Request to provide support for Let's Encrypt

Just an update: we've made a few changes to DA, the script and CustomBuild for the pre-release.

So for anyone who wants to try it out, they need to run ./build update; ./build rewrite_confs, such that the /.well-known alias gets added to httpd-aliases.conf, pointing to /var/www/html/.well-known. It was previously set to the User's public_html, but that started to get messy with custom DocumentRoot values (it can still be used if you have letsencrypt=2, rather than 1, should you not want to use the Alias method).

John
 

I tested this feature but can't get it to validate.

Error msg.

Challenge is invalid. Details: Error parsing key authorization file: Invalid key authorization: 311 parts
 
I installed the update today, and it seems to work fine. Do not forget to run these actions:
ACTION REQUIRED
You must have the .well-known Alias pointing to /var/www/html/.well-known, so update your CustomBuild configs:
cd /usr/local/directadmin/custombuild
./build update
./build rewrite_confs

Now I have a domain with a subdomain, but DA does not include these in the certificate request. How is it possible to do this? And would it be possible to have an option in the future to include all subdomains in the certificate?
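The "Invalid key authorization: 311 parts" error quoted earlier and the .well-known alias instructions above are two sides of the same HTTP-01 check: the CA fetches /.well-known/acme-challenge/&lt;token&gt; and expects exactly `<token>.<account-key-thumbprint>`, so a body with hundreds of dots is almost always an HTML error page served because the alias is not pointing at the directory the script writes to. The following is an added example (not DirectAdmin's or Let's Encrypt's code) that reproduces the CA-side parse so a DA admin can diagnose what the vhost is actually serving; the JWK, token and HTML page are constructed sample values, and tolerating trailing whitespace is an assumption.

```python
"""Replicate the ACME HTTP-01 key-authorization parse (RFC 8555 s8.3) to tell a
misrouted /.well-known alias from a wrong token or a foreign account key."""
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as used throughout ACME."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over canonical JSON of the required public
    members only (RSA: e, kty, n), keys sorted, no whitespace. Optional members
    such as "alg" or "kid" must not influence the result."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canon = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canon.encode("utf-8")).digest())


def check_key_authorization(body: str, token: str, thumbprint: str) -> tuple:
    """Mimic the validation server: the fetched body must be '<token>.<thumbprint>'.
    Anything else, typically an HTML 404 page when /.well-known is not aliased
    to the directory the challenge file was written to, splits into many parts."""
    parts = body.rstrip().split(".")   # assumption: trailing whitespace is tolerated
    if len(parts) != 2:
        return False, f"Invalid key authorization: {len(parts)} parts (check the /.well-known alias target)"
    if parts[0] != token:
        return False, "token mismatch: a stale or foreign challenge file is being served"
    if parts[1] != thumbprint:
        return False, "thumbprint mismatch: file was written for a different ACME account key"
    return True, "ok"


# Constructed sample inputs; not a real key, token or server response.
SAMPLE_JWK = {"kty": "RSA", "n": "sXchDaQebHnPiGvyDOAT4saGEUetSyo9MKLOoWFsueri23bOdgWp4Dy0",
              "e": "AQAB", "alg": "RS256"}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
SAMPLE_HTML = ("<html><head><title>404 Not Found</title></head><body>The requested URL "
               "/.well-known/acme-challenge/x was not found.</body></html>\n")

if __name__ == "__main__":
    tp = jwk_thumbprint(SAMPLE_JWK)
    print(check_key_authorization(SAMPLE_TOKEN + "." + tp + "\n", SAMPLE_TOKEN, tp))
    print(check_key_authorization(SAMPLE_HTML, SAMPLE_TOKEN, tp))
```

To use it against a live vhost, fetch http://&lt;domain&gt;/.well-known/acme-challenge/&lt;token&gt; with curl and pass the body in; a large part count means the request never reached /var/www/html/.well-known.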
 

John, this is seriously very awesome. Thanks :D
 
I've tried it and it works amazingly well. I've also written a guide for it here: https://raymii.org/s/articles/Lets_Encrypt_Directadmin_Now_Built_In.html, for others that are interested.

Let's hope the auto-renewal works just as well, that would save a lot of time for me :)

Again, thanks very much for building this in.

Would you consider an option to mass-enable Let's Encrypt for all domains in the future, just as, for example, DKIM and SpamAssassin can currently be enabled for all domains on the server and for new ones added?
 
Let's Encrypt uses a default key size of 2048, right? Any reason why DirectAdmin has set 4096 as default?
See https://www.gnupg.org/faq/gnupg-faq.html#no_default_of_rsa4096 which recommends using 2048.

I totally agree that 2048 is really enough for today; however, there are different opinions about it. For example, if you'd like to get 100% scores with the SSL Labs test: https://www.ssllabs.com/ssltest/, you'd need a 4096-bit key: https://www.ssllabs.com/downloads/SSL_Server_Rating_Guide.pdf. Their explanation:
https://community.qualys.com/thread/11386 said:
With some suites, the size of the key is the only factor that determines the strength of the key exchange. However, some suites will use RSA for authentication and DH for the key exchange. In the latter case, the kx strength is equal to the weaker of the two. If you look at your results, you will find that some DH parameters are 1024 bits, which is what is bringing your score down.
 
At the moment, I'm having trouble with one instance of the Let's Encrypt system.
For example, I have a user with domain 'foobar.example.org'. We don't control the DNS, and only foobar.example.org has been forwarded to our system.
I have manually edited the httpd.conf and san_config file, but DA seems to add www. by default all the time. Usually this isn't a problem, but for Let's Encrypt it is.
Mostly due to the fact that the check the system does needs to be OK, which isn't the case for www.foobar.example.org.

Is it possible to detect this, and provide an option to disable the www. record or something when enabling Let's Encrypt?

By the way: it's a great feature we're actively testing with, before enabling it for all our clients.
 
"chattr +i" might be a good temporary solution for the san_config :)
 
It would be handy to have POST/PRE scripts for Let's Encrypt request/renew/revoke,
for the cases when we use remote services to filter traffic, and other load balancers and proxies,
so that we could write a script to copy/transfer renewed and newly created certs to a remote server without an admin.

- POST/PRE scripts for Let's Encrypt request/renew/revoke
https://forum.directadmin.com/showthread.php?t=52829&p=271191
 
I have some resellers which want whitelabel services. Is it possible to use multiple domains in the exim Let's Encrypt certificate?
 
Can you even use Let's Encrypt with Exim? For websites they are single-domain only at least.
 