Thread: Let's Encrypt - special field for additional CA certificates?

  1. #1
    Join Date
    Nov 2017
    Posts
    2

    Let's Encrypt - special field for additional CA certificates?

    Hi all,

    Let's Encrypt free certs is a nice feature, especially because (unlike with CPanel's AutoSSL) I can add also additional CA certificates to those generated by LE. In my case the certs that are needed for Estonian ID-card support.

    Everthing seems to be working well, but there is also one weakness that makes the things not so userfriendly: When LE renews its certs then all CA chain become overwritten and I have to paste the additional CA certs again.

    Would it be possible to consider any solution to prevent such overwriting? Like the following (assuming the rest will stay as is):

    The CA certificates form has 2 or even more fields.

    The first is reserved for LE CA certs. It will be updated every time when LE renews its certs.
    Another one is for additional CA chain. It could be updated only manually, remaining untouched even if both textareas (for LE and for additionals) are writing their contents into one file.

    Another option with 4 fields - one textarea is reserved for LE CA-s and this one will be updated with the rest of LE stuff.
    Another is a subform or file upload field to post custom global CA chains.
    Third is a dropdown field where to choose one from existing chains that were posted earlier.
    And fourth is a textarea for additional custom ca certs.

    Or even something better. As said, the main goal is to prevent updating non-LE CA certs.

  2. #2
    Join Date
    Apr 2005
    Location
    GMT +7.00
    Posts
    11,284
    Hello,

    While you are waiting for a response from the DirectAdmin developers, I would suggest that you use this feature: https://www.directadmin.com/features.php?id=1841. It allows you to use custom scripts before and after calls to letsencrypt.sh.

    So you can apply your changes after a renewal to fit your needs.
    With regards, Alex.

    Professional Server Management for web hosting companies and individuals
    Hourly Support, Disaster Recovery, Server Hardening, Monthly Subscription
    Directadmin installation and optimization

  3. #3
    Join Date
    Nov 2017
    Posts
    2
    Originally posted by zEitEr:
    Hello,

    While you are waiting for a response from the DirectAdmin developers, I would suggest that you use this feature: https://www.directadmin.com/features.php?id=1841. It allows you to use custom scripts before and after calls to letsencrypt.sh.

    So you can apply your changes after a renewal to fit your needs.

    Thanks for the hint! You mean letsencrypt_post.sh and action=request? And where should letsencrypt_post.sh and the file with certs be located then? In .well-known?

  4. #4
    Join Date
    Apr 2005
    Location
    GMT +7.00
    Posts
    11,284
    You've got the idea, haven't you? You can use the hook in DirectAdmin.

    Well, the action is clear enough, I'd say, and there is no need to write what the difference between request and renew is, right?

    All the individual certs and related files are located under /usr/local/directadmin/data/users/$username/domains/

    - ${domain}.cacert
    - ${domain}.cert
    - ${domain}.cert.bundle (this or next?)
    - ${domain}.cert.combined (this or previous?)
    - ${domain}.key

    So it's up to you to write a script. You can use any programming language for it: bash, perl, php, python, etc.

    So you update cacert and bundle or combined (you need to check which one is used by default on your server) with your custom cert and restart services.
    With regards, Alex.

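
As an added illustration of the post-renewal approach discussed in this thread (not code from the thread's participants or from DirectAdmin): a shell helper that a hook such as letsencrypt_post.sh could call to re-append custom CA certificates to a chain file such as ${domain}.cacert without ever adding the same certificate twice. The script name merge_extra_ca.sh, the function names and the extra-ca.pem file are assumptions.

```shell
#!/bin/sh
# Added example, not DirectAdmin code. Hypothetical usage from a post-renewal hook:
#   merge_extra_ca.sh /path/to/${domain}.cacert /path/to/extra-ca.pem
# The extra-ca.pem location and how the hook learns the domain are assumptions.

# Print the base64 body of every certificate in file $1, one per line, with
# whitespace and CRs removed so blocks compare equal regardless of wrapping.
pem_bodies() {
    awk '
        /-----BEGIN CERTIFICATE-----/ { inblk = 1; body = ""; next }
        /-----END CERTIFICATE-----/   { if (inblk && body != "") print body; inblk = 0; next }
        inblk { gsub(/[ \t\r]/, ""); body = body $0 }
    ' "$1"
}

# merge_extra_ca CHAIN EXTRA
# Append each certificate in EXTRA that CHAIN does not already contain.
# Prints the number of certificates appended; running it again appends nothing.
merge_extra_ca() {
    chain=$1 extra=$2 added=0
    [ -f "$chain" ] && [ -w "$chain" ] && [ -r "$extra" ] || return 1
    # Make sure the existing chain ends with a newline before appending.
    [ -z "$(tail -c 1 "$chain")" ] || echo >> "$chain"
    for body in $(pem_bodies "$extra"); do
        if pem_bodies "$chain" | grep -qxF -e "$body"; then
            continue    # already present (hook ran twice, or file was not overwritten)
        fi
        {
            echo "-----BEGIN CERTIFICATE-----"
            printf '%s\n' "$body" | fold -w 64
            echo "-----END CERTIFICATE-----"
        } >> "$chain"
        added=$((added + 1))
    done
    echo "$added"
}

# Run only when called with both paths, so the functions can also be sourced.
if [ "$#" -eq 2 ]; then
    merge_extra_ca "$1" "$2"
fi
```

Run it against the .cacert file and against whichever of .cert.bundle or .cert.combined the server uses, then restart services, as the last post describes.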
