I'd like to use an SSL certificate in DirectAdmin

Securing communication and data is increasingly important. After all, you don't want the communication between visitors and your website(s) to be readable by malicious parties. That's why it's very important to encrypt sensitive information such as customer data and payment information using 'https' traffic. To do this, you'll need an SSL certificate on your VPS.

This guide explains the following parts:

  • We try to keep this guide as up to date as possible and applicable to as many different installations as possible. However, we cannot guarantee that this guide works for every installation (as it depends on your configuration). Should you encounter a problem, you are welcome to contact our support department.
     
  • For securing your hostname we recommend using Let's Encrypt. Securing your hostname is important for yourself, resellers and users with their own accounts on your DirectAdmin VPS. A paid domain certificate has no additional value as Let's Encrypt is just as secure. The exception to this is if you'd like your company name to be visible behind the green lock. In that case you should use an extended validation certificate.

Used installation:

 

  • DirectAdmin 1.51.4
  • CentOS 7.2.1511

 

Prerequisites for installing your own certificate:

  • A (Sectigo) SSL certificate if you don't want to use Let's Encrypt.
  • It is vitally important that you've saved the (correct) passphrase for your (Sectigo) SSL certificate.
  • A working installation of DirectAdmin. If you'd like to use Let's Encrypt, DirectAdmin should be at least version 1.50.1.
  • DirectAdmin has SNI enabled by default, which allows the installation of multiple SSL certificates on 1 IP.
  • This guide assumes you already added a domain / website on the user level.
  • If you're using a CAA-record in your DNS-settings, make sure that you've added 'Comodo' (for Sectigo certificates) or 'Lets Encrypt' in the record.

Installing your own (Sectigo) SSL certificate in DirectAdmin

 

Step 1

First enable SSL support for your domain in DirectAdmin. Log in to the 'User Level' as the user under whose name the domain is hosted.

DirectAdmin select domain


 

Step 2

Click the name of your domain. If you are currently hosting a single domain you will not see this step and will immediately arrive at Step 3.

DirectAdmin Domain list


 

Step 3

Make sure 'Secure SSL' is selected and click 'Save'.

DirectAdmin enable secure SSL

If you're only using one folder on your website (and do not distinguish between http and https), select the option 'Use a symbolic link from private_html to public_html - allows for same data in http and https'.


 

Step 4

At the User Level navigate to 'Advanced Features' and click on 'SSL Certificates'.

SSL certificates in DirectAdmin


 

Step 5

The SSL certificate and the corresponding private key must be provided under 'Paste a pre-generated certificate and key'. Don't use the current server-certificate or CSR.

  • Open the private key first (certificate.key) using your favorite text editor and copy all contents (including the -----BEGIN PRIVATE KEY----- and -----END PRIVATE KEY----- lines) into the field under 'Paste a pre-generated certificate and key'.

  • Open the certificate itself (certificate.crt) using your favorite text editor and copy all contents again (including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines) directly below the private key part.

directadmin paste ssl certificate key


 

Step 6

Click on 'Save'. In the field immediately under the certificate the information from the certificate will be shown.
Information about the SSL certificate
 


 

Step 7

Now you'll need to install the 'root- and intermediate certificate'. These certificates contain all information about the certificates above your own and establish a 'Chain of Trust' with the SSL certificate provider. By default many desktop browsers contain a copy of this 'root- and intermediate certificate', but not all mobile browsers do, which is why you should add these certificates.

Click on 'Click Here to paste a CA Root Certificate'.



Step 8

Open the bundle containing the root- and intermediate certificates (cabundle.crt) using your favorite text editor and copy all contents. Next, paste the content into the field below 'Certificate Authority SSL Certificate' and select 'Use a CA Cert'.
Root and intermediate certificates


 

Step 9

Click on 'Save' to install these certificates. The SSL certificate is now successfully installed! If you visit your website you'll now see a green lock indicating it's secure.

A successful test via https
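
Before pasting the files in Steps 5 and 8, you can confirm that the private key belongs to the certificate and that the certificate chains to the CA bundle. The script below is an added example, not part of the original guide: the file names follow the guide, the function names are hypothetical, and the demo generates a throwaway constructed CA and certificate so that it runs offline.

```bash
#!/bin/sh
# Added example: pre-flight check for the files pasted in Steps 5 and 8.
# check_cert_files and make_demo_files are hypothetical helper names.

# check_cert_files KEY CERT CABUNDLE
# 0 = key matches and chain verifies, 1 = key/certificate mismatch,
# 2 = certificate does not chain to the bundle, 3 = unreadable input.
# A passphrase-protected key makes openssl ask for the passphrase.
check_cert_files() {
  cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ||
    { echo "cannot read certificate: $2"; return 3; }
  key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) ||
    { echo "cannot read private key: $1"; return 3; }
  # Both commands print the public key as PEM; identical text means a pair.
  [ "$cert_pub" = "$key_pub" ] ||
    { echo "private key does not belong to certificate"; return 1; }
  openssl verify -CAfile "$3" "$2" >/dev/null 2>&1 ||
    { echo "certificate does not chain to bundle"; return 2; }
  echo "ok"
}

# Constructed sample input: a throwaway CA, a certificate it signs, an unrelated key.
make_demo_files() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Demo CA" \
    -keyout "$1/ca.key" -out "$1/cabundle.crt" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=www.example.com" \
    -keyout "$1/certificate.key" -out "$1/certificate.csr" 2>/dev/null
  openssl x509 -req -in "$1/certificate.csr" -CA "$1/cabundle.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -days 1 -out "$1/certificate.crt" 2>/dev/null
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1/other.key" 2>/dev/null
}

demo=$(mktemp -d)
make_demo_files "$demo"
check_cert_files "$demo/certificate.key" "$demo/certificate.crt" "$demo/cabundle.crt"
check_cert_files "$demo/other.key" "$demo/certificate.crt" "$demo/cabundle.crt" || true
```

On your own files, run check_cert_files certificate.key certificate.crt cabundle.crt and only paste them into DirectAdmin when it prints "ok".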


Installing a Let's Encrypt SSL certificate in DirectAdmin

Let's Encrypt is a free, automated and open 'Certificate Authority' provided by the non-profit organisation Internet Security Research Group (ISRG). The goal of Let's Encrypt is to help secure the internet by giving everyone the option to use SSL. On the website of DirectAdmin there's a short guide on how to enable Let's Encrypt in DirectAdmin, but we'll delve into the steps in more detail below.

The following steps must be followed using commandline over SSH or our VPS console. (Please note! Let's Encrypt only works in DirectAdmin 1.50.1 or more recent versions):

 

Step 1

First enable SSL support for your domain in DirectAdmin. Log in to the 'User Level' as the user under whose name the domain is hosted.

DirectAdmin select domain


 

Step 2

Click the name of your domain. If you are currently hosting a single domain you will not see this step and will immediately arrive at Step 3.

DirectAdmin Domain list


 

Step 3

Make sure 'Secure SSL' is selected and click 'Save'.

DirectAdmin enable secure SSL


 

Step 4

Connect to your VPS using SSH or the VPS console and enter the following command as root user to ensure your VPS has the script required for generating Let's Encrypt certificates.

wget -O /usr/local/directadmin/scripts/letsencrypt.sh http://files.directadmin.com/services/all/letsencrypt/letsencrypt.sh

 

Step 5

In directadmin.conf you'll instruct DirectAdmin to use Let's Encrypt and force the usage of your hostname (your hostname will be secured with Let's Encrypt using these steps). Open directadmin.conf:

sudo nano /usr/local/directadmin/conf/directadmin.conf

Add the contents below / adjust the existing values in the file that opens:

carootcert=/usr/local/directadmin/conf/carootcert.pem
enable_ssl_sni=1
force_hostname=server.yourdomain.com
letsencrypt=1
ssl=1
ssl_redirect_host=server.yourdomain.com

Replace server.yourdomain.com with your actual hostname. When done, close nano and save the changes (ctrl+X > Y > enter).



Step 6

Enter the commands below to process the changes to your configuration and ensure you're using Let's Encrypt's latest version:

cd /usr/local/directadmin/custombuild
./build update 
./build letsencrypt
./build rewrite_confs

 

Step 7

 

Enter the command below (still as root user) to ensure Let's Encrypt uses your hostname correctly and not 'localhost'  (adjust server.yourdomain.com to your actual host name).

cd /usr/local/directadmin/scripts
./letsencrypt.sh request_single server.yourdomain.com

 

Step 8

Finally, restart DirectAdmin to process all previous changes:

systemctl restart directadmin

 

Step 9

Log in to DirectAdmin at the 'User Level' and click 'SSL Certificates' under 'Advanced Features'.


 

Step 10

Select 'Free & automatic certificate from Let's Encrypt' next. Provide your e-mail address and click 'Save'.

When you now open your website in your browser (using https:// or through a .htaccess redirect to https://) you'll see a green lock in your address bar indicating your website is now secured with the Let's Encrypt certificate!

The installed Let's Encrypt SSL certificate


 

Would you like to use Let's Encrypt for more websites? Repeat steps 1, 2, 3, 9 and 10. Don't forget to have your domain point to your VPS in its DNS settings.
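
Step 5 of the Let's Encrypt procedure above edits directadmin.conf by hand, where it is easy to leave an old value in place next to the new one. The script below is an added example, not part of the original guide or of DirectAdmin: it sets the six values from Step 5 by replacing existing keys instead of appending duplicates. The function names are hypothetical and the demo runs on a constructed sample file rather than the real directadmin.conf.

```bash
#!/bin/sh
# Added example: apply the Step 5 settings without creating duplicate keys.
# set_conf and apply_le_settings are hypothetical helper names.

# set_conf FILE KEY VALUE: rewrite the first KEY= line, drop later
# duplicates of KEY, and append KEY=VALUE when the key is absent.
set_conf() {
  sc_tmp=$(mktemp) || return 1
  # $1 == k is an exact match on the key, so "ssl" never touches
  # "ssl_redirect_host". Values must not contain backslashes (awk -v).
  awk -F= -v k="$2" -v v="$3" '
    $1 == k { if (!done) print k "=" v; done = 1; next }
    { print }
    END { if (!done) print k "=" v }
  ' "$1" > "$sc_tmp" && cat "$sc_tmp" > "$1"   # cat keeps owner and mode
  sc_rc=$?
  rm -f "$sc_tmp"
  return "$sc_rc"
}

# apply_le_settings FILE HOSTNAME: the six values listed in Step 5.
apply_le_settings() {
  set_conf "$1" carootcert /usr/local/directadmin/conf/carootcert.pem &&
  set_conf "$1" enable_ssl_sni 1 &&
  set_conf "$1" force_hostname "$2" &&
  set_conf "$1" letsencrypt 1 &&
  set_conf "$1" ssl 1 &&
  set_conf "$1" ssl_redirect_host "$2"
}

# Constructed sample file standing in for directadmin.conf.
conf=$(mktemp)
printf 'ssl=0\nletsencrypt=0\nforce_hostname=old.example.com\nport=2222\nssl=0\n' > "$conf"
apply_le_settings "$conf" server.yourdomain.com
cat "$conf"
```

Running it a second time leaves the file unchanged. Unrelated settings such as port=2222 in the sample are left as they were.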


Comments


0
Matthijs van Beek Admin December 16, 2022 (#9218)

@maltacode, while I'm not familiar with running Lego, I suspect that what you're referring to is the regular private key path used by Let's Encrypt. This should be: /etc/letsencrypt/live/yourdomainname.com/privkey.pem

0
maltacode September 2, 2022 (#8741)

Hi,

Installing a 'non-wildcard' LE SSL works fine. But as soon as wildcard is selected I run into the following issue:

I have Letsencrypt 2.0.30 installed and Lego, running on Directadmin 1.61.0 + AlmaLinux 8. I can select the Transip DNS provider. Then there is the need to fill in information on the DNS Provider Configuration. The account name field is clear I guess, that's my Transip.eu account name (or should it be my email address?)

I just don't understand what the 'Private key path' should contain. Should it be on my server? In what folder? I've created a key on my server and stored it in the /home/user/domains/domain/.ssh/ folder, but it keeps on telling me that the key cannot be read/found when I try to create a wildcard on a domain.

Can you explain or point me to the documentation on the 'Private key path' what this path should be and where this path/key should reside?