DirectAdmin SSL Management — Let’s Encrypt and Custom Certs

Enabling Let's Encrypt SSL in DirectAdmin, installing third-party certificates, and forcing HTTPS sitewide.

DirectAdmin’s SSL workflow is straightforward — every domain gets free Let’s Encrypt SSL with one or two clicks, certificates auto-renew, and forcing HTTPS sitewide is a checkbox. This guide covers the common SSL operations: enabling Let’s Encrypt, installing a paid cert if you have one, and the HTTPS redirect setup.

Enabling Let’s Encrypt SSL

  1. Log in to DirectAdmin.
  2. Account Manager → SSL Certificates (or look for “SSL Certificates” in the main menu).
  3. Select the domain to enable SSL for.
  4. Choose Free & automatic certificate from ACME provider (Let’s Encrypt).
  5. Select coverage:
    • www.yourdomain.com and yourdomain.com — standard.
    • Add subdomains as needed.
  6. Key Size: 2048 (default, fine for nearly all use).
  7. Email address: your contact email (Let’s Encrypt sends renewal notifications here).
  8. Click Save.

DirectAdmin contacts Let’s Encrypt, validates domain ownership (HTTP-01 challenge), issues the certificate, and installs it. This usually takes 30-60 seconds. You’ll see a success message, and the SSL Certificates page then shows your domain with a valid cert.

Automatic renewal

Let’s Encrypt certificates expire every 90 days. DirectAdmin auto-renews each cert about 30 days before expiry — no action needed. You’ll get an email notification if a renewal fails (usually due to DNS issues or a recent configuration change).

To manually trigger renewal early: SSL Certificates → click the domain → Renew.

When SSL issuance fails

Common causes and fixes — same as on cPanel, since both use Let’s Encrypt’s HTTP-01 challenge:

  • DNS not pointing here yet. Let’s Encrypt verifies by reaching http://yourdomain.com/.well-known/acme-challenge/.... If DNS points elsewhere, validation fails. Wait for propagation.
  • Cloudflare proxy enabled. Proxy intercepts the challenge. Solutions:
    • Disable proxy (grey cloud) during issuance, re-enable after.
    • Set Cloudflare SSL to “Full (strict)” — your DA cert serves as the origin cert.
  • .htaccess blocking the challenge path. Add to .htaccess, above any other rewrite rules: RewriteRule ^\.well-known/ - [L]
  • Rate limit reached. Let’s Encrypt allows 5 failed challenges per hour per domain. Wait 1 hour, retry.

Installing a paid (third-party) certificate

If you’ve bought a cert from a commercial CA (DigiCert, Sectigo, etc.):

  1. SSL Certificates → select domain.
  2. Choose Paste a pre-generated certificate and key.
  3. Paste the certificate (the .crt content) into the Certificate box.
  4. Paste the private key into Private Key.
  5. Click Save.
  6. Below the cert field, find CA Root Certificate:
    • Click “Click Here” to view it.
    • Replace with the CA bundle from your certificate provider.
    • Save.

Verify: visit https://yourdomain.com, check the padlock — issuer should match the CA you bought from.
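Before pasting, the three mistakes this procedure most often hits (a key that does not belong to the cert, a cert that does not cover the hostname, a CA bundle that does not match) can be checked locally with OpenSSL. The script below is an added example, not DirectAdmin code; the function names and file names are assumptions, the sample pair is generated on the spot as constructed input, and it assumes OpenSSL 1.1.1 or newer.

```shell
#!/bin/sh
# Added example, not DirectAdmin code: checks to run on a paid certificate
# before pasting it into SSL Certificates. All file names are placeholders.

# Succeeds if the private key ($2) belongs to the certificate ($1).
cert_key_match() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null)
  # An unreadable file yields an empty key, which must never count as a match.
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Succeeds if the certificate ($1) is valid for hostname ($2).
cert_covers_host() {
  openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null | grep -q 'does match'
}

# Succeeds if the certificate ($1) chains to a certificate in the CA bundle ($2).
chain_ok() {
  openssl verify -partial_chain -CAfile "$2" "$1" >/dev/null 2>&1
}

# Constructed sample input: a throwaway self-signed pair in $1/$2.key and $1/$2.crt.
make_throwaway() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -addext "subjectAltName=DNS:example.test,DNS:www.example.test" \
    -keyout "$1/$2.key" -out "$1/$2.crt" >/dev/null 2>&1
}

report() {  # report "<label>" <command...>
  label=$1; shift
  if "$@"; then echo "ok    $label"; else echo "FAIL  $label"; fi
}

demo() {
  dir=$(mktemp -d) || return 1
  make_throwaway "$dir" site && make_throwaway "$dir" other || return 1
  report "key matches certificate"      cert_key_match   "$dir/site.crt" "$dir/site.key"
  report "wrong key (expected FAIL)"    cert_key_match   "$dir/site.crt" "$dir/other.key"
  report "covers www.example.test"      cert_covers_host "$dir/site.crt" www.example.test
  report "covers mail (expected FAIL)"  cert_covers_host "$dir/site.crt" mail.example.test
  report "chains to its bundle"         chain_ok         "$dir/site.crt" "$dir/site.crt"
  report "wrong bundle (expected FAIL)" chain_ok         "$dir/site.crt" "$dir/other.crt"
  rm -rf "$dir"
}

demo
```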

Forcing HTTPS

Two layers — both should be enabled for clean HTTPS-only behavior:

DirectAdmin Force HTTPS toggle

  1. SSL Certificates → click domain.
  2. Find the Force HTTPS via Redirect option.
  3. Enable.
  4. Save.

.htaccess fallback

For applications where the DA toggle doesn’t apply, or for explicit control, add to public_html/.htaccess:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Application-level (e.g. WordPress)

WordPress: Settings → General → update both URL fields to https://. Without this, even with redirects, WordPress emits mixed-content URLs.

Wildcard SSL on DirectAdmin

Let’s Encrypt issues wildcards via DNS-01 challenge (instead of HTTP-01). DirectAdmin supports this — when selecting hostname coverage in SSL Certificates, you can request *.yourdomain.com.

The DNS-01 challenge requires DirectAdmin to add a TXT record to your domain’s DNS. If DirectAdmin manages your DNS, this is automatic. If DNS is at Cloudflare or another provider, you’ll need to either temporarily switch DNS back to DA for issuance, or contact support to assist with manual DNS-01.

SSL for subdomains

Each subdomain needs its own SSL entry. When you create a subdomain in DirectAdmin, go back to SSL Certificates → select the subdomain → request Let’s Encrypt. Repeat per subdomain unless using a wildcard.

Common DirectAdmin SSL issues

“NET::ERR_CERT_AUTHORITY_INVALID in browser.” CA root cert not installed or wrong. SSL Certificates → click domain → CA Root Certificate field needs the full CA bundle. For Let’s Encrypt, DA usually populates this correctly; for paid certs, you must paste the bundle from your CA.

“Common name mismatch.” Cert is for one hostname but you’re accessing as another. Either reissue covering both, or always access via the correct hostname.

“Mixed content warning.” HTTPS page is loading HTTP resources. Update WordPress URL settings; run a search-replace for http://yourdomain.com → https://yourdomain.com in the database.

“Renewal failed email arrived.” Usually DNS changed (now points to Cloudflare proxy, blocking the HTTP challenge). Check current SSL state in DA; reissue if needed using the workarounds above.

“Want to disable SSL for a domain.” SSL Certificates → click domain → toggle SSL off. Rare reason to do this in 2026, but available.

What’s next

Free SSL via Let’s Encrypt is essentially zero-effort on DirectAdmin. Enable once per domain, auto-renewal handles the rest. Combined with Force HTTPS, every visitor lands on a secure HTTPS connection without ongoing maintenance.
