Solved [Bug but have workaround] API http protocol is not working after requesting certificate when ssl=1

MaXi32

Verified User
Joined
Jul 25, 2016
Messages
461
Location
The Earth
So here is the problem: after we have requested an SSL certificate, we cannot use http anymore (we must use https). If I try to use http, I get the following error:

Code:
<script>location.protocol = "https:";</script></html>

For scripting, the reason why I use http (not https) is that DirectAdmin recommends using non-SSL in this documentation (see the bold part): https://www.directadmin.com/api.php

" ... DirectAdmin Uses port 2222 which may or may not be secure (SSL). The default is not, so if you need to chose one, chose non SSL. .."

The second reason for using http is, as you probably understand, that after installation DirectAdmin does not automatically request an SSL certificate for the host domain (server.test.com) for us. If we try to use the API with https on a host server without SSL (server.test.com), we will still get an error.

I consider this might be 99% a bug in the API, because DirectAdmin should not force https when http is available to use. Even this documentation says so here: https://www.directadmin.com/features.php?id=1022

"... since the API usually isn't worried about valid certificates."

For your information, I don't even have this setting enabled (and even if I had it, DirectAdmin said this won't affect the API call):

Code:
force_hostname=server.test.com

@smtalk

Now, I'm not sure whether I have to write a script that checks if the host domain is SSL-ready and then uses https, or else uses http. Or do I need to wait for the bug to be fixed? Thanks

Is there any environment variable that DirectAdmin stores to tell that the host domain is https-ready?
 

MaXi32

I disabled ssl=1 after requesting the SSL certificate and it works. I think this issue might come from this change in v1.60+: https://www.directadmin.com/features.php?id=3008. So, the temporary workaround is to disable SSL (ssl=0) in order to use the API with the http protocol. (I will reconfirm this; I have now hit the rate limit and cannot test another certificate request.)
 

MaXi32

I want to confirm this. After a certificate for the host domain test.server.com has been requested, the ssl option in directadmin.conf must be disabled (ssl=0) to use the http protocol in the API. This should not happen, so I had to write an extra function in my script that dynamically chooses whether to use http or https (based on whether SSL is available for the site) to avoid the error (I have done this).


EDIT (WORKAROUND):

So, when ssl=1, DirectAdmin automatically forces https for connections, including the API. So if you still need ssl=1 and you are working with scripts, you might be facing a similar problem. You can do a check like this using curl (I provide a workaround for bash; it can be applied to PHP as well because it uses a universal curl method):


Code:
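#!/bin/bash

hostname="test.server.com"
# In case your hostname redirects to another URL, resolve the final hostname first.
final_hostname=$(timeout 3 curl -s -L -I -o /dev/null -w '%{url_effective}' "${hostname}" | awk -F'[/:]' '{print $4}')

# Keep curl's verbose lines from "* Server certificate:" onward and look for the line
# reporting successful verification (the exact wording depends on curl's TLS backend).
status=$(curl --cert-status -s -v -o /dev/null "https://${final_hostname}" 2>&1 | awk 'BEGIN { cert=0 } /^\* Server certificate:/ { cert=1 } /^\*/ { if (cert) print }' | grep -F "*  SSL certificate verify ok.")

# Use https only when the certificate verified; otherwise fall back to http.
if [ -n "${status}" ]; then
  ssl_protocol="https"
else
  ssl_protocol="http"
fi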

Now you can use the variable ${ssl_protocol} in your API call
 

lordlex

Verified User
Joined
Aug 17, 2008
Messages
43
Location
Romania
Hi. Not sure why your thread has had no reaction from DA or any other user... but I think it's essentially wrong not to use https for any page where you send credentials and confidential information.

First, that is not an error, but JavaScript code that should redirect a browser to use https instead of http. A script usually doesn't know how to run such a script, and will just drop an error or, like in your case, will just print the DA output.

The documentation you are pointing to is old, so don't take those recommendations for granted. IMO a server that has just been installed and has no SSL for the hostname and DA yet is not a production system ready to get API calls.
If your scripts complain about a non-valid SSL certificate on the API endpoint, then you can just give cURL the location of the root certificate, or you can just tell it to skip the SSL validation. I point this out because I'm not sure why you don't want to use https for your API calls, but many others do it because of this problem.

Also, setting ssl=0 in directadmin.conf could be a bad idea... not sure if DA will renew that certificate you requested and you could end up with an expired certificate, and anyway, running the DA interface over http is a bad idea for obvious reasons...

Regards,
Dan
 

MaXi32

"First, that is not an error, but JavaScript code that should redirect a browser to use https instead of http. A script usually doesn't know how to run such a script, and will just drop an error or, like in your case, will just print the DA output."

Yes, I knew that it is a JavaScript redirection. However, the DirectAdmin API returns an exit code of 1 when it displays this 'error message'. So this is actually an unclear error message from the DirectAdmin API. For example, if you create a domain with the API with the option ssl=1, but it doesn't have a valid SSL certificate, then you will end up with an error code status of 1 and the domain will not be created.

"I'm not sure why you don't want to use https for your API calls, but many others do it because of this problem."

One reason is that I'm doing an automated DirectAdmin installation that creates a server from scratch (installs the OS via Debian preseed), installs DirectAdmin with custom options, creates all usernames, domains, security options, and more until I get live websites .... and this is all done in one run from onescript.sh WITHOUT INTERACTION. So, during this automated installation, DirectAdmin is installed without SSL by default and I must use non-HTTPS for the API temporarily until the automation script has requested the SSL certificate automatically. Currently, the workaround that I posted above is 99% working to detect whether DirectAdmin is accessible via SSL or not.

I actually have sent a ticket regarding this issue and they replied:

"After enabling SSL for directadmin it is expected that it requires SSL. So if you want to have a plain text protocol, you need to disable it."

Meaning when I put ssl=1, DirectAdmin will automatically redirect the host to use HTTPS even though I don't want to.

"running DA interface over http is a bad idea for obvious reasons..."

Yes, using HTTP is a bad idea; I only run this script on localhost. The script that I created blocks all other ports during installation, and once it has requested a host certificate, it uses https. So it only uses http for a while and will use https from then on.
 
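Added example, not part of the thread and not DirectAdmin's own code: a stricter variant of the scheme check discussed above. It relies on curl's exit code instead of parsing verbose output, accepts an optional root certificate (the `--cacert` route lordlex mentions) rather than skipping validation, recognises the redirect stub quoted in the first post, and allows the plaintext fallback only for loopback targets. The function names and the `DA_CACERT` variable are hypothetical; port 2222 is the one named in the quoted documentation.

```bash
#!/bin/bash
# Added example, not from the thread. Function names and DA_CACERT are hypothetical.

# True if the body is the HTTPS redirect stub quoted in the first post.
is_https_redirect_stub() {
  case "$1" in
    *'location.protocol = "https:"'*) return 0 ;;
    *) return 1 ;;
  esac
}

# True only for loopback targets, where a temporary plaintext call stays on the box.
is_loopback() {
  case "$1" in
    localhost|127.0.0.1|::1|'[::1]') return 0 ;;
    *) return 1 ;;
  esac
}

# choose_scheme HOST HTTPS_EXIT_CODE HTTP_BODY -> prints "https" or "http", or fails.
choose_scheme() {
  local host="$1" https_rc="$2" http_body="$3"
  if [ "$https_rc" -eq 0 ]; then
    echo "https"                      # verified TLS works: always prefer it
  elif is_https_redirect_stub "$http_body"; then
    echo "error: ${host} forces HTTPS but the HTTPS probe failed" >&2
    return 1                          # http would only return the stub: no downgrade
  elif is_loopback "$host"; then
    echo "http"                       # bootstrap phase, local only
  else
    echo "error: refusing plaintext API call to non-loopback host ${host}" >&2
    return 1
  fi
}

# Network wrapper: curl exits 0 only if the TLS handshake, including certificate
# verification, succeeded (no -k here; DA_CACERT optionally names a root certificate).
probe_scheme() {
  local host="$1" port="${2:-2222}" rc=0 body=""
  curl -sS -o /dev/null --max-time 5 ${DA_CACERT:+--cacert "$DA_CACERT"} \
    "https://${host}:${port}/" 2>/dev/null || rc=$?
  [ "$rc" -eq 0 ] || body=$(curl -s --max-time 5 "http://${host}:${port}/" 2>/dev/null) || true
  choose_scheme "$host" "$rc" "$body"
}

# Offline demo on a constructed response body (no network needed):
choose_scheme 127.0.0.1 60 '<html>constructed login page</html>'   # prints: http
```

In a provisioning script, `ssl_protocol=$(probe_scheme "$hostname") || exit 1` stops the run instead of silently downgrading when the host forces HTTPS but its certificate cannot be verified.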