SSL control panel logins

ProWebUK

After looking at the API,

DirectAdmin Uses port 2222 which may or may not be secure (SSL). The default is not, so if you need to choose one, choose non SSL. Authentication is basic web authentication using base64 encryption of "username:password"

How easy is it to put the logins under SSL?

I would personally prefer logging in under secure space, even if it wasn't with a trusted cert.

Chris
 
Hi Chris,

To enable SSL, edit the directadmin.conf file located at /usr/local/directadmin/conf/directadmin.conf and change the value SSL=0 to SSL=1. You need to make sure you've created the certificates as described at the bottom of the install guide http://www.directadmin.com/installguide.html under "Setup SSL Certificates"

Then restart DirectAdmin:
service directadmin restart

John
 
It hasn't stopped yet!

Every time I ask a new question it makes me want it even more. (and the secrets are still being revealed ;) )

Chris
 
I might add, that at this time, our autoupdate feature will try to connect to DirectAdmin using a regular connection, meaning non-https, so if you have it enabled, your panel will never know that it should go update. You can just keep an eye on the current available version # and click "update" from the licensing screen... that is, until we get the updater to also try https when http fails.

John
 
Hi,

Is it possible to use https://IPADDRESSHERE:2222 to access the control panel using SSL?

When I go to https://IPADDRESSHERE/ I get the 'apache functioning normally' and the SSL cert works fine (although it does show as being registered by the 'Snake Oil Company' oddly enough).

When I try https://IPADDRESSHERE:2222 I get 'error loading certificate' on the page.

I followed your instructions on the installation page to the letter, I've checked over them and tried them again and it's still not working. I also edited directadmin.conf and restarted DA.

Any ideas?

Thanks,
Matt :D
 
Hello,

It should be working. Check the DA error log for possible clues:
/var/log/directadmin/error.log

Generally, it's either incorrect permissions, filenames or certificates.

John
 
Tried it again, and it worked! I think the problem was that when it was asking for details (like organisation, address etc) I'd set most of them to blank. When I tried it again, I filled the fields :)

Thanks! :D

Matt
 
Jason: No... just tried it :D

Matt

P.S. When I get a secure cert from GeoTrust, will it work ok with the DirectAdmin cp too?

Anything particular I need to do to make it work with :2222?

Cheers,
Matt
 
To replace your default cert with a genuine one (from GeoTrust), look for the crt and key files currently used by DA, then replace them with your new ones... should work... make sure you make backups :D

/etc/httpd/conf/ssl.crt/server.crt
/etc/httpd/conf/ssl.key/server.key

Chris
 
Sorry I'm not clear on what a CA root cert is - does this only apply for people who have purchased a proper cert? Or is this for anyone who uses a self-signed cert for DA?

Cheers,
M :D
 
Hello,

Yes, it only applies for valid purchased certificates. It's the additional certificate that works with the regular cert to convince a browser that the site is legit, thus preventing the certificate popup window when accessing an https site for the first time.

John
 
Hi John,

When DA uses a secure cert for the control panel interface, is it picky about the key used?

Just because I've gotten my cert to work fine with normal http addresses, but when I use it with DA it comes up 'error loading key'.

I was wondering if this is because my key is encrypted. When I restart httpd, it asks for my passphrase. I was thinking maybe DA is trying to use the key but can't because of the encryption.

Any ideas?

Thanks :)
Matt
 
As long as the key/cert pair are valid, just make sure that DA has read permissions on them. They both have to be readable by user "diradmin". If you've pointed the path to your apache key/certs, then you might have to either set it world readable, or set the group (or owner even) on the cert to diradmin. (apache uses root, so it won't care). If you're using the cert/key in the conf directory, then it's probably just a simple "chown diradmin:diradmin keyfile; chmod 600 keyfile" issue.

John
 
Hi,

I've tried using copies of the key and crt in the DA conf directory, and I've tried pointing the directadmin.conf path to the main server cert and key files under the /etc/httpd/conf/ssl.*/ directories.

In both cases I chowned them to DA and set chmod 600.

Still not working. :(

Matt
 
Ok, just make sure that the paths that lead down to the cert and key are all at least chmod 711, if in doubt, you can just test it with:

chmod -R 755 /etc/httpd

That might open it up more than you need to, but it will guarantee the permissions will work. :) Then just secure it back up after you know it works.

John
 
I think the only file you *need* to lock back up is your key, so
/etc/httpd/conf/ssl.key/server.key
should be only readable by root and diradmin

John
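
Added example, not from the thread or from DirectAdmin: a read-only check of the three conditions raised in the posts above (every directory down to the key at least o+x, the key itself closed to "others", and whether the key is passphrase-protected as Matt suspects). The function names are hypothetical and the script assumes a `stat` that supports `-c` (GNU or busybox).

```shell
#!/bin/sh
# Added example (not DirectAdmin code): audit the key-file state discussed above.
# Assumes `stat -c`; the path is whatever directadmin.conf points at.

# List every directory between STOP (default /) and FILE that lacks the
# "others" search bit, i.e. is tighter than the 711 John recommends.
# Exit status 1 if any such directory exists, 2 if stat fails.
untraversable_dirs() (
    dir=$(dirname "$1"); stop=${2:-/}; bad=0
    while [ "$dir" != "$stop" ] && [ "$dir" != "/" ] && [ "$dir" != "." ]; do
        mode=$(stat -c '%a' -- "$dir") || return 2
        # Octal mode: the lowest bit is execute/search for "others".
        if [ $(( 0$mode & 1 )) -eq 0 ]; then
            echo "$dir ($mode)"; bad=1
        fi
        dir=$(dirname "$dir")
    done
    return "$bad"
)

# Succeeds when the key grants nothing to "others" (600 owned by diradmin
# and 640 root:diradmin both satisfy this).
key_locked_down() (
    mode=$(stat -c '%a' -- "$1") || return 2
    [ $(( 0$mode & 7 )) -eq 0 ]
)

# Succeeds when the PEM key is passphrase-protected (traditional or PKCS#8
# header). This is the case Matt suspects, since Apache prompts him at start.
key_is_encrypted() {
    grep -Eq '^(Proc-Type: 4,ENCRYPTED|-----BEGIN ENCRYPTED PRIVATE KEY-----)' -- "$1"
}

# Print one line per finding for KEY; exit status is the number of findings.
audit_key() (
    n=0
    dirs=$(untraversable_dirs "$1" "${2:-/}") || { echo "no o+x: $dirs"; n=$((n+1)); }
    key_locked_down "$1" || { echo "key open to others: $1"; n=$((n+1)); }
    key_is_encrypted "$1" && { echo "key is passphrase-protected: $1"; n=$((n+1)); }
    return "$n"
)

# Usage: sh audit.sh /etc/httpd/conf/ssl.key/server.key
if [ "$#" -ge 1 ]; then audit_key "$@"; fi
```

Running this after the temporary `chmod -R 755 /etc/httpd` test shows what still has to be tightened before the key is left in place.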
 