Issues pertaining to the installation of DirectAdmin and its included services. Setting up DA with an SSL certificate


You can switch DirectAdmin to use SSL instead of plain text, that is, https instead of http on port 2222.
Please note that this is for the DirectAdmin connection on port 2222, *not* for Apache.
If you're trying to set up a certificate for your domain through Apache, use the following guide.

Creating a Self-Signed Certificate

If you do not have your own certificate, you will need to create one:

/usr/bin/openssl req -x509 -sha256 -newkey rsa:4096 -keyout /usr/local/directadmin/conf/cakey.pem -out /usr/local/directadmin/conf/cacert.pem -days 9000 -nodes

chown diradmin:diradmin /usr/local/directadmin/conf/cakey.pem
chmod 400 /usr/local/directadmin/conf/cakey.pem


Installing a Purchased Certificate

If you already have your own certificate and key, then paste them into the following files:

certificate:  /usr/local/directadmin/conf/cacert.pem
key: /usr/local/directadmin/conf/cakey.pem

Edit /usr/local/directadmin/conf/directadmin.conf and set ssl=1 (default is 0). This tells DA to load the certificate and key and to use an SSL connection.
Ensure your directadmin.conf has the following values set:

cacert=/usr/local/directadmin/conf/cacert.pem
cakey=/usr/local/directadmin/conf/cakey.pem

These paths can be changed as needed.

DirectAdmin needs to be restarted after any changes to directadmin.conf.

If you also have a CA root certificate, it can be specified by adding:

carootcert=/usr/local/directadmin/conf/carootcert.pem

to the /usr/local/directadmin/conf/directadmin.conf file (won't exist by default) and by pasting the contents of the CA root certificate into the file that carootcert points to.
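
A check to run before restarting DirectAdmin, added here as an example (it is not part of the original guide or DirectAdmin's own tooling): it confirms that ssl=1 is set, that cacert and cakey point at readable files, that the key has no group or other access, and that the certificate actually belongs to the key. The function names are hypothetical, and openssl on the PATH is assumed.

```shell
#!/bin/sh
# Added example: pre-restart audit of DirectAdmin's SSL settings.
# Function names are hypothetical; openssl on the PATH is assumed.

# conf_get FILE KEY: print the value of the last "KEY=value" line in FILE.
conf_get() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# key_is_private FILE: succeed only if group and other have no access bits.
key_is_private() {
    [ "$(ls -ldL "$1" | cut -c5-10)" = "------" ]
}

# pair_matches CERT KEY: succeed only if CERT carries KEY's public half.
pair_matches() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# da_ssl_audit CONF: print one line per finding; return 0 only if none.
da_ssl_audit() {
    conf=$1; bad=0
    cert=$(conf_get "$conf" cacert); key=$(conf_get "$conf" cakey)
    if [ "$(conf_get "$conf" ssl)" != "1" ]; then
        echo "ssl is not 1: port 2222 is still plain http"; bad=1
    fi
    if [ ! -r "$cert" ] || [ ! -r "$key" ]; then
        echo "cacert or cakey is unset or not readable"; return 1
    fi
    if ! key_is_private "$key"; then
        echo "key is accessible to group/other: chmod 400 $key"; bad=1
    fi
    if ! pair_matches "$cert" "$key"; then
        echo "certificate and private key do not match"; bad=1
    fi
    return "$bad"
}

# Usage: sh da_ssl_audit.sh /usr/local/directadmin/conf/directadmin.conf
if [ "$#" -gt 0 ]; then
    da_ssl_audit "$1"
fi
```

Run it as root so the chmod 400 key owned by diradmin is readable; a mismatched pair is the usual result of pasting a purchased certificate next to the wrong key.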


Using the free “Let’s Encrypt” tool to secure 2222

As of DA 1.50.0, we have added a new feature that allows you to make use of LetsEncrypt, a tool offering free basic SSL certificates.

  1. First, enable LetsEncrypt on your system.
  2. Afterwards, set up the LetsEncrypt certificate for your hostname.

Please note that, as of 1.30.2, you can tune the value of the SSL redirect used when a User connects to an https port with plaintext http.

As of 1.33.0, you can force DA to redirect to a specific hostname if you wish the host to match the installed certificate:

However, if they connect to https on a different host, they will first get the SSL warning (since SSL is established before the host is passed), then they will be redirected to the correct host, where the error will not appear (assuming you have a valid certificate set up).

As of 1.33.3, you can set an SSL cipher to force SSLv3 and disable SSLv2:

DA 1.48.4 will support HTTP Strict Transport Security (HSTS):

We recommend that you then enable both force_hostname and ssl_redirect_host with a host that does not use Apache, like dabox.domain.com, and not www.domain.com. HSTS does not apply only to port 2222: it would bleed over to Apache, changing http://www.domain.com (80) connections to use https://www.domain.com (443), even though the header is only set on port 2222.
