DirectAdmin Serving Wrong SSL Certificate on Port 2222 Despite Correct Config and Certs

ZorzStudios (new member, joined Apr 24, 2025)
I'm experiencing an issue where my server is persistently serving an outdated Cloudflare Origin Certificate on port 2222, even after replacing it with a valid Let’s Encrypt certificate.

Here’s what I’ve done so far:

  • Verified that DirectAdmin is listening on port 2222 (PID 438) via /usr/local/directadmin/directadmin
  • Replaced all cert files in /usr/local/directadmin/conf/:
    • server.crt, server.key, and server.ca are now from a valid Let’s Encrypt chain
  • Verified correct permissions and ownership (600, diradmin:diradmin)
  • Updated both config files:
    • /usr/local/directadmin/conf/directadmin.conf
    • /usr/local/directadmin/data/admin/runtime.directadmin.conf
  • Commented out legacy carootcert= lines
  • Restarted DirectAdmin via systemctl, and also fully rebooted the server
  • Confirmed runtime config is being used via ps -ef | grep directadmin
  • Verified through openssl that the cert served is still the Cloudflare Origin Certificate, not the Let’s Encrypt one
Despite all of this, the old certificate remains active.

Could someone please advise:
  1. Is there any compiled-in fallback certificate path?
  2. Is there another override location or bootstrap mechanism I should clear?
  3. Is there a caching layer in DA that would require a deeper reload or flag?
I’d appreciate any insights or steps to resolve this. Happy to provide logs or config snapshots if needed.

Thanks so much for your help!
Do you have a correct FQDN hostname for your server? So not the ip-ad-res-here.da.direct hostname?

Try like this.
Remove these files (as far as present) if the Cloudflare certificate is still being served and the rest of the setup is done correctly:
  • /usr/local/directadmin/conf/ca.csr
  • /usr/local/directadmin/conf/ca.san_config
  • /usr/local/directadmin/conf/cacert.pem
  • /usr/local/directadmin/conf/cacert.pem.combined
  • /usr/local/directadmin/conf/cacert.pem.creation_time
  • /usr/local/directadmin/conf/cakey.pem
  • /usr/local/directadmin/conf/carootcert.pem
  • /usr/local/directadmin/conf/letsencrypt.key
  • /usr/local/directadmin/conf/letsencrypt.key.json
Once deleted, issue this command:
/usr/local/directadmin/scripts/letsencrypt.sh server_cert

This should force DA to create new and now correct hostname certificates for your hostname.

However, this would only work for the hostname. You wrote that the issue occurs with DA listening on port 2222. So if the issue also occurs when using https://somecustomerdomain.com:2222, then this might not be the solution. However, it can't hurt to try.
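A way to pin down both questions in this thread (the original poster's "is the old certificate still served?" and the reply's "is it only the hostname, or also customer domains?") is to compare the SHA-256 fingerprint of whatever port 2222 actually presents, once per SNI name, against the fingerprint of the first certificate in /usr/local/directadmin/conf/server.crt. If no SNI name matches the file, DirectAdmin is not reading that file at all; if the hostname matches but a bare-IP (no SNI) or customer-domain probe does not, the file is in use and a different certificate is being selected for those names. The script below is an added example, not code from the post or from DirectAdmin; it uses only the Python standard library and goes slightly beyond the thread's single openssl check by probing several SNI names in one run. The host name server.example.com and the customer domain are placeholders to replace with your own.

```python
"""Compare the certificate served on DirectAdmin's port 2222 with server.crt on
disk, for several SNI names. Standard library only; no verification is done
because the goal is to see whatever the server presents, valid or not."""
import hashlib
import socket
import ssl

# Path named in the thread: DirectAdmin's own location for the server cert.
DA_SERVER_CRT = "/usr/local/directadmin/conf/server.crt"

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"


def fetch_served_cert_der(host, port=2222, sni=None, timeout=5.0):
    """Return the DER leaf certificate presented for this SNI name.
    sni=None sends no SNI at all, which is what a client connecting by
    bare IP address does."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # diagnostic only: accept anything served
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni) as tls:
            return tls.getpeercert(binary_form=True)


def fingerprint_der(der):
    """SHA-256 fingerprint in the colon-separated form `openssl x509` prints."""
    digest = hashlib.sha256(der).digest()
    return ":".join(f"{b:02X}" for b in digest)


def pem_from_der(der):
    return ssl.DER_cert_to_PEM_cert(der)


def first_cert_pem(text):
    """server.crt may hold leaf + chain; only the first block is the leaf.
    ssl.PEM_cert_to_DER_cert would silently mis-decode a multi-cert file."""
    start = text.find(PEM_BEGIN)
    end = text.find(PEM_END, start)
    if start < 0 or end < 0:
        raise ValueError("no PEM certificate found")
    return text[start:end + len(PEM_END)] + "\n"


def fingerprint_pem(pem):
    return fingerprint_der(ssl.PEM_cert_to_DER_cert(first_cert_pem(pem)))


def load_pem_file(path):
    with open(path, "r", encoding="ascii") as fh:
        return fh.read()


def diagnose(served_der, disk_pem):
    """Compare a served DER certificate with the on-disk PEM (leaf only)."""
    served_fp = fingerprint_der(served_der)
    disk_fp = fingerprint_pem(disk_pem)
    return {"served": served_fp, "disk": disk_fp, "match": served_fp == disk_fp}


def check_port_2222(host, sni_names, disk_path=DA_SERVER_CRT):
    """Probe the port once per SNI name and report whether each served
    certificate equals the first certificate in server.crt."""
    disk_pem = load_pem_file(disk_path)
    return {sni: diagnose(fetch_served_cert_der(host, 2222, sni), disk_pem)
            for sni in sni_names}


if __name__ == "__main__":
    # Placeholder names for illustration; use your real hostname and one
    # customer domain hosted on the server.
    HOST = "server.example.com"
    report = check_port_2222(HOST, [None, HOST, "somecustomerdomain.com"])
    for sni, r in report.items():
        print(f"SNI={str(sni):<26} served={r['served'][:23]}... "
              f"disk={r['disk'][:23]}... match={r['match']}")
```

Run it as root on the server itself (it reads server.crt) with the hostname and one customer domain filled in; a "match=False" on every row means the file on disk is not the source of what is served, which is the case for a compiled-in fallback or another override location, while a mismatch only on the no-SNI or customer-domain rows points at per-name certificate selection rather than at the file.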