Assistance on which subdomains auto SSL attempts

John C. Reid

I am setting up a new server to evaluate DirectAdmin as I am looking at possibly converting all my shared hosting servers from cPanel. This server will end up being a production server, but it is not shared hosting. It is used for our internal domains and websites. I am using it as testing and to help me get a template for how I would set up all of my other DirectAdmin servers for the shared hosting. Right now I am attempting to get new user creation to work as I need it to.

In our environment we don't use the web servers for DNS or Email, those are separate dedicated servers. However, I want the zone on the web server to at least reflect the correct records as much as possible, and I would like to prevent conflicts and issues as much as possible. Right now this means not attempting to get an SSL cert for subdomains that will never be pointed to the server.

I have created a /usr/local/directadmin/data/templates/custom/dns_a.conf file that eliminates the "mail", "pop", and "smtp" subdomains from the zone file when I create a new user. I can see that those subdomains are in fact not in the created zone, however logged in as the user, under Account Manager » SSL Certificates, Hosts: It still shows the mail., pop, and smtp. subdomains.

How do I go about editing that for new user creation? Is it a template somewhere? Is DA doing some kind of detection of existing subdomains in the domain zone file? It seems to me that as long as the auto SSL is attempting to get a cert for subdomains that are not pointed at that server it will fail, and since we use a dedicated mail server, those subdomains will never be pointed at that server. Meaning that auto SSL as it stands will always fail.

Thank you for helping a noob learn how DA handles this kind of thing.
 
How do I go about editing that for new user creation?
Please don't call them subdomains as they are not real subdomains.
The dns_a.conf is indeed used for A records.
If you want to have the Letsencrypt options removed too, that's another part as that is separate from DNS.
In the /usr/local/directadmin/conf/directadmin.conf file change:
letsencrypt_list=www:mail:ftp:pop:smtp:imap
to
letsencrypt_list=www:ftp
and restart Directadmin and then these options should be removed too.
 
Thank you Richard. I am still learning where all of these things are configured. There appears to be much which is done from config files rather than the GUI, which is fine, but you have to know which files to modify. You can't just stumble into it like you could if it was in the GUI somewhere. Since we are talking about a setting that you only configure once on server setup and likely would not touch again, it is probably for the best it is not in the GUI.

BTW, what do you mean they are not real subdomains? I am pretty sure my terminology there is correct. In the example of ftp.test.com the .com is the TLD (Top Level Domain) and resides directly below the root domain of "." The "test" portion of that string combined with the TLD is the domain, and anything that comes before the "." preceding test.com is a subdomain, which can go about as deep as you want. I have been working with DNS for well over 30 years, and I have not heard any of it referred to differently. Well, at least not by anyone who understood DNS.

P.S. - I didn't find a letsencrypt_list= in the file so I created it.
 
There appears to be much which is done from config files rather than the GUI,
Yes indeed that is correct. Some things should normally be basically present, like mail and ftp and LE certificates so that is all enabled by default. And then it needs to be changed in the config. DA is a bit more customisable via the console and less via the GUI compared to cPanel for example.

BTW, what do you mean they are not real subdomains? I am pretty sure my terminology there is correct.
Yes and no. Subdomains are real subdomains created to be used for the web. I find this description very good:
A subdomain name is a piece of additional information added to the beginning of a website’s domain name. It allows websites to separate and organize content for a specific function — such as a blog or an online store — from the rest of your website.

Very very strict, it's of course subdomains, but they are often not called that way to prevent confusion with real subdomains (which can be visited via browser too).
There are some "sub" domains which are more or less reserved for other functions and this way also not accessible via the web, like the mail functions, and ftp is an A record used for FTP transfers, you also don't visit that via http normally. It's not part of the website.

So that is why we rather say subdomains to real subdomains, and just call the other ftp a record or cname record and mail records. That makes it also a lot easier to help people when there is a problem. Because for example to use a real subdomain like mail.domain.com for your e-mail, you have to customize the vhost. This is not default by servers/panels while they still have A records. That is an important difference.
So maybe this makes you understand why we rather not call those names subdomains because it's confusing.

Personally I always say "subdomains are everything used with web, but mail, ftp, pop, imap, smtp are not subdomains but reserved for other functions". Which might not be 100% strictly correct to the book, but in fact they are used that way almost everywhere without customisation.
And I'm not the only one who for this reason doesn't like to call those subdomains (in spite of the fact that very strict they are).

P.S. - I didn't find a letsencrypt_list= in the file so I created it.
That is odd, because that list should be in there by default as far as I know. But if LE is working correctly then they are probably default now.
But adding it is fine.
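
The following is an added example, not code from the thread or from DirectAdmin: a shell sketch that trims letsencrypt_list to the prefixes whose A record in a zone file points at this server, then sets the key in a directadmin.conf-style file whether or not it already exists (the P.S. case above). The function names filter_le_list and set_conf_key, the one-record-per-line zone layout, and the sample addresses are assumptions made for illustration; DirectAdmin still needs a restart afterwards, as described in the reply.

```shell
#!/bin/sh
# Added example. filter_le_list and set_conf_key are hypothetical helper names.

# Print the colon-separated prefixes from list $1 that have an A record
# in zone file $2 pointing at address $3.
filter_le_list() {
    list=$1 zone=$2 ip=$3 out=
    old_ifs=$IFS; IFS=:
    for p in $list; do
        # Accepts "www 14400 IN A 192.0.2.10" as well as "www A 192.0.2.10"
        if awk -v h="$p" -v ip="$ip" '
            $1 == h { for (i = 2; i < NF; i++)
                          if ($i == "A" && $(i + 1) == ip) found = 1 }
            END { exit !found }' "$zone"; then
            out=${out:+$out:}$p
        fi
    done
    IFS=$old_ifs
    printf '%s\n' "$out"
}

# Set key $2 to value $3 in key=value file $1: rewrite the line if the key
# is present, append it if absent. Ownership and mode of $1 are preserved.
set_conf_key() {
    file=$1 key=$2 value=$3
    tmp=$(mktemp) || return 1
    awk -F= -v k="$key" -v v="$value" '
        $1 == k { if (!seen) print k "=" v; seen = 1; next }
        { print }
        END { if (!seen) print k "=" v }' "$file" > "$tmp" && cat "$tmp" > "$file"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Demo on constructed data (documentation-range addresses, throwaway files).
demo=$(mktemp -d)
printf '%s\n' 'www 14400 IN A 192.0.2.10' 'ftp 14400 IN A 192.0.2.10' \
    'mail 14400 IN A 198.51.100.7' > "$demo/zone"
: > "$demo/directadmin.conf"    # key absent, as in the thread's P.S.
keep=$(filter_le_list 'www:mail:ftp:pop:smtp:imap' "$demo/zone" 192.0.2.10)
set_conf_key "$demo/directadmin.conf" letsencrypt_list "$keep"
cat "$demo/directadmin.conf"
rm -rf "$demo"
```

Names that resolve elsewhere (mail in the sample) or have no record at all (pop, smtp, imap) drop out of the list, so the certificate request only covers hosts the server can actually answer for.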
 