System Shared Certificates

nobaloney

Installing System Shared Secure Certificate on DirectAdmin Mini How-To
Jeff Lasman, [email protected] 07/04/04 23:29
======================================
DirectAdmin will allow you to install a system-wide shared certificate for use by all your users and resellers to log-in, and which users and resellers may also use for their own directories inside a secure server setup, so they can run eCommerce and other secure services without having to purchase their own secure certificate.

We installed this on one server by taking the following steps, which will result in a secure server at, for example, secure.example.com (in all cases below be sure to replace the "example.com" with the name of your domain):

1) Logged in to the DA control panel as admin, we set up a domain in the user control panel, using the main server IP#. We named the domain "secure.example.com".

2) Continuing in the user control panel for that domain, we entered the SSL Certificates area and proceeded to create a Certificate Request (CSR). You may wish to create your own self-signed certificate instead.

If you're using a self-signed certificate, you may skip the following steps concerning ordering and installing a certificate signed by a Certificate Authority, and continue to step 8.

3) When we created the CSR the DA control panel also created a Private Key, which we saved in the event of the unlikely scenario that it would somehow become overwritten. We then logged out of DirectAdmin.

4) We ordered a certificate from a Certificate Authority. Because we're Comodo resellers we ordered an InstantSSL certificate from Comodo. Because Comodo certificates are not recognized by all browsers, Comodo also issues a "CA" (chain) certificate issued for them by GTE Corporation, and recognized by most browsers.

5) When the cert arrived we logged back into the DirectAdmin control panel as admin, and again went to the user control panel, and we again entered the SSL Certificate area. We pasted the certificate that Comodo sent us immediately below the Private Key, clicked on "Paste a pre-generated certificate and key", and then clicked below, the certificate window, on "Save".

If you ordered your Certificate from a vendor that does not issue a "CA" (chain) certificate, you may skip the following steps concerning installing and linking the chain certificate, and continue to step 8.

6) Then we clicked on "Click Here to paste a CA Root Certificate", then on the next screen clicked on "Use a CA Cert" to create a checkmark, and pasted the chain certificate into the Certificate window, and clicked on "Save".

7) Because DirectAdmin doesn't make any changes to the systemwide httpd.conf file (the one found at /etc/httpd/conf/httpd.conf), we made the following changes to that file:

a) In the first secure virtual host container, the one named "<VirtualHost _default_:443>", we searched for the line:

#SSLCACertificateFile /etc/httpd/conf/ssl.crt/ca-bundle.crt

and made sure that all the SSLCACertificate directives were commented out (preceded by a # character). Then underneath the line as shown above, we added the line:

SSLCACertificateFile /usr/local/directadmin/data/users/admin/domains/example.com.cacert

b) In the second secure virtual host container, the one named "<VirtualHost 67.19.117.218:443>", we searched for the line:

SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key

and added immediately below it (without commenting anything out) the line:

SSLCACertificateFile /usr/local/directadmin/data/users/admin/domains/example.com.cacert

8) Then as root, we restarted the httpd server, making sure there were no errors. (Warnings of nonexistent NameVirtualHosts are acceptable.)

9) To enable DirectAdministration logins using the secure server we edited the file /usr/local/directadmin/conf/directadmin.conf as follows:

a) First we edited the line "SSL=0" so it would read "SSL=1" (without the quotes).

b) Second we edited the line beginning with "cacert=" to read the following:

cacert=/etc/httpd/conf/ssl.crt/server.crt

c) Third we edited the line beginning with "cakey=" to read the following:

cakey=/etc/httpd/conf/ssl.key/server.key

d) Fourth, immediately under the line beginning with "cakey=" we added the following line:

carootcert=/usr/local/directadmin/data/users/admin/domains/example.com.cacert

10) To allow the directadmin server to read the key to secure port 2222, we changed the ownership and permissions of the server.crt, the ssl.key directory and the server.key, as follows:

chmod 644 /etc/httpd/conf/ssl.crt/server.crt
chmod 750 /etc/httpd/conf/ssl.key
chgrp diradmin /etc/httpd/conf/ssl.key
chmod 640 /etc/httpd/conf/ssl.key/server.key
chgrp diradmin /etc/httpd/conf/ssl.key/server.key

11) Finally we restarted directadmin:

/etc/rc.d/init.d/directadmin restart
 
Jeff

Thanks for the instructions. I've tried the above but I still get the "snake oil" certificate after installing my Comodo certificate, and making the changes to httpd.conf and directadmin.conf.

regards

Jon
 
Sounds similar to a problem I was having. The ips.conf file has the virtualhost directive in there for the entire server it seems. I commented out the virtualhost in there and now all of my certs are working.

Big Wil
 
Have to ask the silly question.... did you restart the Apache daemon?

Big Wil
 
Still unable to get this server wide certificate to work which is holding up my development of DA as I go around and round in circles.

Even after rebooting, deleting the ssl.key ssl.prm ssl.crt ssl.crl and recreating them with only the server.crt and server.key files, creating a new certificate for the domain I am using to share the server ip with, installing the root certificate, changing paths in httpd.conf and directadmin.conf I still get the snakeoil.dom!!!

What gives!

Jon
 
This is great tutorial - Thank you!

I do have a question though (due to my inexperience :D ). I have set up my website as a RESELLER (e.g. www.mydomain.com) with a dedicated IP other than the host/server IP. Does it make a difference if I set up secure.mydomain.com as the ADMIN with the server/host IP?

From my understanding of your tutorial I believe the following would be correct (for my own situation):

hostserver.mydomain.com - IP #1
secure.mydomain.com - IP #1 (created by ADMIN)
www.mydomain.com - IP #2 (created by RESELLER)

My question is that I would like to have secure.mydomain.com for any https connections to www.mydomain.com. Will this be the case or will secure.mydomain.com/mydomain.com be the end result?

*** Updated Question ***

I found the DA template fix that allows both http and https to point to the public_html directory vs. using both the public_html & private_html directories (GREAT!!!).

Is it possible to set up secure.mydomain.com to point to the same public_html directory as www.mydomain.com *AND* have secure.domain.com be the server's shared SSL for all sites being hosted?

Thank you tremendously for any assistance!
 
Only if they're all in the subdirectory path as mentioned in my previous post to another thread.

Jeff
 
Hi Jeff,

Thank you again for the information. I have read the other thread and have a better idea about how DA handles the shared SSL cert. (For anyone that is interested, the post is HERE).

Take care!

Michael
 
I'm not sure of your question :( .

http://secure.example.com/~username works on one of our servers; I haven't tested it on all.

I recall that at one time DA made some changes to prevent domains from "stealing" bandwidth this way, so I'm not sure if it works on all servers or not.

It requires no linking of any kind.

To use the second example you could set up an ftp account for each user on secure.example.com, with a home page in that directory.

Jeff
 
I have installed the System Shared certificate successfully and used the above information from the postings.

I can now access all my domains using https://... and it shows the correct certificate and not the default one.

Next I have tried to use https:// too for the Directadmin control panel (port 2222). This failed.
The permissions are set right but the restart of the Directadmin fails. It gives the following message in the error log.
......
2006:02:22-21:00:21: error loading certificate
2006:02:22-21:01:01: error loading certificate
2006:02:22-21:01:11: error loading certificate
2006:02:22-21:01:19: error loading certificate


from /usr/local/directadmin/conf/directadmin.conf:
......
SSL=1
cacert=/etc/httpd/conf/ssl.crt/server.crt
cakey=/etc/httpd/conf/ssl.key/server.key
caroot=/usr/local/directadmin/data/users/admin/domains/secure.xxxxxx.nl.cacert
(the xxx = mydomainname)

The permissions and new files (22 Feb):

ssl.crt:
total 448
lrwxrwxrwx 1 root root 19 Feb 13 19:30 0cf14d7d.0 -> snakeoil-ca-dsa.crt
lrwxrwxrwx 1 root root 16 Feb 13 19:30 5d8360e1.0 -> snakeoil-dsa.crt
lrwxrwxrwx 1 root root 10 Feb 13 19:30 82ab5372.0 -> server.crt
lrwxrwxrwx 1 root root 16 Feb 13 19:30 82ab5372.1 -> snakeoil-rsa.crt
-r-------- 1 root root 418567 Feb 12 14:16 ca-bundle.crt
lrwxrwxrwx 1 root root 19 Feb 13 19:30 e52d41d0.0 -> snakeoil-ca-rsa.crt
-rw-r--r-- 1 root root 1522 Feb 12 14:16 Makefile
-rw-r--r-- 1 root root 1386 Feb 12 14:16 README.CRT
-rw-r--r-- 1 root root 1619 Feb 22 20:30 server.crt
-r-------- 1 root root 1176 Feb 13 19:30 server.crt.backup
-r-------- 1 root root 1472 Feb 12 14:16 snakeoil-ca-dsa.crt
-r-------- 1 root root 1192 Feb 12 14:16 snakeoil-ca-rsa.crt
-r-------- 1 root root 1452 Feb 12 14:16 snakeoil-dsa.crt
-r-------- 1 root root 1176 Feb 12 14:16 snakeoil-rsa.crt

ssl.csr:
total 8
-rw-r--r-- 1 root root 926 Feb 12 14:16 README.CSR
-r-------- 1 root root 84 Feb 12 14:16 server.csr

ssl.key:
total 28
-rw-r--r-- 1 root root 1207 Feb 12 14:16 README.KEY
-rw-r----- 1 root diradmin 901 Feb 22 20:30 server.key
-r-------- 1 root root 891 Feb 13 19:30 server.key.backup
-r-------- 1 root root 668 Feb 12 14:16 snakeoil-ca-dsa.key
-r-------- 1 root root 887 Feb 12 14:16 snakeoil-ca-rsa.key
-r-------- 1 root root 668 Feb 12 14:16 snakeoil-dsa.key
-r-------- 1 root root 891 Feb 12 14:16 snakeoil-rsa.key

ssl.prm:
total 12
-rw-r--r-- 1 root root 516 Feb 12 14:16 README.PRM
-r-------- 1 root root 455 Feb 12 14:16 snakeoil-ca-dsa.prm
-r-------- 1 root root 455 Feb 12 14:16 snakeoil-dsa.prm

The effect is that DA does not run anymore, I have to change the "SSL=0" again in the configuration file and restart DA to recover.


Any ideas?
 
Ximmer said:
from /usr/local/directadmin/conf/directadmin.conf:
......
SSL=1
cacert=/etc/httpd/conf/ssl.crt/server.crt
cakey=/etc/httpd/conf/ssl.key/server.key
caroot=/usr/local/directadmin/data/users/admin/domains/secure.xxxxxx.nl.cacert
(the xxx = mydomainname)
It's been a long time since I wrote the How-To and we do it a bit differently now.

We use these paths:
Code:
SSL=1
cacert=/usr/local/directadmin/conf/cacert.pem
cakey=/usr/local/directadmin/conf/cakey.pem
caroot=/usr/local/directadmin/conf/caroot.pem
and we copy the certificate files as shown here:
Code:
cd /etc/httpd/conf/
cp ssl.crt/server.crt /usr/local/directadmin/conf/cacert.pem
cp ssl.key/server.key /usr/local/directadmin/conf/cakey.pem
cp /usr/local/directadmin/data/users/admin/domains/secure.xxxxxx.nl.cacert  /usr/local/directadmin/conf/caroot.pem
cd /usr/local/directadmin/conf
chown root:root cacert.pem
chmod 644 cacert.pem
chown diradmin:diradmin cakey.pem
chmod 400 cakey.pem
chown root:root caroot.pem
chmod 644 caroot.pem

If you'd like, try both the changes above to the directadmin.conf file and then the commands I've posted above. Then restart directadmin and let me know if that works.

If that doesn't work please contact me privately via email (my address is below in my sig) if you'd like me to log into your server to figure it all out.

Please do NOT ever send a server password in an email.

Jeff
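A small audit script to go with step 10 of the How-To and the copy/chmod commands just above (my own added example, not DirectAdmin's code): it parses the directadmin.conf keys named in the thread (SSL, cacert, cakey, caroot), checks that each referenced file carries the expected PEM header (a certificate pasted where the key belongs is a common cause of "error loading certificate"), and flags a cakey that is world-readable, the one mistake the permission steps exist to prevent. The temp files it builds are constructed placeholders, not real certificates or keys.

```python
import os
import stat
import tempfile


def parse_directadmin_conf(text):
    """Parse key=value lines of directadmin.conf; blanks and # comments are skipped."""
    conf = {}
    for line in text.splitlines():
        if "=" in line and not line.lstrip().startswith("#"):
            k, v = line.split("=", 1)
            conf[k.strip()] = v.strip()
    return conf


def audit_ssl_files(conf):
    """Return a list of problems with the SSL file settings from the How-To (empty = sane)."""
    if conf.get("SSL") != "1":
        return ["SSL=1 is not set, so port 2222 will stay plain HTTP"]
    findings = []
    for key, marker in (("cacert", b"BEGIN CERTIFICATE"), ("caroot", b"BEGIN CERTIFICATE"),
                        ("cakey", b"PRIVATE KEY")):
        path = conf.get(key)
        if not path:
            if key != "caroot":  # the chain certificate is optional
                findings.append(f"{key}= is missing")
            continue
        if not os.path.isfile(path):
            findings.append(f"{key}: {path} does not exist")
            continue
        with open(path, "rb") as f:
            head = f.read(80)  # the PEM header is on the first line
        if marker not in head:
            findings.append(f"{key}: {path} lacks the expected PEM header (cert and key swapped?)")
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if key == "cakey" and mode & (stat.S_IROTH | stat.S_IWOTH):
            findings.append(f"{key}: {path} is world-accessible (mode {mode:o}); use 400 or 640")
    return findings


def demo(key_mode=0o644):
    """Audit a constructed config tree in a temp dir; the PEM bodies are placeholders, not real keys."""
    base = tempfile.mkdtemp()
    pems = {"cacert": b"-----BEGIN CERTIFICATE-----\n(constructed)\n-----END CERTIFICATE-----\n",
            "caroot": b"-----BEGIN CERTIFICATE-----\n(constructed)\n-----END CERTIFICATE-----\n",
            "cakey": b"-----BEGIN RSA PRIVATE KEY-----\n(constructed)\n-----END RSA PRIVATE KEY-----\n"}
    for name, body in pems.items():
        with open(os.path.join(base, name + ".pem"), "wb") as f:
            f.write(body)
    os.chmod(os.path.join(base, "cakey.pem"), key_mode)  # 644 reproduces the world-readable mistake
    conf_text = "SSL=1\n" + "".join(f"{k}={base}/{k}.pem\n" for k in pems)
    return audit_ssl_files(parse_directadmin_conf(conf_text))
```

Run it against the real /usr/local/directadmin/conf/directadmin.conf by feeding the file's text to parse_directadmin_conf; ownership by diradmin (chown) is not checked here, only the mode bits.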
 
Great info Jeff!

That does solve the problem.
I do get the https control panel website now even if I start with the normal http on port 2222.
That is good.
Logging in works fine too.

There is an error in the error.log now (I was monitoring this file for errors....)
The IP address affected is the one from which I am logged in. Not the server.

Code:
2006:02:23-19:11:57: Can't connect to ssl!
2006:02:23-19:11:57: ->error ssl
2006:02:23-19:11:58: Didn't find two eols on the header from 82.xxx.xxx.xxx

2006:02:23-19:11:58: Error reading from 82.xxx.xxx.xxx:
 
Years ago when I was in Air Force basic training (in the mid 1960s, btw), whenever one of us had a problem we brought it to our Training Instructor.

Invariably, he'd tell us "Sounds like you've got a personal problem. Tell it to the chaplain."

:)

In this case, ask your browser manufacturer.

Jeff
 
Dumb question. What's the difference in SSL certificates? I realize there is 128 and 256 and whatever. I know that you need to have one recognized by the browsers, but some sites have different ones and they say if you do a lot of volume then buy this one instead of that one etc. Why would that be? What's the diff between $400 at Verisign and $49 or less other places as long as the browsers recognize it?
 
The difference between 128 and 256 is how easily it can be cracked. We probably don't have to worry much about that, and anyway most browsers today don't support 256 so the cert falls back to 128 anyway.

Why do you think they want you to buy a more expensive cert?

Because that way they can make more money.

Really.

There is a warranty, and often the higher priced the cert the greater the warranty.

But keep in mind that the warranty doesn't protect you, or anyone who uses your cert to protect their connection to your site.

The cert only protects a user of a counterfeit site if the browser company with the guarantee issued the cert to the counterfeit site.

Really. again.

As my 8th-grade civics teacher used to say:
"Look that up in your Funk & Wagnalls".

:)

Jeff
 
Got it! So then as far as I'm concerned, the only thing that matters to me is to get a cert that is recognized by all of the common browsers.

Thanks!
 