How to install an SSL for hostname in DirectAdmin

It’s always a good choice to install an SSL certificate for the DirectAdmin server’s hostname. Doing so, you and your clients will have a secure connection to the DirectAdmin control panel.

The command that should be run to request and install an SSL certificate on the hostname is:

# /usr/local/directadmin/scripts/letsencrypt.sh request_single web21.plothost.com 4096

Example for our case, where the hostname is web21.plothost.com:

[root@web21 custombuild]# /usr/local/directadmin/scripts/letsencrypt.sh request web21.plothost.com 4096
Setting up certificate for a hostname: web21.plothost.com
2020/12/20 10:41:08 No key found for account admin@web21.plothost.com. Generating a 4096 key.
2020/12/20 10:41:10 Saved key to /usr/local/directadmin/data/.lego/accounts/acme-v02.api.letsencrypt.org/admin@web21.plothost.com/keys/admin@web21.plothost.com.key
2020/12/20 10:41:11 [INFO] acme: Registering account for admin@web21.plothost.com
!!!! HEADS UP !!!!

Your account credentials have been saved in your Let's Encrypt
configuration directory at "/usr/local/directadmin/data/.lego/accounts".

You should make a secure backup of this folder now. This
configuration directory will also contain certificates and
private keys obtained from Let's Encrypt so making regular
backups of this folder is ideal.
2020/12/20 10:41:11 [INFO] [web21.plothost.com] acme: Obtaining SAN certificate
2020/12/20 10:41:11 [INFO] [web21.plothost.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/9459003612
2020/12/20 10:41:11 [INFO] [web21.plothost.com] acme: Could not find solver for: tls-alpn-01
2020/12/20 10:41:11 [INFO] [web21.plothost.com] acme: use http-01 solver
2020/12/20 10:41:11 [INFO] [web21.plothost.com] acme: Trying to solve HTTP-01
2020/12/20 10:41:17 [INFO] [web21.plothost.com] The server validated our request
2020/12/20 10:41:17 [INFO] [web21.plothost.com] acme: Validations succeeded; requesting certificates
2020/12/20 10:41:24 [INFO] [web21.plothost.com] Server responded with a certificate.
Certificate for web21.plothost.com has been created successfully!
DirectAdmin certificate has been setup.
carootcert=/usr/local/directadmin/conf/carootcert.pem
ssl=1
Setting up cert for Exim...
Setting up cert for WWW server...
Setting up cert for FTP server...
The services will be restarted in about 1 minute via the dataskq.
[root@web21 custombuild]#

To check the certification status, use:

# openssl x509 -in /etc/httpd/conf/ssl.crt/server.crt -text -noout | grep "Issuer"
[root@web21 ~]# openssl x509 -in /etc/httpd/conf/ssl.crt/server.crt -text -noout | grep "Issuer"
        Issuer: C = US, O = Let's Encrypt, CN = R3
                CA Issuers - URI:http://r3.i.lencr.org/
[root@web21 ~]#

For this command to work you must have the servername value set the actual hostname in the directadmin.conf file. Otherwise, you will get an error message when trying to run the command:

[root@web21 ~]# /usr/local/directadmin/scripts/letsencrypt.sh request_single web21.plothost.com 4096
Domain does not exist on the system. Unable to find web21.plothost.com in /etc/virtual/domainowners, and domain is not set as hostname (servername) in DirectAdmin configuration. Exiting...
no valid domain found - exiting
[root@web21 ~]# 

You can also get an error message if you are using a CAA record on the main domain DNS zone.

[root@web21 ~]# /usr/local/directadmin/scripts/letsencrypt.sh request_single web21.plothost.com 4096
Setting up certificate for a hostname: web21.plothost.com
CAA record prevents issuing the certificate: "sectigo.com"
[root@web21 ~]# 

In our case, the CAA record was set to “sectigo.com”. DirectAdmin uses Let’s Encrypt certificates so the CAA record should be:

CAA   plothost.com.   0   issue   letsencrypt.org

Resources:
DirectAdmin SSL on hostname
DirectAdmin check SSL

Leave a Reply