Setting up DA with an SSL certificate
You can switch DirectAdmin to use SSL instead of plain text, i.e. https instead of http on port 2222.
Please note that this is for the DirectAdmin connection on port 2222, *not* for Apache.
If you are trying to set up a certificate for your domain through Apache,
Creating a Self-Signed Certificate
If you do not have your own certificate, you will need to create one:
/usr/bin/openssl req -x509 -sha256 -newkey rsa:4096 -keyout /usr/local/directadmin/conf/cakey.pem -out /usr/local/directadmin/conf/cacert.pem -days 9000 -nodes
chown diradmin:diradmin /usr/local/directadmin/conf/cakey.pem
chmod 400 /usr/local/directadmin/conf/cakey.pem
Installing a Purchased Certificate
If you already have your own certificate and key, paste them into the following files:
certificate: /usr/local/directadmin/conf/cacert.pem
key: /usr/local/directadmin/conf/cakey.pem
Edit the /usr/local/directadmin/conf/directadmin.conf and set ssl=1 (default is 0).
This tells DA to load the certificate and key and to use an SSL connection.
Ensure your directadmin.conf has these values set (the paths can be changed as needed):
cacert=/usr/local/directadmin/conf/cacert.pem
cakey=/usr/local/directadmin/conf/cakey.pem
DirectAdmin needs to be restarted after any changes to the directadmin.conf.
If you also have a CA root certificate, it can be specified by adding:
carootcert=/usr/local/directadmin/conf/carootcert.pem
to the /usr/local/directadmin/conf/directadmin.conf file (the carootcert.pem file does not exist by default) and pasting the contents of the CA root cert into that file.
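The self-signed certificate and directadmin.conf steps above as one rehearsable script, an added example and not DirectAdmin's own tooling: the file names and config keys are the page's, while DA_CONF, DA_SSL_RUN, the function names and the -subj CN are assumptions, so you can point DA_CONF at a scratch directory before touching a live server.

```shell
#!/bin/sh
# Added example, not DirectAdmin's own script: rehearses the self-signed cert
# and directadmin.conf steps above. DA_CONF, DA_SSL_RUN and the -subj CN are
# assumptions; the file names and config keys come from the page.
DA_CONF="${DA_CONF:-/usr/local/directadmin/conf}"
# set_conf_value FILE KEY VALUE: replace an existing "KEY=" line or append
# one, so re-running never leaves duplicate keys in directadmin.conf.
set_conf_value() {
    file="$1"; key="$2"; value="$3"
    touch "$file"
    if grep -q "^${key}=" "$file"; then
        tmp="${file}.tmp.$$"   # portable in-place edit via a temp file
        sed "s|^${key}=.*|${key}=${value}|" "$file" > "$tmp" && mv "$tmp" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# get_conf_value FILE KEY: print the current value (empty if the key is absent).
get_conf_value() {
    sed -n "s|^$2=||p" "$1" | tail -n 1
}
# create_self_signed DIR [DAYS]: the openssl/chown/chmod steps from the page.
create_self_signed() {
    dir="$1"; days="${2:-9000}"
    openssl req -x509 -sha256 -newkey rsa:4096 -keyout "$dir/cakey.pem" \
        -out "$dir/cacert.pem" -days "$days" -nodes \
        -subj "/CN=$(hostname -f 2>/dev/null || hostname)" || return 1
    chown diradmin:diradmin "$dir/cakey.pem" 2>/dev/null || true  # needs root
    chmod 400 "$dir/cakey.pem"   # only DA's own user may read the private key
}

# enable_da_ssl DIR: point directadmin.conf at the cert/key, add the optional
# CA root cert only when that file exists, then switch ssl on.
enable_da_ssl() {
    conf="$1/directadmin.conf"
    set_conf_value "$conf" cacert "$1/cacert.pem"
    set_conf_value "$conf" cakey "$1/cakey.pem"
    if [ -s "$1/carootcert.pem" ]; then
        set_conf_value "$conf" carootcert "$1/carootcert.pem"
    fi
    set_conf_value "$conf" ssl 1
}
# The real run is opt-in so the functions can be sourced and tried first.
if [ "${DA_SSL_RUN:-0}" = 1 ]; then
    [ -s "$DA_CONF/cakey.pem" ] || create_self_signed "$DA_CONF" || exit 1
    enable_da_ssl "$DA_CONF"
    echo "Restart DirectAdmin so the updated directadmin.conf is loaded."
fi
```

Run it as `DA_SSL_RUN=1 sh da-ssl.sh` as root on the server; without DA_SSL_RUN it only defines the functions.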
Using the free “Let’s Encrypt” tool to secure 2222
As of DA 1.50.0, we have added a new feature that allows you to make use of LetsEncrypt, a tool for offering free basic SSL certificates.
- First, enable LetsEncrypt on your system
- Then set up the LetsEncrypt certificate for your hostname.
Please note that as of 1.30.2 you can set the value of the SSL redirect, used when a user connects to the https port with plaintext http.
For 1.33.0, you can force DA to redirect to a specific hostname if you wish the host to match the installed cert:
However, if they connect to https on a different host, they will first get the SSL warning (since SSL is established before the hostname is passed), and then be redirected to the correct host, where the error will not appear (assuming you have a valid cert set up).
As of 1.33.3, you can set an SSL cipher option to force SSLv3 and disable SSLv2:
DA 1.48.4 will support HTTP Strict Transport Security (HSTS):
However, we recommend that you enable both force_hostname and ssl_redirect_host with a hostname that Apache does not serve, such as dabox.domain.com rather than www.domain.com. HSTS is not limited to port 2222: it would bleed over to Apache, changing http://www.domain.com (80) connections to https://www.domain.com (443), even though the header was only set on port 2222.