san_config automatically overwritten all the time (letsencrypt)

Paul K (Verified User, joined Dec 1, 2011, 22 messages)
I have a domain, say example.com. I have not configured subdomains because the website uses a multi-subdomain setup via DNS, in which all domains are routed to the same public directory.

As such, I altered the example.com.san_config in the /usr/local/directadmin/data/users/<user>/domains/ directory and appended multiple subdomain entries as follows:
subjectAltName = DNS:example.com, DNS: sub1.example.com, DNS: sub2.example.com

If I manually renew, this works fine and the Let's Encrypt certificate covers all of the subdomains. The .san_config file is also not modified after this operation.

However, when the automatic renewal occurs, the .san_config is overwritten and my custom added entries are gone. I have no clue why this happens and have not found any other file where the specific changes are defined.

Which other scripts/sources are used to construct this file (especially: overwriting the subjectAltName line)?

Thanks a lot for the insights!
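The drift described above (custom subjectAltName entries silently disappearing after an automatic renewal) is easy to miss until a client hits a certificate that no longer covers its host. The following is an added example, not code from the thread or from DirectAdmin; it parses the subjectAltName line of a .san_config file in the format shown in the post (tolerating the "DNS: name" spacing used there), compares it with the list of names you expect, and reports which entries went missing. The two file contents are constructed samples; the function names and the expected-names list are hypothetical. It could be run from cron after the renewal window and its output forwarded to whatever alerting you already use.

```python
"""Detect SAN drift in a DirectAdmin-style .san_config file (added example)."""
import re
import sys
from typing import Dict, List, Tuple

# Constructed sample: the line the user wrote into example.com.san_config.
# The spaces after "DNS:" mirror the post and must be tolerated by the parser.
CUSTOM_SAN_CONFIG = (
    "subjectAltName = DNS:example.com, DNS: sub1.example.com, DNS: sub2.example.com\n"
)

# Constructed sample: what the same file might look like after a renewal
# that regenerated it without the custom entries.
REGENERATED_SAN_CONFIG = "subjectAltName = DNS:example.com, DNS:www.example.com\n"

# Matches the subjectAltName line regardless of case and surrounding whitespace.
SAN_LINE = re.compile(r"^\s*subjectAltName\s*=\s*(.*)$", re.IGNORECASE | re.MULTILINE)


def parse_san_config(text: str) -> List[str]:
    """Return the DNS names on the subjectAltName line, lower-cased, in order, deduplicated.

    Non-DNS entries (IP:, email:) are ignored because only hostnames matter here.
    """
    match = SAN_LINE.search(text)
    if not match:
        return []
    names: List[str] = []
    for entry in match.group(1).split(","):
        entry = entry.strip()
        if not entry:
            continue
        kind, _, value = entry.partition(":")
        if kind.strip().upper() != "DNS":
            continue
        value = value.strip().lower()
        if value and value not in names:
            names.append(value)
    return names


def san_drift(expected: List[str], actual: List[str]) -> Tuple[List[str], List[str]]:
    """Return (missing, extra): names expected but absent, and names present but unexpected."""
    missing = [n for n in expected if n not in actual]
    extra = [n for n in actual if n not in expected]
    return missing, extra


def check_san_config(expected_text: str, current_text: str) -> Dict[str, object]:
    """Compare a known-good .san_config body against the current one.

    The check is only "ok" when nothing you expected has been dropped; extra
    names are reported but do not by themselves fail the check.
    """
    expected = parse_san_config(expected_text)
    actual = parse_san_config(current_text)
    missing, extra = san_drift(expected, actual)
    return {"ok": not missing, "missing": missing, "extra": extra}


def check_san_config_file(path: str, expected_names: List[str]) -> Dict[str, object]:
    """Read a real .san_config (hypothetical path) and compare it with expected_names."""
    with open(path, "r", encoding="utf-8") as fh:
        current = fh.read()
    missing, extra = san_drift([n.lower() for n in expected_names], parse_san_config(current))
    return {"ok": not missing, "missing": missing, "extra": extra}


if __name__ == "__main__":
    # Stand-alone run against the constructed samples; exits non-zero on drift
    # so a cron wrapper can turn it into an alert.
    result = check_san_config(CUSTOM_SAN_CONFIG, REGENERATED_SAN_CONFIG)
    print("SAN check:", "OK" if result["ok"] else "DRIFT DETECTED")
    print("  missing:", result["missing"])
    print("  extra:  ", result["extra"])
    sys.exit(0 if result["ok"] else 1)
```

Keeping a copy of the intended subjectAltName line (or just the expected host list) outside the domains/ directory is what makes this check meaningful: the comparison baseline must not live in the file that renewal is allowed to rewrite.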
 
Hello,

I don't recall seeing anything of this kind before... In my understanding, all the SANs should stay untouched by the renewal process from DirectAdmin. Are you sure that you did not set non-standard permissions on the files?

And does /usr/local/directadmin/data/users/*/domains/*.cert.creation_time exist?
 
Thanks for your reply! Yes, the .cert.creation_time file exists. Its timestamp matches the modification time of the file. The .san_config file also has exactly the same modification date as the other cert files. I did not change any permissions. Very strange.
 
Any chance you have custom scripts under /usr/local/directadmin/scripts/custom/? Could they interfere with the renewal process? Other scripts from crontab?
 
Any chance you have custom scripts under /usr/local/directadmin/scripts/custom/? Could they interfere with the renewal process? Other scripts from crontab?

Nope, nothing related (only subdomain_create_post and destroy_post), which have no influence on certificates. There are also no other crontab items that remotely touch certificates or services. It's very odd. Even the certificate hosts on the SSL page showed the different hosts.

With the new DA update I've now set a wildcard certificate, which I guess should also solve my problem.
 