If your DirectAdmin server is showing a "Not Secure" warning in browsers, your visitors are already second-guessing your site. SSL certificates protect your users, boost your search rankings, and are now a baseline requirement for any hosted domain. This guide covers every method to install SSL in DirectAdmin — free Let's Encrypt, paid third-party certificates, and wildcard SSL — plus a full troubleshooting checklist so you don't have to search a second time.
Why SSL Matters on a DirectAdmin Server (and What Breaks Without It)
Without a valid SSL certificate, browsers display a "Not Secure" warning in the address bar. Chrome blocks form submissions on HTTP pages. Search engines penalise unencrypted sites. Payment processors refuse to load. A missing or expired certificate can drop your traffic overnight.
On DirectAdmin, SSL is managed per-domain. Each domain on your server must have its own certificate — or share one wildcard cert. Let's Encrypt is free and renews automatically every 90 days. Paid certificates from DigiCert, Comodo, or Sectigo add organisation validation (OV) and extended validation (EV). Both work inside the same DirectAdmin panel.
Before you begin, confirm all of the following:
- You have admin, reseller, or user-level access to the DirectAdmin panel for the target domain
- The domain's DNS A record points to your server's IP address (use dig yourdomain.com A to verify)
- Port 80 (HTTP) and port 443 (HTTPS) are open in your firewall — Let's Encrypt needs port 80 for ACME validation
- If using Evolution Skin: navigate via Domain Setup → SSL Certificates. If using Classic Skin: click SSL Certificates from the user dashboard
- The domain is active in DirectAdmin — not suspended or deleted from Domain Setup
If DNS has just been updated, wait for propagation (usually 5–30 minutes) before requesting a certificate. Let's Encrypt will fail if its validation server cannot reach your domain.
Method 1: Install a Free Let's Encrypt SSL in DirectAdmin
Let's Encrypt is the fastest way to secure a domain on DirectAdmin. The process takes under two minutes when DNS is correctly configured.
Log into your DirectAdmin panel as the domain owner. Navigate to Domain Setup, select the domain you want to secure, check the Secure SSL checkbox, and click Save. This creates the SSL-ready virtual host entry for the domain. Without this step, DirectAdmin will not serve HTTPS traffic even after a certificate is installed.
Go to SSL Certificates. In Evolution Skin, this is under Domain Setup → SSL Certificates. In Classic Skin, it is accessible from the main user dashboard. You will see three tabs: Free & automatic certificate from Let's Encrypt, Paste a pre-generated certificate, and Generate a certificate request.
Select the Free & automatic certificate from Let's Encrypt tab. Tick the checkbox for the domain (and www.yourdomain.com if you want both covered). Click Save. DirectAdmin contacts the Let's Encrypt ACME server, completes the HTTP-01 challenge on port 80, and installs the certificate automatically within seconds.
Reload the SSL Certificates page. The screen should now show the certificate expiry date (roughly 90 days from today). Visit your domain in a browser — the padlock should appear. If it does not, proceed to the troubleshooting section below.
Auto-renewal: DirectAdmin schedules Let's Encrypt renewals automatically at day 85 of the 90-day certificate lifecycle. If renewal fails (DNS change, port 80 blocked, domain suspended), you will receive an email alert. Trigger a manual renewal by returning to the SSL Certificates page and clicking Save again. To enable Let's Encrypt globally at the admin level, confirm letsencrypt=1 is set in /usr/local/directadmin/conf/directadmin.conf and restart DirectAdmin:
service directadmin restart
In the SSL Certificates panel, click Generate a certificate request. Fill in your domain name (Common Name), organisation name, city, state, and two-letter country code. Click Save. DirectAdmin generates a 2048-bit or 4096-bit RSA private key (stored on the server) and a CSR text block that starts with -----BEGIN CERTIFICATE REQUEST-----.
Copy the full CSR text and paste it into your CA's order form (DigiCert, Comodo, Sectigo, GlobalSign, etc.). Complete domain validation — typically a verification email to [email protected] or a DNS CNAME record. The CA will issue a certificate file (usually .crt) and may include an intermediate or chain file (.ca-bundle or .chain.crt). Download all files.
Back in SSL Certificates, click the Paste a pre-generated certificate and key tab. In the Certificate field, paste the contents of your .crt file. In the Key field, paste the private key that was generated during the CSR step (it begins with -----BEGIN PRIVATE KEY----- or -----BEGIN RSA PRIVATE KEY-----). Click Save.
If your CA provided a bundle or chain file, scroll down to CA Root Certificate and paste the chain contents there. This step is critical. Incomplete chains cause "Invalid security certificate" errors in mobile browsers and automated tools. The chain should include your intermediate CA cert(s) between your end-entity cert and the root. When in doubt, paste all CA certs in the bundle file.
Test your certificate at SSL Labs (ssllabs.com/ssltest). An A or A+ rating confirms the chain is complete and your cipher configuration is strong. An A- or B rating usually indicates TLS 1.0/1.1 is still enabled — disable those in your Apache or Nginx config.
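The two mistakes the paste step above is most exposed to, a private key that does not belong to the certificate and a missing intermediate, can be caught with openssl before anything is saved in the panel. The script below is an added example, not part of DirectAdmin or of the original guide; the function names, file names and the throwaway root/intermediate/leaf chain it builds are constructed for the demonstration.

```bash
#!/bin/sh
# Added example: preflight checks before pasting a CA-issued certificate.
# File names and the demo PKI are constructed test data, not real certificates.

# key_matches_cert CERT KEY: succeeds if KEY is the private key for CERT.
key_matches_cert() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# chain_is_complete ROOT CERT [BUNDLE]: succeeds if CERT chains to ROOT using
# only the intermediates in BUNDLE, i.e. what a client with no cached
# intermediates can build from what the server sends.
chain_is_complete() {
  if [ -n "$3" ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
  fi
}

# make_demo_pki DIR: builds a throwaway root -> intermediate -> leaf chain.
make_demo_pki() {
  printf 'basicConstraints=critical,CA:TRUE\n' > "$1/ca.ext"
  printf 'basicConstraints=critical,CA:FALSE\n' > "$1/leaf.ext"
  for n in root int leaf; do
    openssl req -newkey rsa:2048 -nodes -subj "/CN=demo-$n" \
      -keyout "$1/$n.key" -out "$1/$n.csr" 2>/dev/null || return 1
  done
  openssl x509 -req -in "$1/root.csr" -signkey "$1/root.key" -days 30 \
    -extfile "$1/ca.ext" -out "$1/root.crt" 2>/dev/null &&
  openssl x509 -req -in "$1/int.csr" -CA "$1/root.crt" -CAkey "$1/root.key" \
    -CAcreateserial -days 30 -extfile "$1/ca.ext" -out "$1/int.crt" 2>/dev/null &&
  openssl x509 -req -in "$1/leaf.csr" -CA "$1/int.crt" -CAkey "$1/int.key" \
    -CAcreateserial -days 30 -extfile "$1/leaf.ext" -out "$1/leaf.crt" 2>/dev/null
}

# Demo run on the constructed chain.
demo=$(mktemp -d) && make_demo_pki "$demo" && {
  key_matches_cert "$demo/leaf.crt" "$demo/leaf.key" && echo "key matches certificate"
  key_matches_cert "$demo/leaf.crt" "$demo/int.key" || echo "wrong key rejected"
  chain_is_complete "$demo/root.crt" "$demo/leaf.crt" || echo "no bundle: chain incomplete"
  chain_is_complete "$demo/root.crt" "$demo/leaf.crt" "$demo/int.crt" && echo "with bundle: chain complete"
}
rm -rf "$demo"
```

With real files, CERT is the .crt from your CA, KEY is the key generated at the CSR step, BUNDLE is the .ca-bundle or .chain.crt file, and ROOT is the CA's published root certificate.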
On the server as root, open /usr/local/directadmin/conf/directadmin.conf and confirm these two lines exist and are set to 1:
letsencrypt=1
dns_ttl=1
The dns_ttl=1 setting tells DirectAdmin to use a 1-second TTL for the DNS-01 TXT record, which speeds up ACME validation significantly. After editing, restart DirectAdmin:
service directadmin restart
DirectAdmin uses the acme.sh client internally. For Cloudflare DNS, export your API token before requesting the cert:
export CF_Token="your_cloudflare_api_token"
export CF_Account_ID="your_cloudflare_account_id"
export CF_Zone_ID="your_cloudflare_zone_id"
Then issue the wildcard certificate from the command line as root:
/usr/local/directadmin/scripts/letsencrypt.sh request_single yourdomain.com 4096 wildcard
DirectAdmin will create a _acme-challenge.yourdomain.com TXT record via the Cloudflare API, wait for DNS propagation, and complete the ACME challenge. The certificate is installed automatically.
Return to SSL Certificates for your domain. The active certificate should now show *.yourdomain.com as the common name. All subdomains that resolve to the same server IP will now be secured by this single certificate without additional configuration.
You attempted to request a certificate but DirectAdmin returned this error. The fix is simple: go to Domain Setup, select the domain, tick the Secure SSL checkbox, and click Save. The HTTPS virtual host must exist before any certificate can be assigned. This step is often skipped when domains are added quickly.
The padlock appears broken or your browser console shows mixed content errors. This happens when the page loads over HTTPS but some resources (images, stylesheets, scripts) are still referenced with http:// URLs. Fix all hardcoded URLs in your CMS settings or database. Also add this HTTPS redirect to your .htaccess file in the domain's public_html directory:
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
Let's Encrypt renews at day 85. Renewal will fail if: port 80 is blocked by your firewall or hosting provider, the domain's A record has changed and no longer points to this server, or the server's web service is not running and cannot serve the ACME challenge file. Confirm port 80 is open from the internet, then return to the SSL Certificates panel and click Save to manually trigger a renewal attempt.
Desktop browsers cache intermediate certificates and often succeed even with an incomplete chain. Mobile browsers do not. If mobile devices show a certificate error while desktop works fine, your chain is missing an intermediate. Return to the SSL Certificates panel and paste the full bundle (your end-entity cert + all intermediate CA certs) into the Certificate field. Verify the complete chain at SSL Labs.
DirectAdmin's own admin panel also uses SSL. If the panel SSL cert is expired or mis-configured, you may lose access to the control panel itself. As root via SSH, re-issue the service SSL certificate:
cd /usr/local/directadmin/scripts
./build update_ssl
Then restart DirectAdmin: service directadmin restart.
Managing SSL across dozens of domains and panels — especially with Let's Encrypt renewals, wildcard DNS hooks, and mixed-content remediation — adds up to significant administrative overhead. CloudHouse's managed server team handles SSL installation, renewal monitoring, and post-install troubleshooting as part of ongoing server management, so you never face an unexpected certificate expiry.
Post-Install SSL Checklist
After installing any SSL certificate in DirectAdmin, run through this checklist before closing the ticket:
- Domain resolves over HTTPS without any browser warning
- HTTP (port 80) redirects to HTTPS with a 301 status code
- SSL Labs test returns an A or A+ rating with no chain errors
- No mixed content warnings appear in the browser developer console
- Let's Encrypt auto-renewal cron is active (check DirectAdmin task queue)
- Wildcard cert covers all subdomains you intend to serve from this server
- Certificate expiry date is visible in the DirectAdmin SSL Certificates panel
SSL installation on DirectAdmin is straightforward once you know which method fits your situation. Use Let's Encrypt for standard domains — it's free, automatic, and takes two minutes. Use a paid certificate when OV or EV validation is required by compliance or organisational policy. Configure the DNS-01 API flow for wildcards when you manage many subdomains. Keep port 80 open for renewals, always include the full certificate chain, and run an SSL Labs check after every installation to catch cipher or chain issues before your visitors do.
