ACTION REQUIRED: Renew these Let's Encrypt certificates by March 4

DirectAdmin Support

Administrator
Staff member
Joined
Feb 27, 2003
Messages
9,005
Hello,

You may or may not have received an email from noreply@letsencrypt.org with the subject:
ACTION REQUIRED: Renew these Let's Encrypt certificates by March 4
This is the related URL they've referenced describing the issue:

We do have a solution already in play in CustomBuild rev 2430 on our mirrors, where you'd simply need to run:
Code:
cd /usr/local/directadmin/custombuild
./build update
./build versions
and you'll see something like:
Code:
[root@server custombuild]# ./build versions
Checking Let's Encrypt certificates for renewal (to fix CAA bug)...
....
If you have any affected domains, they'll be logged in the check file:
Code:
/usr/local/directadmin/custombuild/.le_caa_fix
and each renewed domain will be added to this .le_caa_fix log file as:
Code:
Renewing domain.com
which is pushed to the task.queue for immediate renewal after resetting the domain.com.creation_time file to 1577994077, which is "61 days ago" so it should trigger the auto-renewal normally.
If the .le_caa_fix file is present, the check will not be run again. If you need it to run again, just delete the .le_caa_fix and re-run ./build versions.

Note, if you've got CustomBuild set up to update daily and send you a notice about new versions, the above will be covered within this, once you get the new script and the related calls are triggered. (If anyone wants to dig into the build script, the check is done in the doChecks() function call, which is called by various ./build <options>, including ./build versions.)

CustomBuild uses the provided curl request to the LE servers to confirm if a given domain is affected, so only affected domains will be renewed.

If you're only a User and your cert has issues from revocation, you can simply re-request it normally from your User Level, in case you get to it before your Admin or before CustomBuild does it for you.

John
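
An added example (not CustomBuild's own code) for verifying the outcome of the procedure in the post above: it reads the .le_caa_fix file and the per-domain creation_time files, using the paths and the 1577994077 value quoted in this thread. The function names are hypothetical, and it assumes a completed renewal rewrites creation_time with a newer timestamp.

```shell
#!/bin/sh
# Added example, not CustomBuild code. Default paths and the reset value are
# the ones quoted in the thread; each function accepts an override path.
LE_CAA_LOG=/usr/local/directadmin/custombuild/.le_caa_fix
DA_USERS=/usr/local/directadmin/data/users
RESET_EPOCH=1577994077

# State of the one-shot check: not-run | no-affected | renewed:<count>
le_caa_status() {
    log=${1:-$LE_CAA_LOG}
    if [ ! -e "$log" ]; then
        echo "not-run"            # file absent: doChecks() has not run yet
        return 0
    fi
    # grep -c exits 1 on zero matches but still prints 0
    n=$(grep -c '^Renewing ' "$log" || true)
    if [ "$n" -eq 0 ]; then echo "no-affected"; else echo "renewed:$n"; fi
}

# Domains the check queued for renewal, one per line, de-duplicated.
le_caa_renewed() {
    log=${1:-$LE_CAA_LOG}
    [ -r "$log" ] || return 0
    sed -n 's/^Renewing \([^[:space:]]*\).*$/\1/p' "$log" | sort -u
}

# Domains whose creation_time still holds the reset value, i.e. the queued
# renewal has not replaced it yet (assumption: renewal rewrites the file).
le_caa_pending() {
    users=${1:-$DA_USERS}
    for f in "$users"/*/domains/*.creation_time; do
        # With no Let's Encrypt user certs the glob stays literal: skip it.
        [ -f "$f" ] || continue
        ts=$(tr -d '[:space:]' < "$f")
        if [ "$ts" = "$RESET_EPOCH" ]; then
            basename "$f" .creation_time
        fi
    done
}

echo "CAA check: $(le_caa_status)"
le_caa_renewed
le_caa_pending
```

An empty pending list together with a non-empty renewed list means every queued domain has been processed; anything left in the pending list is worth re-requesting by hand.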
 

tristan

Verified User
Joined
Feb 11, 2005
Messages
427
Location
The Netherlands
Thanks for the quick response, only one small flaw:
Bash:
ls: cannot access '/usr/local/directadmin/data/users/*/domains/*.creation_time': No such file or directory
On hosts without LetsEncrypt user certs.
 

sufiyanshaikh

Verified User
Joined
Aug 14, 2019
Messages
34
Hello,

Thanks for the prompt fix.
Really appreciate that you guys are improving day by day.
KEEP IT UP
 

sufiyanshaikh

Verified User
Joined
Aug 14, 2019
Messages
34
You forgot to add " cd /usr/local/directadmin/custombuild/" command first
 

Peter Laws

Verified User
Joined
Sep 13, 2008
Messages
1,786
Location
London UK
I do not see anything remotely resembling LE checks for build versions, apart from if the OS is Debian 9?
 

Richard G

Verified User
Joined
Jul 6, 2008
Messages
4,541
Location
Maastricht
Could it be not all mirrors are synced yet?
I don't see the:
Checking Let's Encrypt certificates for renewal (to fix CAA bug)...
either on CentOS 7 servers.

This is what I see after doing the ./build update command of course:
Code:
[root@server23: /usr/local/directadmin/custombuild]# ./build versions
Latest version of DirectAdmin: 1.60.4
Installed version of DirectAdmin: 1.60.4

Latest version of Let's Encrypt client: 1.1.40
Installed version of Let's Encrypt client: 1.1.40

Latest version of Apache: 2.4.41
Installed version of Apache: 2.4.41
etc.
At least 2 different mirrors are used.
 

ditto

Verified User
Joined
Apr 27, 2009
Messages
2,565
@Richard G, Is this file present on those servers?: /usr/local/directadmin/custombuild/.le_caa_fix - if so it just means that the check has already been run previously.
 

Richard G

Verified User
Joined
Jul 6, 2008
Messages
4,541
Location
Maastricht
Thank you ditto, I only did a manual check via a tool from LE itself several days ago, before I read this thread. That said no affected certificates found on all servers.

The .le_caa_fix files by DA were created on the date I ran them, which is March 4th (day before yesterday) when I did not see the notice mentioned.

Now for the fun part.
On server 1 and 3, the file is 0 bytes.
On server 2 the file is 50 kb.
I checked the content and it contains 2 domains having the certificate renewed. This should have happened the 4th too.
But as stated, on that server also no notification.

I don't mind, because it looks like the fix is working, but it would have been nice if I had seen this when the option is available. ;)
 

sparek

Verified User
Joined
Jun 27, 2019
Messages
131
You forgot to add " cd /usr/local/directadmin/custombuild/" command first
A bit off topic, but I've really never understood DirectAdmin's fascination with cd'ing into /usr/local/directadmin/custombuild/ before issuing commands. Why not just give the full path in a single command line?

/usr/local/directadmin/custombuild/build update
/usr/local/directadmin/custombuild/build versions


That seems simpler to me - and it's what I do.