Directadmin web panel failed after update

max008

Hi everybody,

After updating to the latest version of Directadmin (1.62.7), the web control panel stopped working!
So I ran the following commands to find the problem:

cd /usr/local/directadmin
killall -9 directadmin
./directadmin b2000


I see the following error in the output:

2021/08/28 09:13:14 error licence: unable to create session error=request failed: Post "https://licensing.directadmin.com/start": x509: certificate is not valid for any names, but wanted to match licensing.directadmin.com

I am using the following guide because of a problem with the SSL connection

https://help.directadmin.com/item.php?id=2124

"echo 1 > /root/.insecure_download"

It seems the Directadmin technical team forgot to check the insecure_download option in the new version.

How can I fix this problem?
 
Have you tried creating a new certificate for the hostname? Try like this from SSH as root.
Code:
cd /usr/local/directadmin/custombuild
./build update
./build letsencrypt
cd ../scripts
./letsencrypt.sh revoke server.domain.com
Replace server.domain.com with your hostname (not domain name but hostname)!

Then after that is finished, request a new certificate from the same directory:
./letsencrypt.sh request_single server.domain.com 4096
Again, replace server.domain.com with the FQDN hostname of your server, and don't forget the 4096 at the end.

After the certificate is applied, try to start DA again, hopefully it will work then.
 
Hello.

I presume you also tried this?

If that also does not work, you could try sending in a ticket. However, if you send a ticket as guest over here:
then note down your ticket id and check regularly, because there is a bug in the system. Guest tickets don't get an email confirmation and no email on updates.
Even if you do not have ticket support, it is allowed to send in a ticket this way if it's a bug.
 
Hi max008,

I think the problem is being caused by some middle-box intercepting/hijacking SSL traffic or an invalid global CA list. Directadmin service tries to connect to https://licensing.directadmin.com but fails because it receives invalid certificate. The Directadmin server has a good certificate; it is easy to check by just visiting https://licensing.directadmin.com using a browser and checking the TLS details.

To double check if that is the case, try using any other HTTP client on the server, for example curl:

Bash:
$ curl -v https://licensing.directadmin.com
*   Trying 172.67.162.151:443...
* Connected to licensing.directadmin.com (172.67.162.151) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=US; ST=California; L=San Francisco; O=Cloudflare, Inc.; CN=sni.cloudflaressl.com
*  start date: Jun 23 00:00:00 2021 GMT
*  expire date: Jun 22 23:59:59 2022 GMT
*  subjectAltName: host "licensing.directadmin.com" matched cert's "*.directadmin.com"
*  issuer: C=US; O=Cloudflare, Inc.; CN=Cloudflare Inc ECC CA-3
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x56334b6ef560)
> GET / HTTP/2
> Host: licensing.directadmin.com
> user-agent: curl/7.74.0
> accept: */*
> 
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Connection state changed (MAX_CONCURRENT_STREAMS == 256)!
< HTTP/2 200 
< date: Mon, 30 Aug 2021 17:09:00 GMT
< content-type: text/plain; charset=utf-8
< vary: Accept-Encoding
< cf-cache-status: DYNAMIC
< expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
< report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=L%2FoLweMzCXRRFOH5heUyfV5TY8CK%2BOmReIMK7EZbCv6l4JmfA77KRMUnCdlenM41LyZQs%2BmgY6cyfFTQRk8lyJmKOB9%2BxAgSUEvwr759CVEEG17AGQaXdzzP%2B7QOhYXtNJyRC9iEqDzQEVBc"}],"group":"cf-nel","max_age":604800}
< nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
< server: cloudflare
< cf-ray: 686f9fd6af6916a5-ARN
< alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400, h3=":443"; ma=86400
< 
Hello!
* Connection #0 to host licensing.directadmin.com left intact

If everything works fine, you should receive a Hello! message back from the server. If curl fails the request, you should check whether your outgoing internet connection goes through a firewall, IPS, or other networking equipment that performs TLS connection hijacking. Using curl -v you can actually see what certificate you get when you try to connect to https://licensing.directadmin.com. There is also a possibility that the system has an invalid (or old) global CA bundle. For example, curl tries to load the global CA list from /etc/ssl/certs/ca-certificates.crt.
 
Can you tell me, where are my email details? [Like SMTP host, SMTP port, SMTP user name & password etc.]
 
Hi fln,

As I said in the first post, I use an old OS and have problems with SSL.
I expect the solution mentioned in the following link to be observed in all sections where the license is checked by Directadmin service.

https://help.directadmin.com/item.php?id=2124

You said:
Directadmin service tries to connect to https://licensing.directadmin.com but fails because it receives invalid certificate

And I say: why does Directadmin try to validate the certificate when I have enabled the insecure_download option according to the Directadmin Help portal?

Thanks,
 
Thanks for clarification.

Unfortunately we can not disable SSL for licensing related communications. Running a server that can not ensure SSL/TLS connections are not being tampered with is a big risk for a server in general.

If upgrading the whole OS is not an option, I would recommend updating just the server root SSL/TLS certificate list. This will allow all applications on a server (not only DA) to use safe and encrypted communications. Could you give us more details about what OS you are using? Different OSes use different locations for certificate bundle files. Here are some examples:
  • /etc/ssl/certs/ca-certificates.crt - Debian/Ubuntu/Gentoo etc.
  • /etc/pki/tls/certs/ca-bundle.crt - Fedora/RHEL 6
  • /etc/ssl/ca-bundle.pem - OpenSUSE
  • /etc/pki/tls/cacert.pem - OpenELEC
  • /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem - CentOS/RHEL 7
  • /etc/ssl/cert.pem - Alpine Linux
You can grab the latest CA bundle from here: https://curl.se/docs/caextract.html (source is Mozilla CA list)
 
My admin panel does not open, 503 server is unavailable..
How can I solve it?
Please help me...
 
@ganadama

After an update? If yes, which?
Can you log in with SSH?

Then look in the error logs and see, for example, if httpd is started.

Also test if the server is online for mail, if that is working, and FTP.

Versions of the operating system and Directadmin, and maybe more info, are needed for support here in the forum.

I can't help but start there

Also, do you have a DA license or is it with a hosting company? If so, ask them for support as well.
 