SSL control panel logins

If I set my cert I bought from GeoTrust to the cp, would they have to access it by my domain, which is www.prohs.com, or would they get a security popup if they didn't access it by my domain name?
 
Hello,

They'd need to access it through the value that's in the certificate. (www.prohs.com). It would still be secure if they didn't, but they'd get the popup. You also might need to set the CA Root Certificate in your directadmin.conf file if you want to completely get rid of the popup:

carootcert=/path/to/carootcert

John
 
DirectAdmin Support said:
Hello,

I'm not getting a popup for https://www.prohs.com:2222 ... maybe close all browsers before trying it again. And if something *was* working, then it probably doesn't need fixing ;)

John

No, I mean when accessing it from another domain, sub-domain or the IP address. I have the CA Root Certification set up, so it should not pop up, right?
 
DirectAdmin Support said:
Hello,

A certificate is only valid on the domain you bought it for. Ie: www.prohs.com. You will always get a popup on sub.prohs.com with a standard certificate.

John

Oh OK, I thought you said if I enable CA Root certification it would work on any domain or sub-domain, but thank you.
 
DirectAdmin Support said:
Hello,

They'd need to access it through the value that's in the certificate. (www.prohs.com). It would still be secure if they didn't, but they'd get the popup. You also might need to set the CA Root Certificate in your directadmin.conf file if you want to completely get rid of the popup:

carootcert=/path/to/carootcert

John

Could you please provide step-by-step instructions on what should be done to use DirectAdmin through SSL?

So far, I have Thawte certificate installed on the server and it works fine, I also managed to get DA working with self signed certificates, but after copying server.crt and server.key files to /usr/local/directadmin/conf and changing "apachecert" and "apachekey" it won't start.
 
They did give step by step instructions on the first page of this thread. If you still did not get it please tell us what you have done so far.
 
So far, I did
# openssl req -new -x509 -keyout /usr/local/directadmin/conf/cakey.pem.tmp \
-out /usr/local/directadmin/conf/cacert.pem
# openssl rsa -in /usr/local/directadmin/conf/cakey.pem.tmp \
-out /usr/local/directadmin/conf/cakey.pem
# rm /usr/local/directadmin/conf/cakey.pem.tmp
# chown diradmin:diradmin /usr/local/directadmin/conf/cakey.pem
# chmod 400 /usr/local/directadmin/conf/cakey.pem

# /usr/local/etc/rc.d/directadmin restart
Stopping DirectAdmin: [ OK ]
Starting DirectAdmin: [ OK ]

and got a pop up with the warning.
I then copied the files /etc/httpd/conf/ssl.crt/server.crt and /etc/httpd/conf/ssl.key/server.key to /usr/local/directadmin/conf and changed ownership/permissions:

# chown diradmin:diradmin server.crt
# chown diradmin:diradmin server.key
# chmod 400 server.crt server.key

and modified /usr/local/directadmin/conf/directadmin.conf accordingly:

apachecert=/usr/local/directadmin/conf/server.crt
apachekey=/usr/local/directadmin/conf/server.key

I still get the same popup window with 3 yellow triangles. When I click View Certificate, it shows me exactly the same info, it looks like setting apachecert and apachekey was completely ignored.

I then tried to comment out the following lines:
cacert=/usr/local/directadmin/conf/cacert.pem
cakey=/usr/local/directadmin/conf/cakey.pem

and this is when DA refused to start.

Maybe I need to set 'CA Root Certificate', but I don't know where to get one. The only files I have are server.crt and server.key and Apache is fine with that.
 
For now switch SSL=0 then restart DA, if you want PM me the info you are using for cert:

2-Letter Country Code:
State / Country:
City:
Company:
Organisation:
Common name: (www.domain.com)

I will generate the RSA key and cert then PM it to you (if you are looking for self signed) ;)

Chris
 
Thank you for your replies, but I am not looking for self signed certificate, as a matter of fact, self signed cert is already installed as shown above. Otherwise, I wouldn't get the popup window at all ;)

I have Thawte certificate, which is already installed and works with Apache. All I want is to have it working with DA too, but it seems to be ignored even though it's specified in apachecert and apachekey.
 
Hello,

Just some general guidelines for getting DA to work with SSL:

1) ensure that the paths in the directadmin.conf are correct.
2) ensure that the certificates are readable by the "diradmin" user. So basically chown it to "diradmin:diradmin" and make sure the permissions are correct.
3) set SSL=1 in the directadmin.conf
4) if you have a CA Root certificate to add on top of your key and cert, then just do so with the following setting in the directadmin.conf:

carootcert=/path/to/caroot.cert

For many certificates, the CA Root Cert is required to validate the cert/key pair to get rid of the popup. (gets rid of the top yellow triangle: "The security certificate was issued by a company you have not chosen to trust... etc.")

5) Then restart da:
Code:
service directadmin restart
and be sure to use https://domain.com:2222 when accessing the panel. You may need to make adjustments to your welcome emails.

John
 
It seems to always go with
cacert=/usr/local/directadmin/conf/cacert.pem
and cakey=/usr/local/directadmin/conf/cakey.pem

which were generated according to http://www.directadmin.com/installguide.html and are self signed.

Commercial cert specified in apachecert and apachekey is completely ignored.
Removing cacert and cakey shuts DA admin down.

Help?
 
You don't use the key and crt files by directadmin... open up

cacert.pem, enter:

Code:
-----BEGIN CERTIFICATE-----
.
.
.
.
.
-----END CERTIFICATE-----

cakey.pem, enter:

Code:
-----BEGIN RSA PRIVATE KEY-----
.
.
.
.
.
-----END RSA PRIVATE KEY-----


the example shown is for generating these using openssl (enter your own if you want)

Chris
 
Hello,

apachecert and apachekey are used for the virtualhost directives for Apache's httpd.conf files.. not DA. Only the cacert and cakey values actually have any merit for SSL connections with DA. You can change the path of the cacert and cakey to match the apache ones if you want, they should also be valid certificates.

John
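
Added example, not part of the thread and not DirectAdmin's own tooling: a shell check that follows the guidelines above and the point that DA serves the cacert/cakey pair, not apachecert/apachekey. It assumes openssl is installed; the function names are made up here, and the config keys are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example: check the certificate pair DirectAdmin serves on port 2222.
# Config keys (SSL, cacert, cakey, carootcert) are the ones quoted in the thread;
# the function names are hypothetical.

# conf_get FILE KEY: print the value of the last KEY=value line in FILE.
conf_get() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# check_da_ssl CONF HOSTNAME: print findings; return 0 only if every check passes.
check_da_ssl() {
    conf=$1; host=$2; rc=0
    cert=$(conf_get "$conf" cacert)
    key=$(conf_get "$conf" cakey)
    root=$(conf_get "$conf" carootcert)

    [ "$(conf_get "$conf" SSL)" = "1" ] || { echo "FAIL: SSL=1 is not set"; rc=1; }
    for f in "$cert" "$key"; do
        [ -r "$f" ] || { echo "FAIL: cannot read '$f'"; return 1; }
    done

    # The private key must belong to the certificate: compare public keys.
    cert_pub=$(openssl x509 -noout -pubkey -in "$cert" 2>/dev/null)
    key_pub=$(openssl pkey -pubout -in "$key" 2>/dev/null)
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: cakey does not match cacert"; rc=1
    fi

    # The name typed into the browser must be in the certificate.
    openssl x509 -noout -checkhost "$host" -in "$cert" 2>&1 |
        grep -q 'does match' || { echo "FAIL: certificate does not cover $host"; rc=1; }

    # If a CA root is configured (assumed to hold the full issuing chain),
    # the certificate should verify against it.
    if [ -n "$root" ]; then
        openssl verify -CAfile "$root" "$cert" >/dev/null 2>&1 ||
            { echo "FAIL: cacert does not verify against carootcert"; rc=1; }
    fi
    [ "$rc" -eq 0 ] && echo "OK: $host matches the configured pair"
    return "$rc"
}

# Run as: sh check_da_ssl.sh /usr/local/directadmin/conf/directadmin.conf www.prohs.com
if [ "$#" -eq 2 ]; then check_da_ssl "$1" "$2"; fi
```

Running it as the diradmin user makes the readability test reflect what DA itself can open.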
 
DirectAdmin Support said:
Hello,

apachecert and apachekey are used for the virtualhost directives for Apache's httpd.conf files.. not DA. Only the cacert and cakey values actually have any merit for SSL connections with DA. You can change the path of the cacert and cakey to match the apache ones if you want, they should also be valid certificates.

John

Thank you for your reply.
I guess cacert and cakey names were a bit confusing for me, I didn't realize that those define cert used by DA control panel.

I still have a question, though:
Should the cert pair defined for apache virtualhost directives (apachecert and apachekey) be readable by diradmin or it's just a text string that is being copied to httpd.conf file?

For example, if diradmin.conf file contains the following:
apachecert=/etc/httpd/conf/ssl.crt/server.crt
apachekey=/etc/httpd/conf/ssl.key/server.key
cacert=/usr/local/directadmin/conf/cacert.pem
cakey=/usr/local/directadmin/conf/cakey.pem

is it OK to have /usr/local/directadmin/conf/cacert.pem and /usr/local/directadmin/conf/cakey.pem readable by diradmin, but /etc/httpd/conf/ssl.crt/server.crt and /etc/httpd/conf/ssl.key/server.key to be only readable by root?
 