Details for a Let’s Encrypt plugin [ open source idea ]

Arieh

Update (last edit at 25-01-2016)

Most recent update (25-01-2016): development is suspended due to the official DA integration: https://www.directadmin.com/features.php?id=1828 - it's assigned to DA version 1.492 which isn't released just yet.

About the plugin:

Multiple developers are working on this project, feel free to join!

Project page: https://github.com/Petertjuh360/da-letsencrypt

Progress page: https://github.com/Petertjuh360/da-letsencrypt/milestones

Known issues: https://github.com/Petertjuh360/da-letsencrypt/issues

Can I use it?
At this moment (20-01-2016), there isn't a stable release just yet. A few people are using this plugin in production, however this is not recommended. Many things may change and the plugin has not been checked for security issues. If you do use it, it's up to you. You will need git and composer (they are developer tools, see README). In the first stable release git and composer will not be needed, all the vendor files that the tools gather will be included in the plugin package.



-----------------
Original post:

Since Let's Encrypt went to public beta today, and no one has (publicly) stated they are working on a plugin, I thought I'd take this initiative.

I've worked out the commands that need to be done in order to get the certificate and how to get it in DA.

I'm hoping together we can make this into a plugin, or DA could integrate this so that on user level this can be done fully automatically.

Requirements:
Code:
git

When running ./letsencrypt-auto, it will install python

In my case (Debian), the following packages were installed (without asking anything):
Code:
augeas-lenses dialog libaugeas0 libffi-dev libpython2.7 python-dev python-pkg-resources python-setuptools python-virtualenv python2.7-dev
Code:
git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt

./letsencrypt-auto

The letsencrypt binary came in to /root/.local/share/letsencrypt/bin/letsencrypt for me, so I created a symlink:
Code:
ln -s /root/.local/share/letsencrypt/bin/letsencrypt /usr/sbin/letsencrypt


Then using it to create the certificate files, actually very easy; I'm using example.tld as example domain under the user admin.

Code:
letsencrypt certonly --webroot -w /home/admin/domains/example.tld/public_html -d example.tld --email [email protected] --agree-tos

Certificate files are now in:
Code:
/etc/letsencrypt/live/example.tld/

Then we need to get these files into DA:

Code:
/etc/letsencrypt/live/example.tld/privkey.pem ->
  /usr/local/directadmin/data/users/admin/domains/example.tld.key

/etc/letsencrypt/live/example.tld/chain.pem -> 
  /usr/local/directadmin/data/users/admin/domains/example.tld.cacert

/etc/letsencrypt/live/example.tld/cert.pem -> 
  /usr/local/directadmin/data/users/admin/domains/example.tld.cert

Specify these files in DA conf:

Code:
/usr/local/directadmin/data/users/admin/domains/example.tld.conf
Code:
SSLCACertificateFile=/usr/local/directadmin/data/users/admin/domains/example.tld.cacert
SSLCertificateFile=/usr/local/directadmin/data/users/admin/domains/example.tld.cert
SSLCertificateKeyFile=/usr/local/directadmin/data/users/admin/domains/example.tld.key
ssl=ON

So ssl needs to be changed to ON and SSLCACertificateFile etc need to be inserted or changed, the files themselves need to be created if they don't exist; chowned to diradmin:diradmin

Finally, rewrite the httpd.conf files; I'm not sure if this is the only way possible:
Code:
/usr/local/directadmin/custombuild/build rewrite_confs

And that's it. I was a bit surprised that this all just worked without problem.


Personally I don't have the time to create the plugin fully; so again I'm hoping that someone else can take it from here. Please keep it open source and free; the whole idea of let's encrypt is that it's free.
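
The manual steps from the post above, collected into one script as an added example; it is not code from the plugin or from DirectAdmin. The paths and config keys are the ones given in the post, while the `LE_LIVE`/`DA_USERS` overrides, the function names, the input validation and the 0600 key mode are assumptions added here.

```shell
#!/bin/sh
# Added example, not the plugin's code. LE_LIVE and DA_USERS default to the
# paths from the post and can be overridden to try this on a scratch tree.
LE_LIVE="${LE_LIVE:-/etc/letsencrypt/live}"
DA_USERS="${DA_USERS:-/usr/local/directadmin/data/users}"

# set_conf_key FILE KEY VALUE: drop any existing KEY= line, then append KEY=VALUE.
# Writes through the existing file so its owner and mode are preserved.
set_conf_key() {
    tmp=$(mktemp) || return 1
    grep -v "^$2=" "$1" > "$tmp" || true   # grep exits 1 if no other lines remain
    printf '%s=%s\n' "$2" "$3" >> "$tmp"
    cat "$tmp" > "$1" && rm -f "$tmp"
}

# install_le_cert USER DOMAIN: runs in a subshell so umask and variables stay local.
install_le_cert() (
    user=$1 domain=$2
    # Both values end up in file paths, so reject anything that could traverse.
    case $user in ''|*[!A-Za-z0-9_-]*) echo "bad user" >&2; exit 2 ;; esac
    case $domain in ''|.*|*..*|*[!A-Za-z0-9.-]*) echo "bad domain" >&2; exit 2 ;; esac
    src=$LE_LIVE/$domain
    dst=$DA_USERS/$user/domains/$domain
    for f in privkey.pem chain.pem cert.pem; do
        [ -s "$src/$f" ] || { echo "missing $src/$f" >&2; exit 1; }
    done
    [ -f "$dst.conf" ] || { echo "no DA config: $dst.conf" >&2; exit 1; }
    umask 077                        # new files are never group/world readable
    cat "$src/privkey.pem" > "$dst.key"
    cat "$src/chain.pem"   > "$dst.cacert"
    cat "$src/cert.pem"    > "$dst.cert"
    chmod 600 "$dst.key"             # assumption: the post names the owner, not the mode
    set_conf_key "$dst.conf" SSLCACertificateFile "$dst.cacert"
    set_conf_key "$dst.conf" SSLCertificateFile "$dst.cert"
    set_conf_key "$dst.conf" SSLCertificateKeyFile "$dst.key"
    set_conf_key "$dst.conf" ssl ON
    # chown needs root and an existing diradmin account (skipped on a scratch tree).
    if [ "$(id -u)" -eq 0 ] && id diradmin >/dev/null 2>&1; then
        chown diradmin:diradmin "$dst.key" "$dst.cacert" "$dst.cert"
    fi
)

# Stand-alone use: ./install-le.sh admin example.tld
if [ "$#" -eq 2 ]; then
    install_le_cert "$1" "$2" && /usr/local/directadmin/custombuild/build rewrite_confs
fi
```

Other lines in the domain's `.conf` are kept, and a re-run replaces the four SSL entries instead of duplicating them.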
 
And that's it. I was a bit surprised that this all just worked without problem.

That's good news Arieh. What you're doing here, was actually what I was planning to do: just overwrite the certs and keys at the appropriate places without adding DirectAdmin directly in the mix. I was surprised that raymii went to install the certificate "by hand" at the end of his article.

For the people who are firing up their engines to create a LetsEncrypt-DA plugin: please try to collaborate, don't reinvent the wheel. That would be a waste of your time. And keep us posted!
 
A little update; in my initial try I only supplied example.tld, but you can add www. or any other subdomain as well; I've tried the following: example.tld, www.example.tld, test.example.tld:

Code:
letsencrypt certonly --webroot -w /home/admin/domains/example.tld/public_html -d example.tld -d www.example.tld -d test.example.tld --email [email protected] --agree-tos

Where test.example.tld is an alias pointer so that they all point to the same public_html.

It's also possible to supply multiple domains and paths in 1 command, details at https://letsencrypt.readthedocs.org/en/latest/using.html#webroot

But for default I would say example.tld plus www.example.tld would be a good start as that's a default setup in DA.


Some other things to consider:
- If a user package doesn't allow SSL, or SNI isn't enabled, things might not work?
- If the letsencrypt tool reports an error, it needs to be handled
- Possibly, an option to revoke the cert
 
Here is a different repository: https://github.com/sjerdo/letsencrypt-directadmin

Perhaps you guys can work together? Would love a UI option, eg. just a checkbox 'Enable Lets Encrypt Certificate' and let DA handle the requesting, installing and renewing.

Hello Barry,

Thank you for sharing the repo. I also saw the repo this morning, posted by a user on Tweakers.net.

Unfortunately I do not have any Python skills, but I will see if we can work together.

I will create a UI like CustomBuild where you can enable Let's Encrypt per DA user. The plugin will count days and you can enable/disable auto renew of the certificates. There will also be an option to request/install and renew a certificate manually.
 
I will create a UI like CustomBuild where you can enable Let's Encrypt per DA user. The plugin will count days and you can enable/disable auto renew of the certificates. There will also be an option to request/install and renew a certificate manually.

So only Petertjuh360 is aiming to also build a user interface, so one can install LE certificates from the DA GUI?
 
We could split these tasks indeed to speed up the plugin development.

If you look into the repo right now at /actions/request.php. Shall we use these functions or go with a library like mentioned here: https://github.com/Petertjuh360/da-letsencrypt/issues/2#issuecomment-162100677 ?

In case we aren't using any PHP library, the plugin needs to have some system dependencies (the Let's Encrypt Python client), and I think it would quickly get too complicated. Wouldn't it?
 
That's great, I didn't think to search for a PHP client :)

The python client will install all dependencies itself, but of course a library within the plugin itself is a much better choice.
 
Thanks a lot for the tutorial,
and also thanks a lot for the automation plugin, I look forward to when you two guys release it :)
 
There has been a lot of progress at https://github.com/Petertjuh360/da-letsencrypt - especially Wouter0100 is doing a lot of work and others have joined in as well. The plugin now uses a php library so the python client is not needed.

The basics are working, but it's not ready to be used for production at this moment.

I estimate the plugin to be at 80% done for that but that's just me.
 
Great to hear, but I get an error when I install it:

git: /usr/local/lib/libz.so.1: no version information available (required by git )

DA doesn't recommend updating :/ http://help.directadmin.com/item.php?id=372

I recommend you to wait for the first release (1.0). It will not be necessary to use Git anymore. It is only useful when you want to try out the current version (master).

We expect to release 1.0 soon but there are a few issues which need to be fixed first.

When 1.0 is released you won't need Git and we will deliver the vendor files within the package. You will get a download link from us so you can install the plugin directly via DirectAdmin without any command line tools!
 
The plugin is nearly done for the first release, but there is a blocker issue which holds us back from releasing the first version. Subdomains aren't working properly, see this issue. I currently don't have the time to investigate this, at earliest next weekend.
 
Hmmm... I thought I had successfully created SAN certificates with 5 (sub)domains using the LE command line tools and the webroot authentication method. No error was returned, I got the "congratulations!" message back. But you're right, only the first domain actually ended up in the resulting cert. Is this a beta limitation perhaps?
 
only the first domain actually ended up in the resulting cert. Is this a beta limitation perhaps?

I must be sleeping. I checked the cert again, and it definitely contains multiple subject alternative names. Sorry for the false report. It seems to work.

Code:
/root/.local/share/letsencrypt/bin/letsencrypt certonly --webroot --webroot-path /etc/letsencrypt/webrootauth/ --renew-by-default --email [email protected] --text --agree-tos -d mail.mydomain.com -d mydomain.com -d www.mydomain.com -d smtp.mydomain.com

Note that I have webroot authentication set up on my nginx server.
 