DirectAdmin 1.50.0 has been released

Tried this one, still get a 404 on .well-known? I checked /etc/nginx/webapps.conf and the alias seems to be there. I do use custom nginx-templates, but they all include webapps.conf so it should be good?

I get the feeling WordPress is messing things up here, because I tried another site (with a Piwik install) and there were no problems there. Going to investigate this more now.

Make sure you don't have anything like the following in your custom templates, because it'd return a 403 error then:
Code:
location ~ /\. { deny  all; }

You get 404, so I think it's still related to the alias thing :) (I can check it directly on your server if you'd like me to)
 
Can you please tell me the difference between the domain certificate and the server-level certificate? I'm confused.

I have set up now as:

hostname: srv1.myserver.com
I did generate an SSL certificate for this domain (in user mode in DA), myserver.com. Is this not sufficient? The main website myserver.com is working with the newly generated SSL; must I do the server-level certificate as you meant before?

You shouldn't have your server hostname added as a domain in DirectAdmin. That's why you cannot generate an SSL certificate for your hostname directly in DirectAdmin.
 
If I navigate with my browser to example.com/.well-known/ or example.com/.well-known/acme-challenge/, is it normal it returns a 403 Forbidden? Could that interfere with the process?

(Using letsencrypt=1)

Please read my reply above about the error 403. Any files placed in /var/www/html/.well-known/acme-challenge should be reachable to the world. For example, if you place a /var/www/html/.well-known/acme-challenge/test.txt file on the server, you should be able to see its contents when accessing http://www.domain.com/.well-known/acme-challenge/test.txt.
 
You shouldn't have your server hostname added as a domain in DirectAdmin. That's why you cannot generate an SSL certificate for your hostname directly in DirectAdmin.

So the only option is then to create it with:
cd /usr/local/directadmin/scripts
./letsencrypt.sh request your.hostname.com 4096

Will it harm the first one? (the one with www.myserver.com?)
What are my options?
 
Please read my reply above about the error 403. Any files placed in /var/www/html/.well-known/acme-challenge should be reachable to the world. For example, if you place a /var/www/html/.well-known/acme-challenge/test.txt file on the server, you should be able to see its contents when accessing http://www.domain.com/.well-known/acme-challenge/test.txt.
I don't have /var/www/html/.well-known/acme-challenge, even after doing another rewrite_confs

Code:
root@server:/var/www/html# ls
index.html  phpMyAdmin-4.4.15-all-languages  roundcube
phpMyAdmin  redirect.php                     roundcubemail-1.1.4

Could this be why it's not working? If so, should I make the folders myself and chown them to webapps:webapps?
 
I don't have /var/www/html/.well-known/acme-challenge, even after doing another rewrite_confs

Code:
root@server:/var/www/html# ls
index.html  phpMyAdmin-4.4.15-all-languages  roundcube
phpMyAdmin  redirect.php                     roundcubemail-1.1.4

Could this be why it's not working? If so, should I make the folders myself and chown them to webapps:webapps?

Hm.. DirectAdmin should create the directory for you. Please do "ls -a" instead of just "ls" to list hidden folders as well (folders starting with a dot).
 
So the only option is then to create it with:


Will it harm the first one? (the one with www.myserver.com?)
What are my options?

It won't harm the first one, because they should differ :) For example, your hostname is server1.myserver.com and your domain is myserver.com.
 
It won't harm the first one, because they should differ :) For example, your hostname is server1.myserver.com and your domain is myserver.com.

I get an error here:

Account has been registered.
Getting challenge for srv1.myserver.com from acme-server...
Waiting for domain verification...
Challenge is valid.
Getting challenge for www.srv1.myserver.com from acme-server...
Waiting for domain verification...

Challenge is invalid. Details: DNS problem: NXDOMAIN looking up A for www.srv1.myserver.com. Exiting...

Where the hell does he find www.srv1? I did not have this in my DNS; it should be srv1. Only that exists in my DNS.
 
Hm.. DirectAdmin should create the directory for you. Please do "ls -a" instead of just "ls" to list hidden folders as well (folders starting with a dot).
Oh, the folder does exist. The folder was chmoded to 711, hence the 403 error; setting it to 755 made the test.txt reachable for the world, but it still gives me the same "Could not connect" error when I run letsencrypt.sh.
 
Oh, the folder does exist. The folder was chmoded to 711, hence the 403 error; setting it to 755 made the test.txt reachable for the world, but it still gives me the same "Could not connect" error when I run letsencrypt.sh.
Also, the folder and everything underneath is owned by the root owner and group; is that a correct setting?

(Sorry for double post, I don't have an edit button on my posts)
 
I just used 777 and it works now, thanks.
I was hoping the DA script could just chmod those folders correctly though.
Also, the folder and everything underneath is owned by the root owner and group; is that a correct setting?

(Sorry for double post, I don't have an edit button on my posts)
 
Challenge is invalid. Details: DNS problem: NXDOMAIN looking up A for www.srv1.myserver.com. Exiting...

Where the hell does he find www.srv1? I did not have this in my DNS; it should be srv1. Only that exists in my DNS.

I faced the same. A cert will be generated for www.srv1.myserver.com and srv1.myserver.com. So just add an A-type record for www in srv1.myserver.com zone on your authoritative NS servers.
 
No, it was added 11 days ago. CB 2.0 rev. 1496.

That's weird, looking through the history I see the steps were correct:

Code:
  824  2016-02-21 18:36:02  /usr/local/directadmin/directadmin c | grep let
  825  2016-02-21 18:36:19  service directadmin restart
  826  2016-02-21 18:36:28  <skipped>
  827  2016-02-21 18:36:34  ./build rewrite_confs
  828  2016-02-21 18:40:00  host <hostname>
  829  2016-02-21 18:40:04  ifconfig
  830  2016-02-21 18:41:31  touch test.html
  831  2016-02-21 18:46:53  ps aux | grep nginx
  832  2016-02-21 18:47:12  service nginx restart

I was able to browse the files. And 200 HTTP code in nginx/apache logs... then suddenly it started to work.
 
I get an error here:

Account has been registered.
Getting challenge for srv1.myserver.com from acme-server...
Waiting for domain verification...
Challenge is valid.
Getting challenge for www.srv1.myserver.com from acme-server...
Waiting for domain verification...

Challenge is invalid. Details: DNS problem: NXDOMAIN looking up A for www.srv1.myserver.com. Exiting...

Where the hell does he find www.srv1? I did not have this in my DNS; it should be srv1. Only that exists in my DNS.

DA creates a DNS zone for hostname having www, smtp, mail, pop, ftp A records by default. That's why letsencrypt.sh tries to setup the cert for all of them and assign to appropriate services (dovecot, exim, pureftpd/proftpd, nginx/apache).
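As an added example (not from the thread, and not part of DirectAdmin's letsencrypt.sh), a small Python pre-check for the NXDOMAIN failure discussed in the two posts above: it expands a hostname into the SAN list the script requests (the bare hostname plus www, mail, ftp, pop and smtp, as the thread and the script comment state), resolves each name, and lists the ones that still need an A record in the hostname's zone. The resolver is injectable so the constructed demo_resolver can stand in for DNS; srv1.myserver.com and 203.0.113.10 are constructed sample values.

```python
import socket
import sys

# Names DirectAdmin puts in the hostname's DNS zone and that letsencrypt.sh
# adds to the hostname certificate's SAN list (per the thread and the script's
# "#For hostname, we add www, mail, ftp, pop, smtp to the SAN" comment).
HOSTNAME_SAN_PREFIXES = ("www", "mail", "ftp", "pop", "smtp")


def san_names_for_hostname(hostname):
    """The full set of names a hostname certificate request will cover."""
    hostname = hostname.strip().rstrip(".").lower()
    return [hostname] + [f"{prefix}.{hostname}" for prefix in HOSTNAME_SAN_PREFIXES]


def check_san_resolution(hostname, resolve=socket.gethostbyname):
    """Map every SAN to the address it resolves to, or None on failure.

    A None is exactly what the ACME server reports as
    'NXDOMAIN looking up A for <name>': every such name needs an A record
    in the hostname's zone before letsencrypt.sh is run.
    """
    results = {}
    for name in san_names_for_hostname(hostname):
        try:
            results[name] = resolve(name)
        except OSError:  # socket.gaierror / socket.herror are OSError subclasses
            results[name] = None
    return results


def missing_records(results):
    """Names that need an A record added in the hostname's zone."""
    return [name for name, address in results.items() if address is None]


def demo_resolver(name):
    """Constructed stand-in for DNS, mirroring the thread: only the bare
    hostname exists, so www (and the other service names) are NXDOMAIN."""
    table = {"srv1.myserver.com": "203.0.113.10"}  # constructed sample data
    if name not in table:
        raise socket.gaierror(f"constructed NXDOMAIN for {name}")
    return table[name]


if __name__ == "__main__":
    # Real lookups when a hostname is given on the command line,
    # the constructed table otherwise.
    if len(sys.argv) > 1:
        results = check_san_resolution(sys.argv[1])
    else:
        results = check_san_resolution("srv1.myserver.com", resolve=demo_resolver)
    for name, address in results.items():
        print(f"{name:40} {address or 'NXDOMAIN / unresolvable'}")
    missing = missing_records(results)
    if missing:
        print("Add A records for:", ", ".join(missing))
```

Run it as `python3 san_check.py srv1.myserver.com` (file name assumed) on the server before `./letsencrypt.sh request`; an empty "Add A records for" line means the HTTP-01 challenges for the hostname certificate will at least not fail on DNS.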
 
Let's Encrypt feature conflict with modSecurity feature?

Because I tried to use modsecurity and letsencrypt at the same time, but it showed the error "Could not connect to ...".

I disabled modsecurity and it works fine.
 
Let's Encrypt feature conflict with modSecurity feature?

Because I tried to use modsecurity and letsencrypt at the same time, but it showed the error "Could not connect to ...".

I disabled modsecurity and it works fine.

It shouldn't conflict, it's likely that a restart of nginx/apache was enough to solve the issue.
 
Please read my reply above about the error 403. Any files placed in /var/www/html/.well-known/acme-challenge should be reachable to the world

Martynas, I had to figure this out on my own. I had been playing (successfully) with the standalone LetsEncrypt webroot authentication method earlier on, and there was already a /var/www/html/.well-known directory. I removed that after getting some errors (I had done some manual edits to the httpd configs, and they were conflicting). When I eventually traced the alias in the web-apps include (coincidentally the same method I used myself), I ended up with the 403 error. I noticed that the DA script creates /.well-known/acme-challenge (and the token file, for a short moment) but sets the permissions of all of these to 711, meaning they're not world-readable, hence the 403. I had to change the permissions to 705 to get this working.
This is on a server running nginx BTW (so the ".htaccess" that was created in /.well-known seems a little out of place...). So, is the script setting the wrong permissions on /.well-known? (/var/html has 755, why did the script make /.well-known 711?).
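As an added example (not from the thread and not DirectAdmin's code), a small Python checker for the permission problem described in this post and the 711/755 posts above. It applies the plain POSIX rule behind those 403s: every directory from the webroot down to the challenge file needs the 'other' execute bit (traverse), and the token file itself needs the 'other' read bit. demo() builds a throwaway tree in a temp directory (a constructed stand-in for /var/www/html), sets the 711 modes reported in the thread, shows what blocks an unprivileged web server user, and then applies the 755/644 fix. On a real server call find_permission_blockers() with the actual token path and /var/www/html.

```python
import os
import stat
import tempfile
from pathlib import Path


def find_permission_blockers(token_file, webroot):
    """Return [(path, reason), ...] for each component between webroot and
    token_file whose plain POSIX mode bits would stop a web server running
    as an unrelated, unprivileged user (neither owner nor group member)
    from serving the file. ACLs and root privileges are deliberately ignored.

    * webroot and every directory below it need o+x (traverse): 755, 711
      and 705 all pass, 700 fails;
    * the token file needs o+r: 644 passes, a file that inherited 711 fails
      even though every directory above it is traversable.
    """
    token_file = Path(token_file).resolve()
    webroot = Path(webroot).resolve()
    relative = token_file.relative_to(webroot)  # ValueError if outside webroot

    directories = [webroot]
    for part in relative.parts[:-1]:
        directories.append(directories[-1] / part)

    blockers = []
    for directory in directories:
        mode = directory.stat().st_mode
        if not stat.S_ISDIR(mode):
            blockers.append((str(directory), "not a directory"))
            return blockers
        if not mode & stat.S_IXOTH:
            blockers.append((str(directory),
                             f"mode {oct(mode & 0o777)[2:]} lacks o+x (not traversable)"))

    mode = token_file.stat().st_mode
    if not mode & stat.S_IROTH:
        blockers.append((str(token_file),
                         f"mode {oct(mode & 0o777)[2:]} lacks o+r (not world-readable)"))
    return blockers


def demo():
    """Constructed scenarios in a temp dir (stand-in for /var/www/html).
    Returns {scenario: blockers} so each outcome can be inspected."""
    base = Path(tempfile.mkdtemp(prefix="acme-perm-demo-"))
    webroot = base / "html"
    well_known = webroot / ".well-known"
    challenge = well_known / "acme-challenge"
    challenge.mkdir(parents=True)
    token = challenge / "test.txt"
    token.write_text("constructed token contents\n")
    os.chmod(webroot, 0o755)

    def apply(modes):
        for path, mode in modes.items():
            os.chmod(path, mode)
        return find_permission_blockers(token, webroot)

    return {
        # the state reported in the thread: everything under .well-known created 711
        "dirs 711, file 711": apply({well_known: 0o711, challenge: 0o711, token: 0o711}),
        # 755 on the directories alone does not help while the file stays 711
        "dirs 755, file 711": apply({well_known: 0o755, challenge: 0o755}),
        # a 700 directory blocks traversal even with a readable file
        ".well-known 700, file 644": apply({well_known: 0o700, token: 0o644}),
        # the working end state (705 on the directories would pass as well)
        "dirs 755, file 644": apply({well_known: 0o755}),
    }


if __name__ == "__main__":
    for scenario, blockers in demo().items():
        print(f"{scenario}: {'OK' if not blockers else blockers}")
```

The checker only looks at mode bits, so it reports the same thing whether it is run as root or as the web server user; that is the point, since a root shell would read the file fine while nginx gets EACCES and answers 403.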
 
zmippie yeah, I had SSL before the 1.5 update and had the .well-known folder too. The DA script does create folders, but with wrong permissions.
I told John about this issue.
 
To add SSL to domain pointers I did this to make it work (hope this is the good way):

Thanks for posting this, I was after the same thing (I want to add "mail." and "smtp."). Unfortunately, it doesn't work because strangely enough, "renew" seems to only accept the per-domain webroot authentication method (letsencrypt=2):

Code:
./letsencrypt.sh renew mydomain.com 4096

Results in:

Code:
Cannot find /home/user/domains/mydomain.com/public_html/.well-known/acme-challenge. Create this path, ensure it's chowned to the User.

So, vancanneyt, am I right in assuming you're using "letsencrypt=2"?

If renew isn't working for the server-wide webroot authentication method (letsencrypt=1), then there will be problems in 85 days...

PS. There's a little typo in letsencrypt.sh at the end: "The services will be retarted in about 1 minute via the dataskq." I think it should either be "retarded" or "restarted" ;)

PS2. I see this on line 246: "#For hostname, we add www, mail, ftp, pop, smtp to the SAN". Hmmm... how to trigger that?

PS3. I see that despite the "Usage" comment, the script accepts more parameters, including document root.
 
@zmippie: on my server the directadmin option is letsencrypt=1. Did you apply the bugfix smtalk posted earlier? That fixes the error you have ;)
 