Issues pertaining to the installation of DirectAdmin and its included services. Setting up DA with an SSL certificate, Creating a Self-Signed Certificate
You can switch DirectAdmin to use SSL instead of plain text, i.e. https instead of http on port 2222.
Please note that this is for the DirectAdmin connection on port 2222, *not* for Apache.
If you're trying to set up a certificate for your domain through Apache, use the following guide.
Creating a Self-Signed Certificate
If you do not have your own certificates, you will need to create your own:
/usr/bin/openssl req -x509 -sha256 -newkey rsa:4096 -keyout /usr/local/directadmin/conf/cakey.pem -out /usr/local/directadmin/conf/cacert.pem -days 9000 -nodes
chown diradmin:diradmin /usr/local/directadmin/conf/cakey.pem
Installing a Purchased Certificate
If you already have your own certificate and key, then paste them into the following files:
Edit /usr/local/directadmin/conf/directadmin.conf and set ssl=1 (default is 0). This tells DA to load the certificate and key and to use an SSL connection.
but can be changed as needed.
DirectAdmin needs to be restarted after any changes to directadmin.conf.
If you also have a CA Root Certificate, this can be specified by adding:
into the /usr/local/directadmin/conf/directadmin.conf file (won’t exist by default) and by pasting the contents of the caroot cert into that file.
Using the free “Let’s Encrypt” tool to secure 2222
Please note: as of 1.30.2, you can set the value of the SSL redirect used when a user connects to an https connection with plaintext http.
For 1.33.0, you can force DA to redirect to a specific hostname if you want the host to match the installed cert:
However, if they connect to https on a different host, they will first get the SSL warning (since SSL is established before the host is passed), then they will be redirected to the correct host, where the error would not appear (assuming you have a valid cert set up).
As of 1.33.3, you can enable an SSL cipher setting to force SSLv3 and disable SSLv2:
DA 1.48.4 will support HTTP Strict Transport Security (HSTS):
But then we recommend you enable both force_hostname and ssl_redirect_host with a non-Apache-using host, like dabox.domain.com, and not www.domain.com. HSTS does not respect only port 2222: it would bleed over to Apache, changing http://www.domain.com (80) connections to use https://www.domain.com (443), even though the header is only set on port 2222.
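The host-versus-port behaviour behind this recommendation, modelled on the browser rules in RFC 6797 as an added example (not DirectAdmin's code and not part of the original page). The header value is constructed, and the model also covers includeSubDomains, which the page does not mention.

```python
from urllib.parse import urlsplit, urlunsplit

class HstsStore:
    """Minimal model of a browser's HSTS host list (RFC 6797)."""

    def __init__(self):
        self.hosts = {}  # hostname -> includeSubDomains flag

    def note_response(self, url, sts_header):
        """Record a Strict-Transport-Security header seen on a response."""
        parts = urlsplit(url)
        if parts.scheme != "https":
            return  # the header is ignored on plain http responses
        directives = {}
        for item in sts_header.split(";"):
            name, _, value = item.strip().partition("=")
            directives[name.lower()] = value.strip('"')
        if not directives.get("max-age", "").isdigit():
            return  # max-age is required
        host = parts.hostname  # the port (2222 here) is not stored
        if int(directives["max-age"]) == 0:
            self.hosts.pop(host, None)
        else:
            self.hosts[host] = "includesubdomains" in directives

    def is_known(self, host):
        """True if host, or a parent with includeSubDomains, is listed."""
        labels = host.split(".")
        for i in range(len(labels)):
            parent = ".".join(labels[i:])
            if parent in self.hosts and (i == 0 or self.hosts[parent]):
                return True
        return False

    def rewrite(self, url):
        """Apply the http -> https upgrade a browser performs before connecting."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not self.is_known(parts.hostname):
            return url
        netloc = parts.hostname
        if parts.port == 80:
            netloc += ":443"  # explicit :80 becomes :443
        elif parts.port is not None:
            netloc += ":%d" % parts.port  # other explicit ports are kept
        return urlunsplit(("https", netloc) + tuple(parts[2:]))

def visit_da_then_site(da_url, site_url, header="max-age=31536000"):
    """Constructed scenario: log in to DA on 2222, then browse the web site."""
    ua = HstsStore()
    ua.note_response(da_url, header)
    return ua.rewrite(site_url)
```

Calling visit_da_then_site with https://www.domain.com:2222/ upgrades http://www.domain.com/shop to https, while using https://dabox.domain.com:2222/ leaves that URL unchanged.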