fbpx

DirectAdmin backend beveiligen met een SSL-certificaat

You can switch DirectAdmin to use SSL instead of plain text. -> https instead of http on port 2222.
Note that this is for the DirectAdmin connection on port 2222, *not* for apache.
If you’re tryting to setup a certificate for your domain through apache, use this guide.

Creating a Self-Signed Certificate
If you do not have your own certificates, you’ll need to create your own:

/usr/bin/openssl req -x509 -sha256 -newkey rsa:4096 -keyout /usr/local/directadmin/conf/cakey.pem -out /usr/local/directadmin/conf/cacert.pem -days 9000 -nodes

chown diradmin:diradmin /usr/local/directadmin/conf/cakey.pem
chmod 400 /usr/local/directadmin/conf/cakey.pem

 


 

Installing a Purchased Certificate

If you already have your own certificate and key, then paste them into the following files:

certificate:  /usr/local/directadmin/conf/cacert.pem
key: /usr/local/directadmin/conf/cakey.pem

Edit the /usr/local/directadmin/conf/directadmin.conf and set SSL=1  (default is 0).  This tells DA to load the certificate and key and to use an SSL connection.
Ensure your directadmin.conf has the values set:

cacert=/usr/local/directadmin/conf/cacert.pem
cakey=/usr/local/directadmin/conf/cakey.pem

but can be changed as needed.

DirectAdmin needs to be restarted after any changes to the directadmin.conf.

If you also have a CA Root Certificate, this can be specified by adding:

carootcert=/usr/local/directadmin/conf/carootcert.pem

into the /usr/local/directadmin/conf/directadmin.conf file (won’t exist by default) and by pasting the contents of the caroot cert into that file.


 

Using the free “Let’s Encrypt” tool to secure 2222

As of DA 1.50.0, we’ve added a new feature that allows you to make use of LetsEncrypt, a tool offering free basic SSL certificates.
We’ve written the script in such a manner that you can also setup SSL for your hostname and all services in one simple command for your hostname: 
eg:

cd /usr/local/directadmin/scripts
./letsencrypt.sh request your.hostname.com 4096

which will also install the new cert/key/ca files in all respective global places for apache, dovecot, exim, ftp, and DirectAdmin.
NOTE The hostname value, eg: your.hostname.com must match the “servername” value set in the directadmin.conf, or it will not be in hostname mode, but User domain mode instead.

You must then turn on SSL in DA and tell DA to use the carootcert, as well as force the hostname for SSL:

cd /usr/local/directadmin/conf
perl -pi -e ‘s/SSL=0/SSL=1/’ directadmin.conf
echo “carootcert=/usr/local/directadmin/conf/carootcert.pem” >> directadmin.conf
echo “force_hostname=your.hostname.com” >> directadmin.conf
echo “ssl_redirect_host=your.hostname.com” >> directadmin.conf
/etc/init.d/directadmin restart

 


Note, as of 1.30.2, you can set the value of the SSL redirect should a User connect to an https connection with plaintext http.
http://www.directadmin.com/features.php?id=801

For 1.33.0, you can force DA to redirect to a specific hostname if you wish the host to match the cert installed:
http://www.directadmin.com/features.php?id=917
However, if they connect to https on a different host, they’ll first get the ssl warning (since ssl is established before the host is passed), then they’ll be redirected to the correct host, where the error would not appear (assuming you’ve got a valid cert setup)

As of 1.33.3, you can enable a ssl cipher to force SSLv3, and disable SSLv2:
http://www.directadmin.com/features.php?id=957

DA 1.48.4 will support HTTP Strict Transport Security (HSTS):
https://www.directadmin.com/features.php?id=1776
But we recommend you enable both the force_hostname as well as the ssl_redirect_host with a non-apache-used host, like dabox.domain.com, and not www.domain.com, as HSTS doesn’t respect only port 2222, it would bleed over to apache, changing http://www.domain.com (80) connections to use https://www.domain.com (443), even though the header was only set on port 2222.

Dit bericht is gepost in VPS. Bookmark de link.

Geef een reactie

Je e-mailadres wordt niet gepubliceerd. Vereiste velden zijn gemarkeerd met *