Directadmin saves SSL cert and key into server's ones with enable_ssl_sni=1

zEitEr

Hello,

Having enabled SNI support:

Code:
[root@shared ssl.crt]# /usr/local/directadmin/directadmin c | grep sni
enable_ssl_sni=1

we've got an issue when saving certs for the admin user (the admin user has several domains on his user level with SSL enabled):

Code:
NOTE: You are using the server IP, so your certificate and key have been saved to:
/etc/httpd/conf/ssl.crt/server.crt
/etc/httpd/conf/ssl.key/server.key


Please check it and fix it. We expect them to be saved into a domain specific location.


P.S. And even though Directadmin saved them into /etc/httpd/conf/ssl.crt/server.crt and /etc/httpd/ssl.key/server.key with nginx_proxy=1, it did not update /etc/nginx/ssl.crt/server.crt and /etc/nginx/conf/ssl.key/server.key

Thus two issues found here.
 
Hello,

Thanks for the reports.

1) By design, if the Admin is on the Server IP, then the account will always save to the server.crt/key files, and not to the domain.
If you need per-domain setups, then either change the Admin IP, or put the domains on a Reseller or User account.
This is to give a means to control the server's shared cert/key pairs.

2) Looking at the code for how we've done it, with the proxy setup Apache and Nginx will both use the Apache cert/key files, and the server.crt/key in /etc/nginx should be ignored.
The bug is that /etc/nginx/nginx-vhosts.conf is still pointing to the nginx server.crt, so we'll need to change that so nginx uses the apache crt/key/caroot in nginx-vhosts.conf.

John
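
A quick check for the second issue discussed above, as an added example that is not part of the thread or DirectAdmin's own code: it lists every `ssl_certificate` path in an nginx config that is missing or not byte-identical to the Apache certificate. The function names and the sample layout are constructed; on a real server you would pass /etc/nginx/nginx-vhosts.conf and /etc/httpd/conf/ssl.crt/server.crt, the paths named in the thread.

```shell
#!/usr/bin/env bash
# Added example: report nginx ssl_certificate files that are missing or differ
# from the Apache server certificate (a stale copy means nginx serves an old cert).

stale_nginx_certs() {
    local conf="$1" apache_crt="$2" path
    # Match only "ssl_certificate <path>;" (not ssl_certificate_key),
    # strip the trailing semicolon and de-duplicate the paths.
    awk '$1 == "ssl_certificate" { sub(/;$/, "", $2); print $2 }' "$conf" | sort -u |
    while IFS= read -r path; do
        if [ ! -f "$path" ]; then
            echo "MISSING $path"
        elif ! cmp -s "$path" "$apache_crt"; then
            echo "DIFFERS $path"
        fi
    done
}

# Constructed sample layout: directory names and file contents are made up.
make_sample() {
    local d
    d="$(mktemp -d)"
    mkdir -p "$d/httpd" "$d/nginx"
    echo "CERT-NEW" > "$d/httpd/server.crt"   # stands in for the freshly saved cert
    echo "CERT-OLD" > "$d/nginx/server.crt"   # stands in for the copy left untouched
    cat > "$d/nginx-vhosts.conf" <<EOF
server {
    listen 443 ssl;
    ssl_certificate $d/nginx/server.crt;
    ssl_certificate_key $d/nginx/server.key;
}
server {
    listen 443 ssl;
    ssl_certificate $d/httpd/server.crt;
    ssl_certificate_key $d/httpd/server.key;
}
EOF
    echo "$d"
}

d="$(make_sample)"
stale_nginx_certs "$d/nginx-vhosts.conf" "$d/httpd/server.crt"
rm -rf "$d"
```

An empty result means every certificate nginx references matches the Apache one.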
 