Let's Encrypt for the server hostname?

dmtinc

Hi Folks,
Is it possible to generate a LE certificate for the server hostname and use it for DA and other services like ftp/smtp/imap/pop/webmail, like it's done for the hosting accounts?


I know this can be done manually, but the magic is having it done automatically by DA or a cron script.

Any ideas?


Thanks
Regards
 
Just execute the following in SSH:
Code:
cd /usr/local/directadmin/scripts
./letsencrypt.sh request server.hostname.com 4096
 
The script didn't work for me but after troubleshooting it worked. That's why I would like to share this. Any comments are welcome. :)

In case you got the error:
Cannot find /home/admin/domains/testserver.com/public_html/.well-known/acme-challenge. Create this path, ensure it's chowned to the User.

For me the solution:
Was to remove the line that contained my server hostname domain in /etc/virtual/domainowners

How I found this out
My hostname is for instance testserver.com

While debugging the script I noticed that the script was checking if the certificate request was from the local hostname or a virtual domain.
It does this in the script with:
Code:
if [ "${HOSTNAME}" -eq 0 ]; then

I noticed that the script thought it was a virtual domain instead of the local hostname. The way the script determined whether a domain was virtual or not was to look for it in /etc/virtual/domainowners.

So I checked this file, found that testserver.com was there, and deleted the line that contained testserver.com.

After that the script worked.
 
Well, it worked, but my exim then gave this error:
Failed to find user "" from expanded string "${lookup{$domain}lsearch{/etc/virtual/domainowners}{$value}}" for the domain_filter router
So I had to rebuild the virtual domainowners file.
 
The best solution for me (to make this work) was to change this:


Code:
if grep -m1 -q "^${DOMAIN_ESCAPED}:" /etc/virtual/domainowners; then
        USER=`grep -m1 "^${DOMAIN_ESCAPED}:" /etc/virtual/domainowners | cut -d' ' -f2`
        HOSTNAME=0
elif grep -m1 -q "^${DOMAIN_ESCAPED}$" /etc/virtual/domains; then
        USER="root"

To:

Code:
if grep -m1 -q "^${DOMAIN_ESCAPED}:" /etc/virtual/domainowners; then
        USER=`grep -m1 "^${DOMAIN_ESCAPED}:" /etc/virtual/domainowners | cut -d' ' -f2`
        HOSTNAME=1
elif grep -m1 -q "^${DOMAIN_ESCAPED}$" /etc/virtual/domains; then
        USER="root"

And then run:

Code:
/usr/local/directadmin/scripts/letsencrypt.sh revoke testserver.com 4096

After the successful creation of the certificates you change the HOSTNAME back to the default value. Downside is that auto-update doesn't work in 90 days, but it gets you started until a fix is provided.
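The posts above show that letsencrypt.sh decides between "server hostname" and "virtual domain" by looking the name up in /etc/virtual/domainowners, and that a hostname which also has a domainowners entry ends up on the wrong branch. The following is an added diagnostic (not from the DirectAdmin script or from any post in this thread) that reproduces that classification against constructed sample files and reports the conflicting case, plus the "no match at all" case in which the script's HOSTNAME variable stays empty. File paths, the `servername` argument and the sample data are assumptions for the demo.

```shell
#!/bin/sh
# Added example: reproduces the domainowners/domains lookup described in the
# thread and names the case where the hostname is also a virtual domain.
set -u

# classify_domain DOMAIN SERVERNAME DOMAINOWNERS_FILE DOMAINS_FILE
# Prints: hostname | hostname-in-domainowners:<user> | virtual:<user> | root | unknown
classify_domain() {
    domain=$1; servername=$2; domainowners=$3; domains=$4
    # Escape dots so grep matches the name literally (the script does the same).
    escaped=$(printf '%s' "$domain" | sed 's/\./\\./g')
    owner=""
    if [ -f "$domainowners" ] && grep -m1 -q "^${escaped}:" "$domainowners"; then
        owner=$(grep -m1 "^${escaped}:" "$domainowners" | cut -d' ' -f2)
    fi
    if [ "$domain" = "$servername" ]; then
        if [ -n "$owner" ]; then
            # The failure case from the thread: the script would take the
            # virtual-domain branch (HOSTNAME=0) and look for the user's
            # .well-known/acme-challenge path instead of the hostname's.
            printf 'hostname-in-domainowners:%s\n' "$owner"
        else
            printf 'hostname\n'
        fi
    elif [ -n "$owner" ]; then
        printf 'virtual:%s\n' "$owner"
    elif [ -f "$domains" ] && grep -m1 -q "^${escaped}$" "$domains"; then
        printf 'root\n'
    else
        # Neither list matches: in the script HOSTNAME is never set, so a later
        # [ "$HOSTNAME" -eq 0 ] fails with "integer expression expected".
        printf 'unknown\n'
    fi
}

# Constructed sample data (domainowners uses the "domain: user" layout).
make_sample_files() {
    dir=$(mktemp -d)
    printf 'example.org: admin\ntestserver.com: admin\n' > "$dir/domainowners"
    printf 'example.org\ntestserver.com\nrootonly.net\n' > "$dir/domains"
    printf '%s\n' "$dir"
}

d=$(make_sample_files)
classify_domain testserver.com testserver.com "$d/domainowners" "$d/domains"
classify_domain example.org testserver.com "$d/domainowners" "$d/domains"
classify_domain srv1.domain.eu srv1.domain.eu "$d/domainowners" "$d/domains"
rm -rf "$d"
```

Running it against the real files (`/etc/virtual/domainowners`, `/etc/virtual/domains`, and the `servername` from directadmin.conf) before calling `letsencrypt.sh request` tells you in advance which branch the script will take.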
 
Hello,

I'm having similar problems with my installation. Prior to the release of LetsEncrypt I've used this guide for port 2222:
http://help.directadmin.com/item.php?id=15 (Creating a Self-Signed Certificate)
To get Exim working I've used: https://forum.directadmin.com/showthread.php?t=44519

Now when using Item 15 (Let's Encrypt) to secure 2222 it fails with the following:
Code:
$ scripts/letsencrypt.sh request `hostname` 4096

Generating 4096 bit RSA key for srv1.domain.eu...
openssl genrsa 4096 > "/usr/local/directadmin/conf/cakey.pem.new"
Generating RSA private key, 4096 bit long modulus
..............................................................................................................................................................................................................................................................................................................................................................................++
.............................................................................................++
e is 65537 (0x10001)
Error Loading request extension section SAN
/usr/local/directadmin/conf/ca.csr: No such file or directory
139976938325648:error:02001002:system library:fopen:No such file or directory:bss_file.c:398:fopen('/usr/local/directadmin/conf/ca.csr','r')
139976938325648:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400:
Size of certificate response is smaller than 500 characters, it means something went wrong. Printing response...
"detail":"No registration exists matching provided key"

I've thought that I'd link ca.csr to ca.san_config, which results in:
Code:
openssl genrsa 4096 > "/usr/local/directadmin/conf/cakey.pem.new"
Generating RSA private key, 4096 bit long modulus
..................................................................................................................++
.....................................................................................++
e is 65537 (0x10001)
Error Loading request extension section SAN
unable to load X509 request
140544283059856:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:703:Expecting: CERTIFICATE REQUEST
Size of certificate response is smaller than 500 characters, it means something went wrong. Printing response...
"detail":"No registration exists matching provided key"

Relevant settings in directadmin.conf
Code:
SSL=1
apachecert=/etc/httpd/conf/ssl.crt/server.crt
apachekey=/etc/httpd/conf/ssl.key/server.key
dkim=1
dovecot=1
ns1=ns1.transip.nl
ns2=ns2.transip.eu
port=2222
servername=srv1.domain.eu
enable_ssl_sni=1
letsencrypt=1

Hostname: srv1.domain.eu

I'm also using a cert on the root domain: domain.eu (which validates)
The following files have not been rewritten since the initial self-signed setup:
  • /etc/httpd/conf/ssl.crt/server.crt
  • /etc/httpd/conf/ssl.key/server.key
  • /usr/local/directadmin/conf/cacert.pem
  • /usr/local/directadmin/conf/cakey.pem
The only new file is /usr/local/directadmin/conf/cakey.pem.new

Note: I don't seem to have a san_config for the hostname. Only:
  • /../directadmin/data/users/admin/domains/domain.eu.san_config
  • /../directadmin/conf/ca.san_config
Providing either as a fourth argument to ./letsencrypt.sh doesn't help.

Otherwise I'm very pleased with Let's Encrypt since it works fine on all other domains. I just wish it would work with Exim.

Help would be very much appreciated.
 
For some reason you don't seem to have /usr/local/directadmin/conf/ca.csr generated. I'd suggest opening a ticket in tickets.directadmin.com and attaching your root password there as encrypted data.
 
For some reason you don't seem to have /usr/local/directadmin/conf/ca.csr generated. I'd suggest opening a ticket in tickets.directadmin.com and attaching your root password there as encrypted data.

My root password? As encrypted data? :confused:
 
My root password? As encrypted data? :confused:

I can't seem to edit my reply, so just a heads up:
I've opened a ticket and awaiting reply. I haven't sent any login info as my server is only accessible through a defined IP range/port and root can only be achieved through other users. I reckon everyone uses this setup...
 
For some reason you don't seem to have /usr/local/directadmin/conf/ca.csr generated. I'd suggest opening a ticket in tickets.directadmin.com and attaching your root password there as encrypted data.

I've solved it with some help of the support.
For anyone interested: /usr/local/directadmin/conf/ca.san_config wasn't set up properly. I have no recollection of how it came to exist though, so I can't point out the culprit. I was missing the section header [ SAN ].
Simply adding this didn't resolve the problem. A quick comparison with another config (e.g. /usr/local/directadmin/data/users/<USER>/domains/domain.x.san_config) revealed a significant difference in setup.
letsencrypt.sh will create a conf/ca.san_config for you if it doesn't exist. So I just backed up and deleted mine and reconfigured the command's outcome.

I've now got myself into a pickle, though, as I've been telling my users to use mail.yourdomain.com in their clients. The new license is only valid for mail.server.com. Do you reckon I'd have to tell my users to switch, or is there a way to get their domains working with the(/a) license as well?
 
Just execute the following in SSH:
Code:
cd /usr/local/directadmin/scripts
./letsencrypt.sh request server.hostname.com 4096

I did, but I still get the error:
[root@demo scripts]# ./letsencrypt.sh request my_hostname_of_vps 4096
Setting up certificate for a hostname: demo.dts.com.vn
Getting challenge for demo.dts.com.vn from acme-server...
./letsencrypt.sh: line 336: [: : integer expression expected
./letsencrypt.sh: line 352: [: : integer expression expected
./letsencrypt.sh: line 376: /var/www/html/.well-known/acme-challenge/: Is a directory
./letsencrypt.sh: line 392: [: -ne: unary operator expected
Waiting for domain verification...
rm: cannot remove `/var/www/html/.well-known/acme-challenge/': Is a directory
Challenge is . Details: . Exiting...

Kindly show me how to fix it.
Thank you.
 