thoroughfare
Verified User
- Joined
- Aug 11, 2003
- Messages
- 575
Still not working 
Matt
Matt
SSL control panel logins
- Thread starter ProWebUK
- Start date
ProHS
Verified User
If i set my cert i bought from GeoTrust to the cp would they have to access it by my domain which is www.prohs.com or would they get a security popup if they didn't access it by my domain name?
- Joined
- Feb 27, 2003
- Messages
- 9,158
Hello,
They'd need to access it through the value that's in the certificate. (www.prohs.com). It would still be secure if the didn't, but they'd get the popup. You also might need to set the CA Root Certificate in your directadmin.conf file if you want to completely get rid of the popup:
carootcert=/path/to/carootcert
John
They'd need to access it through the value that's in the certificate. (www.prohs.com). It would still be secure if the didn't, but they'd get the popup. You also might need to set the CA Root Certificate in your directadmin.conf file if you want to completely get rid of the popup:
carootcert=/path/to/carootcert
John
ProHS
Verified User
Now i am getting a popup again when i am not on www.prohs.com on the control panel and i have the CA Root Certification setup. It was working, hmm.
- Joined
- Feb 27, 2003
- Messages
- 9,158
Hello,
I'm not getting a popup for https://www.prohs.com:2222 ... maybe close all browsers before trying it again. And if something *was* working, then it probably doesn't need fixing
John
I'm not getting a popup for https://www.prohs.com:2222 ... maybe close all browsers before trying it again. And if something *was* working, then it probably doesn't need fixing
John
ProHS
Verified User
DirectAdmin Support said:Hello,
I'm not getting a popup for https://www.prohs.com:2222 ... maybe close all browsers before trying it again. And if something *was* working, then it probably doesn't need fixing
John
No i mean when accessing it from another domain, sub-domain or the ip address. I have the CA Root Certification setup so it should not popup right?
- Joined
- Feb 27, 2003
- Messages
- 9,158
Hello,
A certificate is only valid on the domain you bought it for. Ie: www.prohs.com. You will always get a popup on sub.prohs.com with a standard certificate.
John
A certificate is only valid on the domain you bought it for. Ie: www.prohs.com. You will always get a popup on sub.prohs.com with a standard certificate.
John
ProHS
Verified User
DirectAdmin Support said:
Oh ok i thought you said if i enable CA Root certification it would work on any domain or sub-domain but thank you.
DirectAdmin Support said:
Could you please provide step-by-step instructions on what should be done to use DirectAdmin through SSL?
So far, I have Thawte certificate installed on the server and it works fine, I also managed to get DA working with self signed certificates, but after copying server.crt and server.key files to /usr/local/directadmin/conf and changing "apachecert" and "apachekey" it wont start.
ProHS
Verified User
They did give step by step instructions on the first page of this thread. If you still did not get it please tell us what you have done so far.
So far, I did
and got a pop up with the warning.
I then copied the files /etc/httpd/conf/ssl.crt/server.crt and /etc/httpd/conf/ssl.key/server.key to /usr/local/directadmin/conf and changed ownership/permissions:
and modified /usr/local/directadmin/conf/directadmin.conf accordingly:
apachecert=/usr/local/directadmin/conf/server.crt
apachekey=/usr/local/directadmin/conf/server.key
I still get the same popup window with 3 yellow triangles. When I click View Certificate, it shows me exactly the same info, it looks like setting apachecert and apachekey was completely ignored.
I then tried to comment out the following lines:
cacert=/usr/local/directadmin/conf/cacert.pem
cakey=/usr/local/directadmin/conf/cakey.pem
and this is when DA refused to start.
May be I need to set 'CA Root Certificate', but I don't know where to get one. The only files I have are server.crt and server.key and Apache is fine with that.
and got a pop up with the warning.
I then copied the files /etc/httpd/conf/ssl.crt/server.crt and /etc/httpd/conf/ssl.key/server.key to /usr/local/directadmin/conf and changed ownership/permissions:
and modified /usr/local/directadmin/conf/directadmin.conf accordingly:
apachecert=/usr/local/directadmin/conf/server.crt
apachekey=/usr/local/directadmin/conf/server.key
I still get the same popup window with 3 yellow triangles. When I click View Certificate, it shows me exactly the same info, it looks like setting apachecert and apachekey was completely ignored.
I then tried to comment out the following lines:
cacert=/usr/local/directadmin/conf/cacert.pem
cakey=/usr/local/directadmin/conf/cakey.pem
and this is when DA refused to start.
May be I need to set 'CA Root Certificate', but I don't know where to get one. The only files I have are server.crt and server.key and Apache is fine with that.
Last edited:
ProHS
Verified User
Did you buy a vaild certification from GeoTrust or someone like them?
For now switch SSL=0 then restart DA, if you want PM me the info you are using for cert:
2-Letter Country Code:
State / Country:
City:
Company:
Organisation:
Common name: (www.domain.com)
I will generate the RSA key and cert then PM it to you (if you are loooking for self signed)
Chris
2-Letter Country Code:
State / Country:
City:
Company:
Organisation:
Common name: (www.domain.com)
I will generate the RSA key and cert then PM it to you (if you are loooking for self signed)
Chris
Thank you for your replies, but I am not looking for self signed certificate, as a matter of fact, self signed cert is already installed as shown above. Otherwise, I wouldn't get the popup window at all
I have Thawte certificate, which is already installed and works with Apache. All I want is to have it working with DA too, but it seems to be ignored even though it's specified in apachecert and apachekey.
I have Thawte certificate, which is already installed and works with Apache. All I want is to have it working with DA too, but it seems to be ignored even though it's specified in apachecert and apachekey.
- Joined
- Feb 27, 2003
- Messages
- 9,158
Hello,
Just some general guidelines for getting DA to work with SSL:
1) ensure that the paths in the directadmin.conf are correct.
2) ensure that the certificates are readable by the "diradmin" user. So basically chown it to "diradmin:diradmin" and make sure the persmissions are correct.
3) set SSL=1 in the directadmin.conf
4) if you have a CA Root certificate to add ontop of your key and cert, then just do so with the following setting in the directadmin.conf:
carootcert=/path/to/caroot.cert
For many certificates, the CA Root Cert is required to validate the cert/key pair to get rid of the popup. (gets rid of the top yellow triangle: "The security certificate was issued by a company you have not chosen to trust... etc.")
5) Then restart da:
and be sure to use https://domain.com:2222 when accessing the panel. You may need to make adjustments to your welcome emails.
John
Just some general guidelines for getting DA to work with SSL:
1) ensure that the paths in the directadmin.conf are correct.
2) ensure that the certificates are readable by the "diradmin" user. So basically chown it to "diradmin:diradmin" and make sure the persmissions are correct.
3) set SSL=1 in the directadmin.conf
4) if you have a CA Root certificate to add ontop of your key and cert, then just do so with the following setting in the directadmin.conf:
carootcert=/path/to/caroot.cert
For many certificates, the CA Root Cert is required to validate the cert/key pair to get rid of the popup. (gets rid of the top yellow triangle: "The security certificate was issued by a company you have not chosen to trust... etc.")
5) Then restart da:
Code:
service directadmin restartJohn
It seems to always go with
cacert=/usr/local/directadmin/conf/cacert.pem
and cakey=/usr/local/directadmin/conf/cakey.pem
which were generated according to http://www.directadmin.com/installguide.html and are self signed.
Commercial cert specified in apachecert and apachekey is completely ignored.
Removing cacert and cakey shuts DA admin down.
Help?
cacert=/usr/local/directadmin/conf/cacert.pem
and cakey=/usr/local/directadmin/conf/cakey.pem
which were generated according to http://www.directadmin.com/installguide.html and are self signed.
Commercial cert specified in apachecert and apachekey is completely ignored.
Removing cacert and cakey shuts DA admin down.
Help?
You dont use the key and crt files by directadmin... open up
cacert.pem, enter:
cakey.pem, enter:
the example shown is for generating these using openssl (enter your own if you want)
Chris
cacert.pem, enter:
Code:
-----BEGIN CERTIFICATE-----
.
.
.
.
.
-----END CERTIFICATE-----cakey.pem, enter:
Code:
-----BEGIN RSA PRIVATE KEY-----
.
.
.
.
.
-----END RSA PRIVATE KEY-----the example shown is for generating these using openssl (enter your own if you want)
Chris
- Joined
- Feb 27, 2003
- Messages
- 9,158
Hello,
apachecert and apachekey are used for the virtualhost directives for apaches httpd.conf files.. not DA. Only the cacert and cakey values actually have any merit for SSL connections with DA. You can change the path of the cacert and cakey to match the apache ones if you want, they should also be valid certificates.
John
apachecert and apachekey are used for the virtualhost directives for apaches httpd.conf files.. not DA. Only the cacert and cakey values actually have any merit for SSL connections with DA. You can change the path of the cacert and cakey to match the apache ones if you want, they should also be valid certificates.
John
DirectAdmin Support said:
Thank you for your reply.
I guess cacert and caykey names were a bit confusing for me, I didn't realize that those define cert used by DA control panel.
I still have a question, though:
Should be cert pair defined for apache virtualhost directives (apachecert and apachekey) be readable by diradmin or it's just a text string that is being copied to httpd.conf file?
For example, if diradmin.conf file contains the following:
is it OK to have /usr/local/directadmin/conf/cacert.pem and /usr/local/directadmin/conf/cakey.pem readable by diradmin, but /etc/httpd/conf/ssl.crt/server.crt and /etc/httpd/conf/ssl.key/server.key to be only readable by root?