DA SSL or not???

Daskew (Verified User; joined May 25, 2006; 80 messages; Clitheroe, UK)
Hi all,
So I run a hosting company which uses DA. Now I have SSL set up on the company's website so I could tell people to log in to DA using:

https://www.companyaddress.com:2222

This logs them in no problem as I have a valid certificate. However, when I get more than 1 server I cannot give them my company's site to log in to their control panel as that won't be on their server. If I want to keep SSL enabled it will report a browser warning to the visitor saying the shared certificate doesn't match the address, as they now have to visit their site using either:
https://www.theirwebsite.com:2222
or
https://xxx.xxx.xxx.xxx:2222 (xxx = their server's IP)

The problem is that I get a lot of customers complaining about errors, and the way the new Firefox 3 reports it, it looks like an error so they don't realise they have to add an exception.

So I was wondering what other people do with multiple servers? And would it be that much of a problem to just disable DA on SSL or is this a huge security risk?

I have a login system set up on the website which, if they enter their domain name, username and password, will log them into their control panel no matter which server they are on. However, the problem remains that their URL doesn't have a cert, so they will receive errors.

Advice please?
 
The way we handle it is to use subdomains for the server addresses. That way people can access their server via the correct subdomain. For example:

https://login.companyaddress.com:2222 would be one server.
https://login2.companyaddress.com:2222 would be a second server, and so on.

You can use a single wildcard certificate to cover all of your subdomains, or purchase a new certificate for each server.
 
Hi Thanks for your reply.

How do I set up something like that? Would it simply be a CNAME record in my main DNS server which points the subdomain to the IP of each server?

Also how would I be able to get my login form on the website to be able to direct the user to the correct server?

I'm also still interested in knowing how other people deal with this problem.

Thanks again for your reply.
 
The easiest way is to add the subdomain at the user level. When you add a new server, use DA's multi server feature. Add a new domain at the user level of your new server that is a subdomain of your site. It will create the record for you on the first server. Here's an example:

You have a server with companyaddress.com on it. You create a subdomain on that server called login.companyaddress.com and set up the SSL login to automatically forward to it (this feature is included in DA).

You add a new server. Set up the multi server option. Add login2.companyaddress.com as a new domain at the user level. The DNS zone file will be sent to the first server. Use login2.companyaddress.com as your SSL login.

There is no easy way to link to the correct login area when you have multiple servers (that I know of).
 
Hi,
Thanks very much again for your reply.

Just a thought, this poses another small problem. I have a billing system which sets up the accounts through DA's API once payment is made.

In the email that is automatically generated I cannot tell it to specify the subdomain their control panel would be located on. I can specify their IP address just not subdomain.

Any ideas around this?

One other question too if you don't mind....
What is the point of linking multiple DA servers together? What does it do?

Thank you again for your help.
 
Dave,

You can get around this by adding a line to the /usr/local/directadmin/conf/directadmin.conf file:

ssl_redirect_host=login.companyaddress.com

This will automatically redirect anyone using the IP address to the proper login area. Here's DA's page about this feature.

Out of curiosity, what billing software are you using?

The DA multi server function sends DNS zone updates to the servers you add whenever a zone is updated. It's useful if you only have one or two DNS servers.
 
Hi Littleoak,

I had a reply from DA support and John suggested I use two ports: 2222 not encrypted and 2223 SSL.

So this way people use un-encrypted by default and, if they want to, they can use SSL and add an exception for the invalid SSL certificate.

This way my login form on the website will also work for customers on any server.

I'm using AWBS billing software. It needs a lot of customising but is very powerful and works a treat for creating, suspending accounts etc...

The site is at ApexHosting.co.uk if you fancy a peek, let me know what you think.
 
AWBS should allow you to customize the email that is sent out to new customers.

Also I have found the easiest way to have multiple servers is to make the hostname of each a subdomain of my main domain and then simply add an A record in DNS management. Adding an actual subdomain in DA is not needed since the subdomain is not being hosted on the same server. It clutters up the server with unnecessary files and configurations.

If you want SSL on each without the error then you need a wildcard ssl cert or a ssl cert for each server.
 
Hi Floyd,
Thanks for your reply.

AWBS does allow you to customise the emails however there is no way to tell it to send a different login depending on which server it sets the account up on.

As the welcome email needs to contain the login URL for the control panel, and I can specify their domain:2222 in the welcome email, I felt setting up the secure and non-secure ports would be more appropriate.

What does linking the servers together do though in DA?
 
Floyd said:
If you want SSL on each without the error then you need a wildcard ssl cert or a ssl cert for each server.
Actually even with a wildcard you'd still need to purchase a Certificate for each server; Secure Certificates are only licensed for an individual server. I'd buy a separate Certificate for each server.
Daskew said:
What does linking the servers together do though in DA?
littleoak already responded; it allows duplication of DNS entries across servers. It's really not necessary if you just create A records for each subdomain in the main domain's zone file. Which is how we do it.

Jeff
 
To be honest I'm getting confused now, but from what I can gather most people are saying to buy an SSL certificate for each server, then anyone's domain name will be secure when accessing the control panel if I set up an A record for something like:

https://login.theirdomain.com

Have I got that right?

If so, which certificate should I be buying? Couldn't this get very expensive renewing them all if I have several servers?

Thanks again for the help.
 
Daskew said:
SSL certificate for each server then anyone's domain name will be secure when accessing the control panel

NO. The cert will only work for the domain for which it was purchased. Certs are issued to domains not servers.

If you want to use https://login.theirdomain.com then a cert has to be purchased for login.theirdomain.com. That cert will only work for that domain and not any other domain that happens to be on the same server.

And you are not really securing a domain. The https encrypts the transmission. The cert verifies that the domain is who it says it is. It's really 2 different things.
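As an added example (not code from this thread or from DirectAdmin), here is the hostname-matching check a browser performs before showing the "certificate doesn't match the address" warning discussed above, run against the wildcard certificate suggested earlier in the thread. The certificate name list, the IP 198.51.100.7 and a.b.companyaddress.com are constructed for illustration.

```python
# Added example: simplified RFC 6125-style hostname matching, i.e. the
# test that decides whether a browser accepts a certificate for the
# address in the URL bar.  Certificate names below are constructed.
import ipaddress


def hostname_matches(cert_names, host: str) -> bool:
    """Return True if `host` is covered by one of the certificate's DNS
    names (CN or subjectAltName).  An IP literal in the URL never matches
    a DNS name, which is why https://x.x.x.x:2222 always warns."""
    host = host.lower().rstrip(".")
    try:
        ipaddress.ip_address(host)
        return False            # IP address in the URL: no DNS name can match
    except ValueError:
        pass
    host_labels = host.split(".")
    for name in cert_names:
        labels = name.lower().rstrip(".").split(".")
        if len(labels) != len(host_labels):
            continue            # a wildcard covers exactly one label, not deeper levels
        if "*" in labels[1:] or (labels[0] == "*" and len(labels) < 3):
            continue            # wildcard only in the leftmost label, and never "*.com"
        if all(p == "*" or p == l for p, l in zip(labels, host_labels)):
            return True
    return False


# Constructed certificate: the single wildcard cert proposed in the thread.
WILDCARD_CERT = ["*.companyaddress.com", "companyaddress.com"]


def check_login_urls(cert_names=WILDCARD_CERT):
    """Which control-panel hostnames from the thread a browser would accept
    without a warning when the server presents `cert_names`."""
    hosts = [
        "login.companyaddress.com",    # first server (matches the wildcard)
        "login2.companyaddress.com",   # second server (matches the wildcard)
        "www.theirwebsite.com",        # customer's own domain: different zone
        "198.51.100.7",                # constructed IP stand-in for xxx.xxx.xxx.xxx
        "a.b.companyaddress.com",      # two labels deep: outside the wildcard
    ]
    return {h: hostname_matches(cert_names, h) for h in hosts}
```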
 
SSL certificates are inexpensive if you purchase them through the proper means.
This used to be true. It's getting less true almost daily.

Remember when Verisign bought out GeoTrust? At that time I tried to renegotiate our agreement with them for guaranteed pricing for RapidSSL at my then current level for at least several years (at the time we had a multi-year written contract in place with them, soon to expire; written contracts then offered much better pricing than web-based contracts).

They refused, and we canceled our contract. Then they tried to get us to reconsider, and we refused. At that time they told me they'd leave my pricing in place even without the written contract and without our agreement to sell their product exclusively.

They did, for a while, but they've since raised their prices considerably, as have Comodo (and InstantSSL). Also GoDaddy.

Even the ModernDNS (ModernBill eNom account) has doubled their pricing for both Comodo and GeoTrust Certificates.

Hopefully we'll be able to hold our pricing ($45.00 for our co-branded RapidSSL certificate, installed on your server to run with DirectAdmin as littleoak has mentioned); perhaps even offer a lower price for a while as a special.

But there's a lot of (misguided in my opinion) pressure on Certificate Authorities to stop selling low-priced Certificates, all in the name of keeping it hard for phishers to use them. Why do I call this misguided? Because I've never seen a phishing site rely on a Certificate; they generally rely on the fact that most users don't look for the "https".

Comments, anyone?

Jeff
 
Nowhere did I write what I was paying; I only wrote what I was selling for :).

I've sent you an email as well.

And let me clarify, I never wrote anything about what eNom is charging if you have a direct account with them. If you have or are willing to get an eNom account (not free unless you put up a deposit) you can do better. But eNom people cannot guarantee how long they can hold the prices they now charge. They can only say that it's the current price.

Jeff
 
It turns out Jeff is way ahead of me. He also opened my eyes to the pricing increase that Verisign is pushing for. It looks as though $50+ certificates (direct, without any markup) will be the norm soon.
 