Directadmin added domain site ends up using main hostname's Letsencrypt SSL cert?

eva2000

DirectAdmin noob adding his first domain setup via DirectAdmin User control panel :)

Background
  • Directadmin was installed with hostname configured as hostname.domain.com with letsencrypt SSL cert setup as outlined here. Specifically
    Code:
    cd /usr/local/directadmin/scripts
    dahostname=hostname.yourdomain.com
    ./letsencrypt.sh request_single $dahostname 4096
  • New domain added was a subdomain name as subdomain1.domain.com via User level access via Account Manager > Domain Setup with SSL checkbox enabled.
Problem
  • The new subdomain1.domain.com ends up using the Letsencrypt SSL certificate issued to the hostname.domain.com and not as subdomain1.domain.com ? Am I meant to also manually run
    Code:
    cd /usr/local/directadmin/scripts
    vhostname=subdomain1.yourdomain.com
    ./letsencrypt.sh request_single $vhostname 2048
    I thought if I enabled Letsencrypt it would automatically do this step if SSL is checked ?
    Code:
    egrep 'enable_ssl_sni=|letsencrypt=' /usr/local/directadmin/conf/directadmin.conf
    letsencrypt=1


And resulting vhost below see it's using the main hostname's SSL certs ?
Code:
        SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
        SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
        SSLCACertificateFile /etc/httpd/conf/ssl.crt/server.ca
        ServerName www.subdomain.domain.com

Code:
# Auto generated apache config file by DirectAdmin version 1.57.5
# Modifying this file is not recommended as any changes you make will be
# overwritten when the user makes any changes to their website

# For global config changes that affect all Users, see this guide:
# http://help.directadmin.com/item.php?id=2
# For local config changes that only affect one User, see this guide:
# http://help.directadmin.com/item.php?id=3


<Directory "/home/admin/public_html">
                <FilesMatch "\.(inc|php|phtml|phps|php73)$">
                        AddHandler "proxy:unix:/usr/local/php73/sockets/admin.sock|fcgi://localhost" .inc .php .phtml .php73
                </FilesMatch> 
        <IfModule mod_fcgid.c>
                SuexecUserGroup admin admin
        </IfModule>
</Directory>

<VirtualHost SERVERIP:80 >
        ServerName www.subdomain.domain.com
        ServerAlias www.subdomain.domain.com subdomain.domain.com 
        ServerAdmin [email protected]
        DocumentRoot /home/admin/domains/subdomain.domain.com/public_html
        UseCanonicalName OFF
        <IfModule !mod_ruid2.c>
                SuexecUserGroup admin admin
        </IfModule>
        CustomLog /var/log/httpd/domains/subdomain.domain.com.bytes bytes
        CustomLog /var/log/httpd/domains/subdomain.domain.com.log combined
        ErrorLog /var/log/httpd/domains/subdomain.domain.com.error.log
        <Directory /home/admin/domains/subdomain.domain.com/public_html>
                AllowOverride AuthConfig FileInfo Indexes Limit Options=Indexes,IncludesNOEXEC,MultiViews,SymLinksIfOwnerMatch,FollowSymLinks,None
                Options -ExecCGI -Includes +IncludesNOEXEC
                <FilesMatch "\.(inc|php|phtml|phps|php73)$">
                        <If "-f %{REQUEST_FILENAME}">
                                #ProxyErrorOverride on
                                AddHandler "proxy:unix:/usr/local/php73/sockets/admin.sock|fcgi://localhost" .inc .php .phtml .php73
                        </If>
                </FilesMatch>
        </Directory>
</VirtualHost>

<VirtualHost SERVERIP:443 >
        SSLEngine on
        SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
        SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
        SSLCACertificateFile /etc/httpd/conf/ssl.crt/server.ca
        ServerName www.subdomain.domain.com
        ServerAlias www.subdomain.domain.com subdomain.domain.com 
        ServerAdmin [email protected]
        DocumentRoot /home/admin/domains/subdomain.domain.com/private_html
        UseCanonicalName OFF
        <IfModule !mod_ruid2.c>
                SuexecUserGroup admin admin
        </IfModule>
        CustomLog /var/log/httpd/domains/subdomain.domain.com.bytes bytes
        CustomLog /var/log/httpd/domains/subdomain.domain.com.log combined
        ErrorLog /var/log/httpd/domains/subdomain.domain.com.error.log
        <Directory /home/admin/domains/subdomain.domain.com/private_html>
                AllowOverride AuthConfig FileInfo Indexes Limit Options=Indexes,IncludesNOEXEC,MultiViews,SymLinksIfOwnerMatch,FollowSymLinks,None
                Options -ExecCGI -Includes +IncludesNOEXEC
                <FilesMatch "\.(inc|php|phtml|phps|php73)$">
                        <If "-f %{REQUEST_FILENAME}">
                                #ProxyErrorOverride on
                                AddHandler "proxy:unix:/usr/local/php73/sockets/admin.sock|fcgi://localhost" .inc .php .phtml .php73
                        </If>
                </FilesMatch> 
        </Directory>
</VirtualHost>
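
A check for the symptom shown in the post above, as an added example that is not part of the original thread: it lists every :443 VirtualHost in an Apache config and marks those still pointing at the shared hostname certificate (`/etc/httpd/conf/ssl.crt/server.crt` in the vhost above). The function names, the sample hostnames and addresses, and the per-domain certificate path are constructed placeholders.

```shell
#!/bin/sh
# Shared hostname certificate, as it appears in the vhost posted above.
SHARED_CERT=/etc/httpd/conf/ssl.crt/server.crt

# audit_vhost_certs FILE (hypothetical helper, not a DirectAdmin script)
# For each :443 VirtualHost in FILE print "STATUS ServerName certfile", where
# STATUS is SHARED if the vhost serves the hostname certificate, OWN otherwise.
audit_vhost_certs() {
    awk -v shared="$SHARED_CERT" '
        { d = tolower($1) }    # Apache directive names are case-insensitive
        d == "<virtualhost" {
            invh = 1; ssl = ($0 ~ /:443[ \t>]/); name = "-"; cert = "-"; next
        }
        invh && d == "servername"         { name = $2 }
        invh && d == "sslcertificatefile" { cert = $2 }
        d == "</virtualhost>" {
            if (invh && ssl) {
                status = (cert == shared) ? "SHARED" : "OWN"
                print status, name, cert
            }
            invh = 0
        }
    ' "$1"
}

# write_sample_conf FILE: constructed sample input, not taken from a real server.
write_sample_conf() {
    cat > "$1" <<'EOF'
<VirtualHost 192.0.2.10:80 >
        ServerName www.sub1.example.test
</VirtualHost>
<VirtualHost 192.0.2.10:443 >
        SSLEngine on
        SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
        ServerName www.sub1.example.test
</VirtualHost>
<VirtualHost 192.0.2.10:443 >
        SSLEngine on
        SSLCertificateFile /placeholder/per-domain/sub2.example.test.crt
        ServerName www.sub2.example.test
</VirtualHost>
EOF
}

conf=$(mktemp)
write_sample_conf "$conf"
audit_vhost_certs "$conf"
rm -f "$conf"
```

A SHARED line for a customer domain means visitors to that name are served the certificate issued for the server hostname.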
 
letsencrypt.sh just generates the cert, it does not change user settings to enable ssl or use it. When done from interface, or new SSL administration page (not finished yet) - it turns it on too. Autoletsencrypt.sh is a good example of how to automate it. Of course, if there is a need, we could modify that script to affect configs too :)
 
letsencrypt.sh just generates the cert, it does not change user settings to enable ssl or use it. When done from interface, or new SSL administration page (not finished yet) - it turns it on too. Autoletsencrypt.sh is a good example of how to automate it. Of course, if there is a need, we could modify that script to affect configs too :)
so for my subdomain1.domain.com to have its letsencrypt ssl cert I still need to run the below ?
Code:
cd /usr/local/directadmin/scripts
vhostname=subdomain1.yourdomain.com
./letsencrypt.sh request_single $vhostname 2048
 
It should not be needed to run the code manually. At least in Enhanced skin it would not be needed. Hopefully Martynas can clarify, or guess what is special in your settings that can cause this behaviour.
 
It should not be needed to run the code manually. At least in Enhanced skin it would not be needed. Hopefully Martynas can clarify, or guess what is special in your settings that can cause this behaviour.

FYI I am using default Evolution skin
 
You say you added subdomain.domain.com in user level. But to me it looks like subdomain.domain.com is added in the "admin" user account. Is that correct? If so, that may be the reason. Personally I never add domains in "admin" user account. Maybe you could create a new regular user account and test if that solves the problem?
 
You say you added subdomain.domain.com in user level. But to me it looks like subdomain.domain.com is added in the "admin" user account. Is that correct? If so, that may be the reason. Personally I never add domains in "admin" user account. Maybe you could create a new regular user account and test if that solves the problem?

Yeah I added it to admin user account it seems. Standard procedure is to create a new user for each domain ?

can't see where to add a regular non-admin user, the options listed only show create admin or reseller ?

  • Create Administrator
  • List Administrators
  • Change Passwords
  • Create Reseller
  • List Resellers
  • Manage Reseller Packages
  • Show All Users
  • Move Users between Resellers
 
I am not sure what everybody else does, but I think most people do not add domains in admin user account. But I can only speak for myself.

But you don't need to create a user for every new domain, you can create a package that allows for many addon domains in a single user account.

It might be a bug with Let's Encrypt and addon domains in "admin" user account, maybe Martynas can check that out. At least if you confirm the problem does not happen in regular user accounts (it should not).
 
can't see where to add a regular non-admin user, the options listed only show create admin or reseller ?

I have never used Evolution skin, so I can't guide you on that. However you need to go to "Reseller level" first. In Enhanced skin you create a new user like this:

Log in as admin user in Enhanced:
Go to "Reseller level"
Click "Add New User" (select package)

But before creating a new user I recommend that you create a package with the max values and setting you want, like this:

Log in as admin user in Enhanced:
Go to "Reseller level"
Click "Add Package" (and set all the max values and settings you want)

Then when creating a new user, select the package you previously created.
 
thanks

I see so non-admin means reseller user in this context for create a non-admin user to add new domains to ?
 
I am not sure I understand you completely. However, when you create a new user at Reseller level without creating a reseller, then that user is assigned directly under the admin user. So put in other words; if you do not use/offer reseller hosting, then you still need to go to Reseller level when creating a new regular user, that is the normal way you create a new user (unless you want to create a reseller user and assign the new user under that particular reseller).
 
However, when you create a new user at Reseller level without creating a reseller, then that user is assigned directly under the admin user. So put in other words; if you do not use/offer reseller hosting, then you still need to go to Reseller level when creating a new regular user, that is the normal way you create a new user (unless you want to create a reseller user and assign the new user under that particular reseller).

Ah that's what I was asking - basically to create a non-admin need to create it at Reseller level.

thanks
 
Yes, that is correct. I understand you now. :) I don't know how intuitive the Evolution skin is on the levels, as I have not used Evolution skin myself (I have created a custom skin based on Enhanced). However I find the "Admin" level (most normal admin task), "Reseller" level (create users and create/manage user packages) and "User" level (mostly to "Login as User" by going directly from Admin level to "Show All Users" and click on them), pretty intuitive in the Enhanced skin.
 
Yeah I added it to admin user account it seems. Standard procedure is to create a new user for each domain ?

can't see where to add a regular non-admin user, the options listed only show create admin or reseller ?

  • Create Administrator
  • List Administrators
  • Change Passwords
  • Create Reseller
  • List Resellers
  • Manage Reseller Packages
  • Show All Users
  • Move Users between Resellers
George
If you go here: https://www.site-helper.com/evo/sitehelper.php
It's the main link for site helper. It covers all the different sections and more.

It's in the section labeled as Help and Support.

Also just for note: The old one for enhanced is here https://www.site-helper.com/
 
I think most people do not add domains in admin user account.

Ditto thanks..

I was told by Alex it's not really recommended. I assume this means only to admin "user" itself.

Let me preface this below with I don't have any resellers it's just me.

So is it?

That adding users in the reseller section is ok under admin? What I understand is Admins are both Admins and resellers in operation. Which is a bit confusing. I think cpanel was the same actually but hid it better maybe.

OR

Do you all create a totally separate reseller account for just shared hosting even if it's "just you"?

I hope that makes sense...
 
Ditto thanks..

I was told by Alex it's not really recommended. I assume this means only to admin "user" itself.

Let me preface this below with I don't have any resellers it's just me.

That sounds correct. :)

So is it?

That adding users in the reseller section is ok under admin? What I understand is Admins are both Admins and resellers in operation. Which is a bit confusing. I think cpanel was the same actually but hid it better maybe.

Yes, that is OK. I guess you could call an admin user a reseller also.

OR

Do you all create a totally separate reseller account for just shared hosting even if it's "just you"?

I hope that makes sense...

I have never done that (I am running shared hosting servers), and I have never heard of anyone else that has done that. Also I don't see any real benefit of creating a reseller in this case.
 
letsencrypt.sh just generates the cert, it does not change user settings to enable ssl or use it. When done from interface, or new SSL administration page (not finished yet) - it turns it on too. Autoletsencrypt.sh is a good example of how to automate it. Of course, if there is a need, we could modify that script to affect configs too :)

Ok here is what I think. There should be a switchable, notifiable, and totally full auto way. Here is what I mean. I will start with a server creation.

Server setup should automatically attempt to secure the Server side on or before first use. As long as all the needed pieces to create are there eg fqdn and dns in place. If the Admin wants to use a Paid cert they can replace it easily.

Once any domain, subdomain is added at anytime if SSL is "switched" on (should be by default) The system just automatically goes and creates and installs the cert for the domain. Then notifies the User and or the admin of error and or completion.
If the cert does not complete and or install fully for say dns issues it should retry every few hours automatically.

The GUI should have the ability to show the user and or the admin what happened via a log. It should also allow for current function as well. In general it should also remove the Certs if the user is deleted or the user deletes the domain.

In short if the admin switches on SSL it should be as transparent and automatic as possible. The system should be readily secured easily. For those that don't want ssl to be automatic the switch can be set to 0 or turned off in packages.
 
I have never done that (I am running shared hosting servers), and I have never heard of anyone else that has done that. Also I don't see any real benefit of creating a reseller in this case.

Great I have mine set up correctly then.. Yeah an extra reseller did not make sense to me either. Wanted to be sure I wasn't missing something..

Thanks again Ditto..
 