ACTION REQUIRED: Renew these Let's Encrypt certificates by March 4

DirectAdmin Support

DirectAdmin Support

Administrator
Staff member
Joined
Feb 27, 2003
Messages
8,138
Hello,

You may or may not have received an email from [email protected] with the subject:
ACTION REQUIRED: Renew these Let's Encrypt certificates by March 4
Click to expand...

This is the related URL they've referenced describing the issue:
community.letsencrypt.org

Revoking certain certificates on March 4

[Update 2020-03-05: The most up-to-date summary is at 2020.02.29 CAA Rechecking Bug] Due to the 2020.02.29 CAA Rechecking Bug, we unfortunately need to revoke many Let’s Encrypt TLS/SSL certificates. We’re e-mailing affected subscribers for whom we have contact information. This post and...
community.letsencrypt.org community.letsencrypt.org

We do have a solution already in play in CustomBuild rev 2430 on our mirrors, where you'd simply need to run:
Code: 
cd /usr/local/directadmin/custombuild
./build update
./build versions
and you'll see something like:
Code: 
[root@server custombuild]# ./build versions
Checking Let's Encrypt certificates for renewal (to fix CAA bug)...
....
If you have any affected domains, they'll be logged in the check file:
Code: 
/usr/local/directadmin/custombuild/.le_caa_fix
and each renewed domain will be added to this .le_caa_fix log file as:
Code: 
Renewing domain.com
which is pushed to the task.queue for immediate renewal after resetting the domain.com.creation_time file to 1577994077, which is "61 days ago" so it should trigger the auto-renewal normally.
If the .le_caa_fix file is present, the check will not be run again. If you need it to run again, just delete the .le_caa_fix and re-run ./build versions.

Note, if you've got CustomBuild setup to update daily and send you a notice about new versions, the above will be covered within this, once you get the new script and the related calls are triggered. (If anyone wants to dig into the build script, the check is done in the doChecks() function call, which is called by various ./build <options>, including ./build versions.)

CustomBuild uses the provided curl request to the LE servers to confirm if a given domain is affected, so only affected domains will be renewed.

If you're only a User and your cert has issues from revocation, you can simply re-request it normally from your User Level, in case you get to it before your Admin or before CustomBuild does it for you.

John
 
Thanks for the quick response, only one small flaw:
Bash: 
ls: cannot access '/usr/local/directadmin/data/users/*/domains/*.creation_time': No such file or directory
On hosts without LetsEncrypt user certs.
 
Hello,

Thanks for the prompt fix.
Really appreciate that you guys are improving day by day.
KEEP IT UP
 
DirectAdmin Support said:
Hello,

You may or may not have received an email from [email protected] with the subject:


This is the related URL they've referenced describing the issue:
community.letsencrypt.org

Revoking certain certificates on March 4

[Update 2020-03-05: The most up-to-date summary is at 2020.02.29 CAA Rechecking Bug] Due to the 2020.02.29 CAA Rechecking Bug, we unfortunately need to revoke many Let’s Encrypt TLS/SSL certificates. We’re e-mailing affected subscribers for whom we have contact information. This post and...
community.letsencrypt.org community.letsencrypt.org

We do have a solution already in play in CustomBuild rev 2430 on our mirrors, where you'd simply need to run:
Code: 
./build update
./build versions
and you'll see something like:
Code: 
[root@server custombuild]# ./build versions
Checking Let's Encrypt certificates for renewal (to fix CAA bug)...
....
If you have any affected domains, they'll be logged in the check file:
Code: 
/usr/local/directadmin/custombuild/.le_caa_fix
and each renewed domain will be added to this .le_caa_fix log file as:
Code: 
Renewing domain.com
which is pushed to the task.queue for immediate renewal after resetting the domain.com.creation_time file to 1577994077, which is "61 days ago" so it should trigger the auto-renewal normally.
If the .le_caa_fix file is present, the check will not be run again. If you need it to run again, just delete the .le_caa_fix and re-run ./build versions.

Note, if you've got CustomBuild setup to update daily and send you a notice about new versions, the above will be covered within this, once you get the new script and the related calls are triggered. (If anyone wants to dig into the build script, the check is done in the doChecks() function call, which is called by various ./build <options>, including ./build versions.)

CustomBuild uses the provided curl request to the LE servers to confirm if a given domain is affected, so only affected domains will be renewed.

If you're only a User and your cert has issues from revocation, you can simply re-request it normally from your User Level, in case you get to it before your Admin or before CustomBuild does it for you.

John
Click to expand...
You forgot to add " cd /usr/local/directadmin/custombuild/" command first
 
I do not see anything remotely resembling LE checks for build versions, apart from if the OS is Debian 9?
 
Could it be not all mirrors are synced yet?
I don't see the:
Checking Let's Encrypt certificates for renewal (to fix CAA bug)...
Click to expand...
either on Centos 7 servers.

This is what I see after doing the ./build update command ofcourse:
Code: 
[root@server23: /usr/local/directadmin/custombuild]# ./build versions
Latest version of DirectAdmin: 1.60.4
Installed version of DirectAdmin: 1.60.4

Latest version of Let's Encrypt client: 1.1.40
Installed version of Let's Encrypt client: 1.1.40

Latest version of Apache: 2.4.41
Installed version of Apache: 2.4.41
etc.

At least 2 different mirrors are used.
 
@Richard G, Is this file present on those servers?: /usr/local/directadmin/custombuild/.le_caa_fix - if so it just mean that the check has already been run previously.
 
Thank you ditto, I only did a manual check via a tool from LE itself several days ago, before I read this thread. That said no affected certificates found on all servers.

The .le_caa_fix files by DA are create on the date I ran them, which is march 4th (day before yesterday) when I did not see the notice mentioned.

Now for the fun part.
On server 1 and 3, the file is 0 bytes.
On server 2 de file is 50 kb.
I checked the content and it contains 2 domains having the certificated renewed. This should have happaned the 4th too.
But as stated, on that server also no notification.

I don't mind, because it looks like the fix is working, but I would have been nice if I had seen this when the option is available. ;)
 
sufiyanshaikh said:
You forgot to add " cd /usr/local/directadmin/custombuild/" command first
Click to expand...

A bit off topic, but I've really never understood DirectAdmin's fascination with cd'ing into /usr/local/directadmin/custombuild/ before issuing commands. Why not just give the full path in a single command line.

/usr/local/directadmin/custombuild/build update
/usr/local/directadmin/custombuild/build versions

That seems simplier to me - and it's what I do.
 
You must log in or register to reply here.
Back
Top