DirectAdmin SSL login quirk...

jp001

New Member
Using the built-in Let's Encrypt, my site seems to be all "hooked up" for SSL, but when attempting to log in to DA via https (https://www.mydomain.com:2222) I get a "This Connection is not private" browser message. HOWEVER... If I try to access via http (http://www.mydomain.com:222) it redirects to https and I get the normal DA login page.

Why is the https not working for DA log in?

Thanks!
 

KH-JonathanKW

Technical Assurance Specialist
Staff member
Did you set this up?

https://help.directadmin.com/item.php?id=629
==
cd /usr/local/directadmin
./directadmin set ssl 1
./directadmin set carootcert /usr/local/directadmin/conf/carootcert.pem
./directadmin set ssl_redirect_host your.hostname.com
service directadmin restart
==

If you didn't set this, then accessing over HTTPS:// will still redirect to the IP.
 

jp001

New Member
Hi Jonathan,

I just checked the directadmin.conf file and everything you mention above appears to be set (during install by KH tech).

"./directadmin set ssl_redirect_host" is set to host.mydomain.com. Should this be set to www.mydomain.com?

To clarify: Typing http://www.mydomain.com:2222 will redirect to https://host.mydomain.com:2222. Typing https://www.mydomain.com:2222 will result in a browser "connection not private" warning.

Thanks for helping me try to understand this all! :)
 

KH-JonathanKW

Technical Assurance Specialist
Staff member
I apologize. When I initially read this thread, I was pretty sure it said 'host.mydomain.com' which is what you were having issues with.

You're receiving this error because DirectAdmin is tied to the hostname certificate for any :2222 connections over https.

This doesn't allow any other domains to access over :2222 other than the secured hostname.

So when you expand the warning to see what's occurring you get:

"This server could not prove that it is domain.com; its security certificate is from host.domain.com. This may be caused by a misconfiguration or an attacker intercepting your connection."

This is normal and by design.

In order to enable https:// for www.domain.com:2222 or domain.com:2222 -- configuration changes would need to occur to the directadmin.conf file.

==
https://www.directadmin.com/features.php?id=2461
==

Need to disable 'force_hostname='

Need to ensure that 'mail_sni=' is enabled to '1'.

If you haven't had mail sni setup yet: https://www.directadmin.com/features.php?id=2019

Then you need to execute this via the CLI: echo "action=rewrite&value=mail_sni" >> /usr/local/directadmin/data/task.queue

That tells the system to write all eligible SNI domains (that currently have SSL certificates) to their proper files, which will allow the multiple certificates to work for each individual domain on :2222.
 
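The certificate-selection behaviour explained in the post above, as an added worked model for this thread. This is not DirectAdmin's code: the `DirectAdminModel` class, its `force_hostname` / `mail_sni` flags and the `rewrite_mail_sni` method are a simplified stand-in for what the thread describes, and every hostname and certificate name is constructed. It shows why `https://www.mydomain.com:2222` warns while `host.mydomain.com` does not, why disabling `force_hostname` alone is not enough until the SNI files are rewritten, and how a browser matches a certificate name (including a single leftmost wildcard label) against the requested host.

```python
"""Model of which certificate a DirectAdmin-style :2222 listener presents,
and what a browser concludes from it.  Added illustration, not DirectAdmin's
own logic; all names below are constructed."""
from dataclasses import dataclass, field


@dataclass
class Cert:
    """A certificate reduced to the DNS names a browser checks (its SANs)."""
    names: tuple


def name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style DNS-ID match: exact match, or a '*.example.com'
    pattern whose wildcard stands for exactly one label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # '*' covers one label only; '*.com' (too few labels) never matches
    return (len(p_labels) == len(h_labels)
            and len(p_labels) >= 3
            and p_labels[1:] == h_labels[1:])


@dataclass
class DirectAdminModel:
    """Hypothetical server state mirroring the directadmin.conf settings
    named in the thread (force_hostname, mail_sni) plus the per-domain
    SNI certificate files that the task.queue rewrite populates."""
    hostname: str
    hostname_cert: Cert
    force_hostname: bool = True
    mail_sni: bool = False
    sni_certs: dict = field(default_factory=dict)

    def rewrite_mail_sni(self, domain_certs: dict) -> None:
        """Stand-in for 'action=rewrite&value=mail_sni': copy every domain
        that has a certificate into the SNI files.  Does nothing unless
        mail_sni is enabled."""
        if self.mail_sni:
            self.sni_certs = dict(domain_certs)

    def cert_for(self, sni_name: str) -> Cert:
        """Certificate offered for a TLS handshake on :2222 that asked for
        sni_name.  With force_hostname on, or with no SNI file for the
        name, the hostname certificate is always used."""
        if self.force_hostname or sni_name not in self.sni_certs:
            return self.hostname_cert
        return self.sni_certs[sni_name]


def browser_verdict(server: DirectAdminModel, requested_host: str) -> str:
    """'ok' if the presented certificate covers requested_host, otherwise the
    kind of warning text the thread quotes."""
    cert = server.cert_for(requested_host)
    if any(name_matches(n, requested_host) for n in cert.names):
        return "ok"
    return (f"warning: server could not prove it is {requested_host}; "
            f"its certificate is from {', '.join(cert.names)}")


def demo() -> tuple:
    """Walk through the thread's situation and the suggested fix."""
    server = DirectAdminModel(
        hostname="host.mydomain.com",
        hostname_cert=Cert(("host.mydomain.com",)),
    )
    site_certs = {"www.mydomain.com": Cert(("www.mydomain.com", "mydomain.com"))}
    before = browser_verdict(server, "www.mydomain.com")      # warning
    # Disabling force_hostname alone: SNI files are still empty.
    server.force_hostname = False
    half_fixed = browser_verdict(server, "www.mydomain.com")  # still warning
    # Enable mail_sni and run the rewrite, then the per-domain cert is served.
    server.mail_sni = True
    server.rewrite_mail_sni(site_certs)
    after = browser_verdict(server, "www.mydomain.com")       # ok
    return before, half_fixed, after


if __name__ == "__main__":
    for step in demo():
        print(step)
```

The model deliberately keeps the hostname certificate as the fallback for any name without an SNI file, which is why the login over the raw hostname keeps working throughout and why a domain without its own certificate still gets the mismatch warning even after the configuration change.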

jp001

New Member
Great! -Thanks for the detailed info!

Other than overcoming the log-in "quirk" I encountered, is there an advantage to using mail sni for a non-reseller VPS like myself?
 

KH-JonathanKW

Technical Assurance Specialist
Staff member
Depends on how many domains you have and how many emails per each domain.

sni (server name identification) is used to allow multiple certificates to exist on 1 shared/primary IP.

mail sni for Directadmin allows these certificates to be used for exim/dovecot so that you can access your email securely over various secured domains on the same IP address.
 

jp001

New Member
I don't imagine having more than a half-dozen domains. Sounds like I can probably leave things as-is for now...

Thanks for your help, Jonathan!
 