DirectAdmin 1.50.0 has been released

No, I didn't apply the bugfix yet. I have to read further back in this thread I guess. I did manage to get the server-wide authentication to work by providing the 5th parameter "/var/www/html" to the script. A new problem arises though, NGINX barfs "SSL_CTX_use_PrivateKey_file" because apparently the resulting pem file has been messed up (wrong order of key/cert?). I'll have to figure this out, but I'll apply the bug fix first. Thanks!

PS. Darn, I indeed see Martynas mentioning the exact issue I'm reporting here. Duh!
 
To add SSL to domain pointers I did this to make it work (hope this is the good way):

Well... I don't think it's the right way. I end up with NGINX failing to accept the new certificate after adding an extra SAN:

Code:
nginx: [emerg] SSL_CTX_use_PrivateKey_file("/usr/local/directadmin/data/users/user/domains/domain.com.key") failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)
nginx: configuration file /etc/nginx/nginx.conf test failed

Key and certs were all updated after manually running the (patched) script, but invalid, it seems. I'd love to hear from Martynas if what we are after is at all provided for in the script.
 
Well... I don't think it's the right way. I end up with NGINX failing to accept the new certificate after adding an extra SAN:

Code:
nginx: [emerg] SSL_CTX_use_PrivateKey_file("/usr/local/directadmin/data/users/user/domains/domain.com.key") failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)
nginx: configuration file /etc/nginx/nginx.conf test failed

Key and certs were all updated after manually running the (patched) script, but invalid, it seems. I'd love to hear from Martynas if what we are after is at all provided for in the script.

It's a good way of doing that, but it wasn't planned for 1.5 :) To fix the cert/key mismatch just do:
Code:
cat /usr/local/directadmin/data/users/user/domains/domain.com.key /usr/local/directadmin/data/users/user/domains/domain.com.cert > /usr/local/directadmin/data/users/user/domains/domain.com.cert.combined
service nginx restart

DA 1.50.1 will create domain.com.cert.combined automatically when letsencrypt.sh is manually run from console (DA 1.50.0 creates it only when letsencrypt.sh is run from DA interface).
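
A way to confirm that a key and certificate belong together before building the `.cert.combined` file, so a "key values mismatch" is caught before nginx is restarted. This is an added example, not part of the original posts and not code from DirectAdmin's letsencrypt.sh; the function names, file names and the generated sample key material are all hypothetical and constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of DirectAdmin's letsencrypt.sh.
# Function names and file names below are hypothetical.

# Print a SHA-256 digest of the public key held in a key or cert file.
pubkey_digest() (   # $1 = key|cert, $2 = PEM file
    case "$1" in
        key)  pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || exit 1 ;;
        cert) pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || exit 1 ;;
        *)    exit 1 ;;
    esac
    [ -n "$pub" ] || exit 1
    printf '%s\n' "$pub" | openssl dgst -sha256 | awk '{print $NF}'
)

# Exit 0 if the private key and certificate share a public key,
# 1 if they differ, 2 if either file cannot be parsed.
key_matches_cert() (
    k=$(pubkey_digest key "$1")  || exit 2
    c=$(pubkey_digest cert "$2") || exit 2
    [ "$k" = "$c" ]
)

# Build the combined PEM (key first, then cert, the order used in the
# thread) only when the pair matches; never leave a partial file behind.
write_combined() (   # $1 = key, $2 = cert, $3 = output path
    key_matches_cert "$1" "$2" || { echo "refusing: $1 does not match $2" >&2; exit 1; }
    umask 077        # the output contains the private key
    cat "$1" "$2" > "$3.tmp" && mv "$3.tmp" "$3"
)

# Constructed sample material: a fresh key + self-signed cert, plus an
# unrelated "stale" key standing in for a leftover from an earlier run.
make_sample() {   # $1 = scratch directory
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example.test" \
        -keyout "$1/new.key" -out "$1/new.cert" 2>/dev/null &&
    openssl genrsa -out "$1/old.key" 2048 2>/dev/null
}

d=$(mktemp -d) && make_sample "$d"
write_combined "$d/new.key" "$d/new.cert" "$d/ok.combined"  && echo "matching pair: combined file written"
write_combined "$d/old.key" "$d/new.cert" "$d/bad.combined" || echo "stale key: combined file not written"
rm -rf "$d"
```

Comparing public keys rather than RSA moduli means the same check also works for EC keys.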
 
I played with the Let's Encrypt feature also. When selecting Let's Encrypt at SSL management, you need to enter all the company and address info like normal, however that info can't be used for Let's Encrypt, only the e-mail address field should be left there (and maybe pre-fill in the address belonging to the DA account). That way you can enable it with a few clicks.

Also on http://www.directadmin.com/features.php?id=1828 it lists the rate limits; they are probably based on an outdated article. See a more recent article at https://community.letsencrypt.org/t/rate-limits-for-lets-encrypt/6769
 
The most current limit seems to still be the same:
http://www.directadmin.com/features.php?id=1828 said:
Rate limit on certificates per Domain is now 5 per 7 days

About the fields in SSL management, I think John left them there in case anyone would like to use the same CSR for normal certs, however, only John knows the real answer :) When called from SSH, letsencrypt.sh doesn't ask you to fill any information.
 
The other limit though: "Rate limit on registrations per IP is now 10 per 3 hours" which is now 500 per 3 hours.

I suppose with a few javascript lines the fields can be hidden when LE is selected.

The filled in e-mail isn't being used either I see: EMAIL="${USER}@${DOMAIN}"
 
Code:
        rm -f "${WELLKNOWN_PATH}/${CHALLENGE_TOKEN}"

        if [ "${CHALLENGE_STATUS}" = "valid" ]; then
                echo "Challenge is valid."
        else
                echo "Challenge is ${CHALLENGE_STATUS}. Details: ${CHALLENGE_DETAIL}. Exiting..."
                exit 1
        fi
I removed the rm part to check if the tokens are even generated in /.well-known/acme-challenge/, they were there as chmoded 644 files with a string of 88 signs. The error makes no sense at all since the file is reachable for the world during the check, after which it gets removed and then it echoes an error about not being able to connect :confused: The error messages aren't helpful enough.
 
It's a good way of doing that, but it wasn't planned for 1.5 :)

OK, got it. It's nice to be ahead of the curve every once in a while ;)

To fix the cert/key mismatch just do:

I only *just* figured that out myself and then read your answer. It seems like today is one of those days that I'm actually not ahead of the curve, rather, slightly behind all the time...

Thanks Martynas.

The filled in e-mail isn't being used either I see: EMAIL="${USER}@${DOMAIN}"

I noticed that too, and was wondering what happens to the email address in the CSR form. I guess it just gets lost.
 
The filled in e-mail isn't being used either I see: EMAIL="${USER}@${DOMAIN}"

Why it isn't? :)

Code:
if [ "${CSR_CF_FILE}" != "" ] && [ -s ${CSR_CF_FILE} ]; then
        if grep -q -m1 '^emailAddress' ${CSR_CF_FILE}; then
                EMAIL="`grep '^emailAddress' ${CSR_CF_FILE} | awk '{print $3}'`"
        fi
elif [ "${CSR_CF_FILE}" = "" ] && [ -s ${SAN_CONFIG} ]; then
        if grep -q -m1 '^emailAddress' ${SAN_CONFIG}; then
                EMAIL="`grep '^emailAddress' ${SAN_CONFIG} | awk '{print $3}'`"
        fi
fi
 
I have enabled the SSL feature (Let's Encrypt), but there is no checkbox on the page with 'Free & automatic certificate from Let's Encrypt'.
In Users\ssl.htm no text is shown.

-----------

|*if LETSENCRYPT="1"|
<br><input type=radio name=request value="letsencrypt" disabled>Free & automatic certificate from <a class='listtitle' target=_blank href="https://letsencrypt.org/">Let's Encrypt</a></td>
|*endif|

Nobody with the same problem?

DA runs version 1.5
Let's Encrypt = 1
No radio button on the SSL page / Template is not updated
 
Why it isn't? :)

Code:
if [ "${CSR_CF_FILE}" != "" ] && [ -s ${CSR_CF_FILE} ]; then
        if grep -q -m1 '^emailAddress' ${CSR_CF_FILE}; then
                EMAIL="`grep '^emailAddress' ${CSR_CF_FILE} | awk '{print $3}'`"
        fi
elif [ "${CSR_CF_FILE}" = "" ] && [ -s ${SAN_CONFIG} ]; then
        if grep -q -m1 '^emailAddress' ${SAN_CONFIG}; then
                EMAIL="`grep '^emailAddress' ${SAN_CONFIG} | awk '{print $3}'`"
        fi
fi

You're right of course. :D

In that case it should hide all other fields except email. And the server-side check modified.
 
Webgangster, have you rewritten your configs?
Code:
./build rewrite_configs

{"type":"http-01","status":"invalid","error":{"type":"urn:acme:error:connection","detail":"Could not connect to http://example.com/.well-known/acme-challenge/FIPXfnUYnP-0dRB9b3x7ayjS1Hrqoupfl2oHpyOClCc"},"uri":"https://acme-v01.api.letsencrypt.org/acme/challenge/7RQNPzjQiks1-DadrPVrP6xQgiXWEcW2zc_VD51Cj8U/18860782","token":"FIPXfnUYnP-0dRB9b3x7ayjS1Hrqoupfl2oHpyOClCc","keyAuthorization":"FIPXfnUYnP-0dRB9b3x7ayjS1Hrqoupfl2oHpyOClCc.5DN7NgwFmPM3Qe94l4n6PFWZoW1Yx3bDH19GIEiGVxA","validationRecord":[{"url":"http://example.com/.well-known/acme-challenge/FIPXfnUYnP-0dRB9b3x7ayjS1Hrqoupfl2oHpyOClCc","hostname":"example.com","port":"80","addressesResolved":["181.xx.278.xxx"],"addressUsed":"181.xx.278.xx"}]}
I'm at a dead end
 
Nobody with the same problem?

DA runs version 1.5
Let's Encrypt = 1
No radio button on the SSL page / Template is not updated

Please change your skin to enhanced if it's set to any other. Please also check:
Code:
/usr/local/directadmin/directadmin c | grep letsencrypt
 
Please change your skin to enhanced if it's set to any other. Please also check:
Code:
/usr/local/directadmin/directadmin c | grep letsencrypt

Thanks, it returns a 0.
letsencrypt=1 moved to line 2, DA restarted and it works now! :)
 
In that case it should hide all other fields except email. And the server-side check modified.

+1 for that. I wanted to hide all the other fields in my custom skin under a link by using css, and unless that link is clicked (it could be called "advanced configuration other than letsencrypt") it will only show letsencrypt needed stuff. So too bad all the other fields are still needed, even though they actually are not ...
 