SSL: always a warning, what's wrong?

pppplus (Verified User, joined Dec 19, 2008, 526 messages)
Hi everybody.

I have read a lot of posts about SSL, and I always have a problem connecting to DirectAdmin! I always receive a warning!

1- I got a free SSL certificate from startssl.com
2- The certificate is OK for the domain https://3go.fr and the subdomain https://serveur6.3go.fr
OK => I have no warning.

But I want to use it to connect to DirectAdmin, for all my users.

If I open https://serveur6.3go.fr:2222, I receive a warning.

What I have done:

In directadmin.conf:
Code:
SSL=1
ssl_redirect_host=serveur6.3go.fr
force_hostname=serveur6.3go.fr

I restart DirectAdmin.

I copy the certificate and key to:
certificate: /usr/local/directadmin/conf/cacert.pem
key: /usr/local/directadmin/conf/cakey.pem

(as written here: http://help.directadmin.com/item.php?id=15)

So /usr/local/directadmin/conf/cacert.pem looks like:
Code:
-----BEGIN CERTIFICATE-----
MIIHETCCB
............
/xIM/CA==
-----END CERTIFICATE-----
And /usr/local/directadmin/conf/cakey.pem looks like:
Code:
-----BEGIN RSA PRIVATE KEY-----
MIIEowIB
...............
qOker/KXRI
-----END RSA PRIVATE KEY-----


What is wrong??
 
serveur6.3go.fr:2222 uses an invalid security certificate.

The certificate is not trusted because it is self-signed.

You are using a self-signed certificate. You need to buy one from some company.
 
I do not understand why.

https://serveur6.3go.fr has no warning about the certificate.

I have the problem only if I add :2222.

So it is something with the root certificate or the DirectAdmin certificate.

I use a certificate signed by startssl.com
 
I use a certificate signed by startssl.com

The same here. I use startssl.com certs, and they give the error with DirectAdmin; nevertheless they work OK with Apache:

Code:
Initiating SSL handshake.
Handshake successful; connected socket 4 to SSL handle 0x09a156a8
certificate:
  subject: /description=396386-2C12I5ifoLQQAkwl/C=RU/O=Persona Not Validated/OU=StartCom Free Certificate Member/CN=server.*****.ru/emailAddress=alexey@*****.ru
  issuer:  /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
ERROR: cannot verify server.*****.ru's certificate, issued by `/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA':
  Unable to locally verify the issuer's authority.


But in your case, it seems to be a self-signed cert:

Code:
Initiating SSL handshake.
Handshake successful; connected socket 4 to SSL handle 0x095909e8
certificate:
  subject: /C=FR/ST=BNO/L=MEAUFFE/O=DreamHosting/CN=serveur6.3go.fr/[email protected]
  issuer:  /C=FR/ST=BNO/L=MEAUFFE/O=DreamHosting/CN=serveur6.3go.fr/[email protected]
ERROR: cannot verify serveur6.3go.fr's certificate, issued by `/C=FR/ST=BNO/L=MEAUFFE/O=DreamHosting/CN=serveur6.3go.fr/[email protected]':
  Self-signed certificate encountered.
 
So I am missing something...

zEiter, do you mean that with startssl.com I can't have https on :2222 without a warning?

So what sort of SSL certificate can I buy to have no warning?


SSL is a little complicated... So many prices, from $0 to $1500.
And I find it a little hard to configure in DirectAdmin.

Maybe a clear HOWTO is missing (or I do not understand what is already done).
 
I'm not a big expert in SSL certs. Jeff knows much more...

According to the StartSSL.COM documentation, I add SSLCertificateChainFile for every domain with those certs:

Code:
SSLCertificateChainFile `HOME`/sub.class1.server.ca.pem

I did not find a way to set SSLCertificateChainFile in directadmin.conf (at least when I tried). Thus I got the error shown above.
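The two wget transcripts above show the two distinct failures in this thread: a self-signed certificate being served on :2222 (issuer equals subject), and a StartSSL certificate whose intermediate (the sub.class1.server.ca.pem chain file mentioned just above) is not available to the verifier. The following script is an added example, not from the thread or from DirectAdmin, that reproduces those checks offline against the files on disk instead of probing the port; it assumes openssl is in PATH, and the chain-file path in the final comment is an assumption.

```sh
#!/bin/sh
# Added example (not from the thread or DirectAdmin): offline checks on the
# certificate files DirectAdmin reads. Assumes openssl is in PATH.

# is_self_signed CERT -> 0 when issuer equals subject, which is what the
# browser reported for :2222 ("Self-signed certificate encountered").
is_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject) || return 2
    iss=$(openssl x509 -in "$1" -noout -issuer) || return 2
    [ "${subj#subject=}" = "${iss#issuer=}" ]
}

# key_matches_cert CERT KEY -> 0 when the RSA private key belongs to CERT.
# A mismatched pair is one reason a server stops answering after SSL=1.
key_matches_cert() {
    c=$(openssl x509 -in "$1" -noout -modulus 2>/dev/null)
    k=$(openssl rsa -in "$2" -noout -modulus 2>/dev/null)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# chain_verifies CERT BUNDLE -> 0 when CERT validates against BUNDLE, i.e.
# the issuing intermediate (StartSSL's sub.class1.server.ca.pem) plus root.
# "Unable to locally verify the issuer's authority" means this check fails.
chain_verifies() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# make_test_certs DIR -> constructed throwaway material for trying the checks:
# ca.pem (root), leaf.pem/leaf.key signed by it, self.pem/self.key self-signed.
make_test_certs() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Test Root CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=serveur6.example" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$d/leaf.csr" -CA "$d/ca.pem" \
        -CAkey "$d/ca.key" -set_serial 1 -out "$d/leaf.pem" >/dev/null 2>&1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=serveur6.example" \
        -keyout "$d/self.key" -out "$d/self.pem" >/dev/null 2>&1
}

# On the server, with the paths from the thread (chain file path is an assumption):
#   is_self_signed /usr/local/directadmin/conf/cacert.pem && echo "self-signed"
#   key_matches_cert /usr/local/directadmin/conf/cacert.pem /usr/local/directadmin/conf/cakey.pem
#   chain_verifies /usr/local/directadmin/conf/cacert.pem /path/to/sub.class1.server.ca.pem
```

If is_self_signed succeeds on cacert.pem, the file DirectAdmin is serving is still the one generated by the openssl req -x509 command, not the CA-issued one.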
 
You need to put the Cert in the right place, and if you've got a chain file or root CA file you need to put it in the right place, where DirectAdmin can find it (DirectAdmin has its own webserver; it doesn't use Apache). If you set it up right it should work unless there truly is some incompatibility with the Cert you've installed.

If you're seeing the self-signed cert then you haven't put your Cert into the right place, where DirectAdmin expects to find it.

Other than that I can only offer to install a Certificate for you, and we charge less to sell you a new Certificate and install it than we do to troubleshoot your installation, because it takes less time.

Look in the Advertising section starting tomorrow for a new offer from me to install a Certificate into DirectAdmin.

Jeff
 
Thanks for your replies.
I did not have time to test again before now.

I still have the same problem.

@jlasman: I understand you propose to install it for me. But I want to do it myself, because I want to understand why it doesn't work.

I tried on a new server, and followed exactly this how-to: http://help.directadmin.com/item.php?id=15

I use a certificate generated by startssl. And I still have the warning, because I use a self-signed certificate.

Here is what I do:
1- I create the file /usr/local/directadmin/conf/cacert.pem and copy the certificate given by startssl
2- I create the file /usr/local/directadmin/conf/cakey.pem and copy the key given by startssl
3- I change the permissions on the cakey file
4- I put SSL=1 in directadmin.conf
5- I restart DirectAdmin
=> oops, impossible to connect to the server... with http or https
6- I generate a self-signed certificate with
Code:
/usr/bin/openssl req -x509 -newkey rsa:1024 -keyout /usr/local/directadmin/conf/cakey.pem -out /usr/local/directadmin/conf/cacert.pem -days 9000 -nodes
7- I copy cacert.pem and cakey.pem from startssl again
8- I restart DirectAdmin
OK, I can connect, but with the warning!

What is missing, what is wrong? I want to understand.

@jlasman: you wrote in a post the price at which you sell your certificate. I cannot find it again. Can you PM me your price, and confirm your certificates will work for connections on port 2222?
 
If you're sure you're doing everything correctly, the Certificate will work unless there's some error or misconfiguration in your DirectAdmin setup. If the StartSSL Certificate won't work, then it's likely mine won't either if you install it.

While I can't take the time to troubleshoot your installation unless you pay for that time, I'm happy to install one of our Certificates for you and then tell you exactly what I did.

No need to PM you; the information is public on the DirectAdmin Forums, in the Advertising section, here.

Note, however, that we won't be able to sell/install any Certificates until Monday; though GlobalSign has not yet found any evidence they've been hacked, they're taking steps to make sure they've not been, and they won't be creating Certificates again until then. More information here (globalsign.com).

Jeff
 