username/domains/domain.com.key
	SSLCACertificateFile /usr/local/directadmin/data/users/username/domains/domain.com.cacert

Those are the files you want to replace, specifically the first one, with domain.com.crt and the third with gd_bundle.crt. You'll leave the one in the middle alone. Of course you'll rename the files from GoDaddy to match the files on your server.

Step Eight:

Once again go the main Admin page in your Direct Admin control panel, this time go to the Service Monitor and restart the httpd service. Once this is done you should be up and running, though it's possible it could take a few minutes to take effect, be patient.

...

Questions:

Why won't my site stay on encrypted mode?

Does the software on your site support SSL? Is it programmed to prefer https urls over http?

Why does it say my site is only partially encrytped?

YouTube, Flickr, Tracking APIs, anything not SSL encoded from your server outside will do it

Why does it say this site does not supply ownership information?

Only more expensive EV SSL Certs where people prove they exist etc supply such info

What's the difference between the types of SSL certificates?

Well there's the basic SSL Certs that require almost nothing to get, the EV Certs that you have to prove yours a real business to get. The Wilecard Certs for if you have a lot of sub-domains, and theres even ones for if you have a bunch of primary domains. They all cost loads and loads more than the ones prior of course.

Why is my site so slow?

SSL, because its encrypted, is just slower.

Will this work for other cert providers?

There's a lot of specific instruction about the GoDaddy UI, but the basic idea of what to put where should work with other providers, so it could yah.

Should I get SSL Cert?

SSL is good if you want to run a commerce site, or secure your logins and transactions/communications (Lookup Firesheep to know what I mean by that). You don't haev to get a certificate to do this, you can run SSL without a cert, but if you want other people to use your site they might not be thrilled about the idea of you using an untrusted certificate.

Can you help me install my cert?

If this extensive guide wasn't enough for you, and you still need help, assuming the help you need isn't beyond my ability I'd be willing to talk with ya. I would have to ask a fee of course, but I would be fare about it.

Note, I'll check back here, sporadically, but I'll also be posting this article on my blog on Tuesday at http://zatzai.com. If you have a question for me, it'll be easy for me to keep track if you post a comment there than here, once it goes up, as I don't check this forum every day.
 
Step Seven:

Back out to the admin level of Direct Admin and take a look down under Extra Features, hopefully like me you have a handy dandy little feature called Custom HTTPD Configurations. What this feature does is show you the custom httpd.conf files that Direct Admin creates that makes it difficult to configure SSL certificates for Direct Admin. Normally with Apacher you would install the certificate somewhere and write a reference into httpd.conf, but since Direct Admin uses its own httpd.conf for each user and updates them dynamically, they'd get overwritten who knows how often. So rather than write into the Direct Admin httpd.conf files, what we're going to do is use the Custom HTTPD Configurations memu to see what files Direct Admin is references for its SSL Certificates, then rename the ones we got from GoDaddy to match that, and replace the files currently on the server with those. This is what we'll need Filezilla with root access for (Filezilla is capable of Secure File Transfer Protocal or FTP over SSH).
If you've installed the Certificate and the CA_bundle as you say you have, you shouldn't need to do any of this, because once they're saved by DirectAdmin they're in the location where DirectAdmin expects to find them.

With the one special case exception: if you're installing a Certificate on the server's main site, then the CA_bundle needs to be installed elsewhere; see my post here.

Also see this section of the DirectAdmin Technical Notes; search for SSL on the server's main domain.

Jeff
 
Thanks a lot ZATZAi - it really helped me out.

Note: step 7 and 8 seem to be un-necessary. Check your https connection after step 6 and it should be working.
 
I am sure it is saved somewhere on the server, but you should copy it after you create it and save it somewhere anyways.
 
Thx alot nobaloney you helped me to find the answer after somedays of hard working & getting confused :)

Also see this section of the DirectAdmin Technical Notes; search for SSL on the server's main domain.
 
Back
Top