How to install EV SSL Comodo with Directadmin

divinelighting
Unable to find a good how-to anywhere. This is what worked for me:
SSL EV certificates must be processed and approved by the issuer. If it is renewed (with no changes), it may take up to 12 hours to complete. If it is a new issue, it could take days due to the validation process, because a real person checks out the site and interviews the owner by phone. Regardless, during this time the certificate will not be available for use. If uninterrupted SSL is required, a possible workaround is to utilize a shared SSL certificate for the whole server.

This is the process I used with Namecheap and Comodo. The process may differ slightly for other providers.

1. Go to the DirectAdmin user control panel, SSL, and "Create a Certificate Request".
2. Go to your SSL reseller and paste the certificate.
3. 10-30 minutes later, a verification email will come to [email protected]. Follow the instructions.
4. Hours to days later, the site will be approved by Comodo and the certificates will be emailed to the technical contact for the site.
5. All of the required certificates are in the attached zip file. These are the files:

a) Root: AddTrustExternalCARoot.crt
b) Intermediate 1: COMODOAddTrustServerCA.crt
c) Intermediate 2: COMODOExtendedValidationSecureServerCA.crt
d) End-entity/domain certificate: www_yourdomain_com.crt
(Note: you can view the certificates by renaming them to .txt files)

6. Under DirectAdmin SSL, paste 'd' under the RSA PRIVATE KEY and hit "Save".
7. At the bottom of that page, click "CLICK HERE to paste a CA root certificate".
8. On this page, paste 'a', 'b', and 'c' sequentially and click "Save".

Validate that everything is working correctly at:
http://www.networking4all.com/en/support/tools/site+check/
 
Yes, the part that was unclear to me was how to get all the certificates chained in the root.

I still have a problem though:

IMAP, POP3 and SMTP for this domain are all still pointing to old, expired certificates. I could edit dovecot.conf if I knew where to point for the updated certificates. It seems like DA should have taken care of this.

Any ideas?
 
It should list the files in /etc/dovecot.conf

Code:
egrep -i 'ssl_cert|ssl_key' /etc/dovecot.conf | cut -d= -f2

This is what I have:

ssl_cert = </etc/httpd/conf/ssl.crt/server.crt
ssl_key = </etc/httpd/conf/ssl.key/server.key

Which means it is using the Apache default SSL cert that you have set for your shared main IP.

That would cover you for IMAP and POP3.

For SMTP these should be the files:

tls_certificate = /etc/exim.cert
tls_privatekey = /etc/exim.key
 
That is what I have in dovecot.conf, and I confirmed that those certs are current, and they cover all of my users that are on the shared ssl.

However, the problem is with the one user for whom I just installed this EV SSL. When I installed the cert in DA, it took care of httpd but not POP3/IMAP. When I check the certificate for POP3/IMAP it still shows it is using a certificate that expired last year. Not the shared cert, not the EV cert, but one from last year. How can this be fixed?
 
That was it. Apparently dovecot needed to be restarted. I actually just did that after adding this to dovecot.conf to increase cipher:

ssl_cipher_list = ALL:!LOW:!MEDIUM:!MD5:!SSL2:!EXP-ADH-DES-CBC-SHA:!EXP-EDH-RSA-DES-CBC-SHA:!EXP-DES-CBC-SHA:!EXP-EDH-RSA-DES-CBC-SHA:!EXP-ADH-DES-CBC-SHA:!EXP-DES-CBC-SHA:!ADH-AES256-SHA:!ADH-AES128-SHA:!ADH-DES-CBC3-SHA:!EXP-ADH-DES-CBC-SHA:!EXP-ADH-DES-CBC-SHA:!ADH-DES-CBC3-SHA

All seems to work now. Thanks.
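The checks behind steps 5-8 above (is the a/b/c chain actually complete behind the domain certificate, and does that certificate belong to the key DirectAdmin holds) and behind the dovecot/exim config lines quoted later in the thread, as an added example that is not from the thread, DirectAdmin, Comodo or Namecheap. It generates its own throwaway root/intermediate/domain chain with openssl and writes constructed dovecot.conf and exim.conf snippets under a temp directory, so the CA names, the domain www.example.test and every path are assumptions; only the two config line formats (`ssl_cert = </path` for dovecot, `tls_certificate = /path` for exim) come from the thread.

```shell
#!/bin/sh
# Added example (not from the thread, DirectAdmin, Comodo or Namecheap):
# offline checks for a root -> intermediate -> domain-certificate chain and
# for the certificate paths dovecot and exim are configured with.
# Everything here is constructed: a throwaway CA ("Example root",
# "Example int"), the domain www.example.test, temp files under $WORK, and
# demo dovecot.conf / exim.conf snippets in the formats the thread shows.
set -e
WORK="${WORK:-$(mktemp -d)}"

# Generate a throwaway 3-level chain so the checks have something to inspect.
# In real use these are the files from the CA's zip: a (root), b/c
# (intermediates) and d (domain certificate), plus the key DirectAdmin created.
make_demo_chain() {
    printf 'basicConstraints=CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > "$WORK/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' > "$WORK/leaf.ext"
    for n in root int leaf; do
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example $n" \
            -keyout "$WORK/$n.key" -out "$WORK/$n.csr" 2>/dev/null
    done
    # self-signed root (the "a" file)
    openssl x509 -req -days 2 -in "$WORK/root.csr" -signkey "$WORK/root.key" \
        -extfile "$WORK/ca.ext" -out "$WORK/root.crt" 2>/dev/null
    # intermediate signed by the root (the "b"/"c" files)
    openssl x509 -req -days 2 -in "$WORK/int.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
        -CAcreateserial -extfile "$WORK/ca.ext" -out "$WORK/int.crt" 2>/dev/null
    # domain certificate signed by the intermediate (the "d" file)
    openssl x509 -req -days 2 -in "$WORK/leaf.csr" -CA "$WORK/int.crt" -CAkey "$WORK/int.key" \
        -CAcreateserial -extfile "$WORK/leaf.ext" -out "$WORK/leaf.crt" 2>/dev/null
}

# Verify the domain cert the way a browser or mail client does: the root is the
# trust anchor, the intermediates are untrusted helpers that must be supplied.
# Leaving the intermediates out (the chaining problem in the thread) makes this fail.
verify_chain() {  # usage: verify_chain ROOT LEAF [INTERMEDIATE_BUNDLE]
    if [ -n "$3" ]; then
        openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
    fi
}

# The certificate pasted into DirectAdmin must belong to the private key it
# already holds; compare public-key digests instead of eyeballing PEM text.
cert_matches_key() {  # usage: cert_matches_key CERT KEY
    c=$(openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    k=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
    [ "$c" = "$k" ]
}

# Fails when the certificate has already expired (the symptom the thread saw on
# the IMAP/POP3 ports before dovecot was restarted).
cert_still_valid() { openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1; }

# dovecot writes "ssl_cert = </path" (the "<" means "read this file"); exim writes
# "tls_certificate = /path". Print just the path so it can be fed to the checks above.
config_cert_path() {  # usage: config_cert_path CONFIG_FILE KEY
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*<\{0,1\}//p" "$1" | head -n 1
}

# Constructed config snippets in the two formats the thread quotes.
write_demo_configs() {
    printf 'ssl_cert = <%s/leaf.crt\nssl_key = <%s/leaf.key\n' "$WORK" "$WORK" > "$WORK/dovecot.conf"
    printf 'tls_certificate = %s/leaf.crt\ntls_privatekey = %s/leaf.key\n' "$WORK" "$WORK" > "$WORK/exim.conf"
}

# What the running daemon actually serves (this is what stayed stale until the
# restart). Needs network access, so it is not called in the demo below.
remote_not_after() {  # usage: remote_not_after HOST PORT [smtp]
    [ "$3" = smtp ] && starttls="-starttls smtp" || starttls=""
    openssl s_client -connect "$1:$2" -servername "$1" $starttls </dev/null 2>/dev/null \
        | openssl x509 -noout -enddate
}

main() {
    make_demo_chain
    write_demo_configs
    cert=$(config_cert_path "$WORK/dovecot.conf" ssl_cert)
    key=$(config_cert_path "$WORK/dovecot.conf" ssl_key)
    cert_matches_key "$cert" "$key" && echo "cert/key match: $cert"
    cert_still_valid "$cert" && echo "not expired: $cert"
    verify_chain "$WORK/root.crt" "$cert" || echo "root only: chain incomplete (expected)"
    verify_chain "$WORK/root.crt" "$cert" "$WORK/int.crt" && echo "root + intermediate: chain OK"
}
if command -v openssl >/dev/null 2>&1; then main; else echo "openssl not found; demo skipped" >&2; fi
```

Run it as a script. `verify_chain` with only the root reproduces the failure a client sees when the intermediates were never pasted, and `remote_not_after yourhost 993` (or `remote_not_after yourhost 25 smtp`) shows the certificate the daemon is really serving, which is the check that would have caught the stale dovecot certificate before the restart.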
 