Automatic SSL is not enabled Ubuntu 20.04 DA v1.63.1

SupermanInNY

Hi all,

I migrated users to a new server from CentOS 6 to Ubuntu 20.04.
All works fine except that SSL Lets Encrypt certificates do not get renewed automatically.
A manual "create" works fine.


In the pic you can see the message below about "Automatic SSL is not enabled".

According to the help docs:



server.myserver.com:/usr/local/directadmin/custombuild # service directadmin restart

server.myserver.com:/usr/local/directadmin/custombuild # cd /usr/local/directadmin

server.myserver.com:/usr/local/directadmin # ./directadmin c | grep letsencrypt=
letsencrypt=1

server.myserver.com:/usr/local/directadmin # ./directadmin c | grep pointers_own_virtualhost=
pointers_own_virtualhost=1

server.myserver.com:/usr/local/directadmin # ./directadmin c | grep admin_ssl_cert_per_vh=
admin_ssl_cert_per_vh=1

server.myserver.com:/usr/local/directadmin # ./directadmin c | grep admin_ssl_check_retries=
admin_ssl_check_retries=1

server.myserver.com:/usr/local/directadmin # ./directadmin c | grep mail_sni=
mail_sni=1


So all are with 1 entry.


The settings for mydomain.com show, I think, the correct answer?



server.myserver.com:/usr/local/directadmin # echo "action=ssl&value=admin_ssl" >> /usr/local/directadmin/data/task.queue.cb; /usr/local/directadmin/dataskq d1245 --custombuild
Debug mode. Level 1245

2021/11/17 12:14:33 info starting queues
dataskq: command: action=ssl&value=admin_ssl
Ssl::admin_poll: Admin SSL is not enabled in your license. admin_ssl_install_to_missing and admin_ssl_replace_all_expired_invalid are both disabled.
Ssl::admin_poll: START: admin_ssl_install_to_missing=0 admin_ssl_replace_all_expired_invalid=0 admin_ssl_check_retries=1 TIME=1637144073
Ssl::get_admin_ssl_poll_domain_list: Checking mydomain.com
Ssl::admin_ssl_should_domain_retry:u=alom1 d=mydomain.com



So what am I missing on this?
Any pointers on what to do to fix this?

Thanks,

-Sup.
 
This is a serious problem, why hasn't anyone noticed?

I am having the same problem.

Does anyone know how to solve the problem?
 
Automatic SSL is not the same thing as Auto-renewal of a certificate (as far as I know).
I am actually not completely sure what "Automatic SSL" should do. Because I can enable the Force SSL with https redirect but that doesn't set it to "Automatic SSL", so not completely sure. For this domain SSL=On in the config file. And all the parameters return =1.

Anyways, when you have clicked the "Disable Auto-renew" you will have to regenerate a certificate again to re-enable the auto-renew.
I wasn't able to enable auto-renew again in a different way. After that you should then see something like "Auto-renewal in 59 days".
However, I don't know if you already see this message, if you do see this and the auto-renew doesn't work you probably want to check why acme failed to renew I guess.

 

I am actually not completely sure what "Automatic SSL" should do.
Automatic SSL should automatically create an LE certificate for newly created accounts and domains.

Auto-renewal = automatic renewal of an existing certificate.

Force SSL with https redirect = what it says. If a visitor puts http in the browser, he will automatically be forcibly redirected to the https website.

So all are with 1 entry.
I'm missing the ssl=1 setting check.
and enable_ssl_sni=1 setting check.

If you keep encountering issues, I would suggest sending in a ticket for this.
 
enable_ssl_sni=1 setting check.

I want to ask: does this option still exist in DirectAdmin? DA does not even recognize this config anymore when I try to set it. I am trying to find the documentation that says this value is not used anymore.

This is a fresh install just an hour ago and I can confirm the entry is not there :)
 
It probably isn't configured/missing from the file.
I would just open the config file and search for "sni". If you can't find it just define it yourself. But I would assume it would be set to =0 by default and included in the file if it's a valid parameter.

vim /usr/local/directadmin/conf/directadmin.conf
 
I know this can be defined manually, but that is not the safest method. The official and safe method is to use the config-set or set command, as it has validation. The question is whether the value is deprecated, as happened with the disable_ip_check and show_info_in_header settings (with a recent update), both of which are not used anymore by DA.

And yes, you can edit directadmin.conf and define the 2 deprecated values I mentioned above manually too, but you would actually mess up directadmin.conf with unnecessary configs. It is best to use config-set when you want to modify directadmin.conf; that is why the command was invented.

It is actually confusing, because the config-set method should be able to tell if the internal value is 0 or 1 if the entry is not there and the value is still in use. So, this obviously looks like a bug in the config-set command if the option enable_ssl_sni is still in use.

EDIT: config-set can recognize missing entries. eg:

When you remove the entry add_userdb_quota=1 from DA and use config-set to set it:
da config-set add_userdb_quota 1

The config-set will help you to insert the new entry for add_userdb_quota. So, anything default that has no entry should be validated by config-set. So, I don't think it is necessary to manually edit directadmin.conf if the entry is not there by default.

So either this option (enable_ssl_sni) might not be used anymore with upcoming updates (the same clue I got with disable_ip_check option) OR the config-set command has a bug looking for this option in da that needs to be set manually as you said.


@fln Brief question from the above, can you check why config-set does not recognize this option enable_ssl_sni?
 
I want to ask does this option still exist in directadmin?
I don't recognize the command you gave to enable it. I've not seen that da config-set command until now, so I also still learn. :)

We normally used this one:
./directadmin set enable_ssl_sni 1

But yes, it does still exist in directadmin.conf but should be set to 1 as internal default.
 
They are all equivalent commands. The `da` command is a CLI shortcut for /usr/local/directadmin/directadmin, released since 1.63.9 https://docs.directadmin.com/change...l#command-alias-da-for-directadmin-cli-access. This is the starting CLI feature that I requested here https://feedback.directadmin.com/b/feature-requests/include-directadmin-cli-commands/ but it still has limited commands.

So, these are the same things:
da config-set enable_ssl_sni 1

=

da set enable_ssl_sni 1

=

cd /usr/local/directadmin
./directadmin set enable_ssl_sni 1

You can see the da command is a short form here and easy to use without having to navigate to the DirectAdmin binary path.

The 3 commands above gave me unrecognized options.

The enable_ssl_sni option was in 1.51.4, but I'm on the latest version 1.644 and the option is not recognized by the set command. So, I think they have gone testing that this value has to be enabled by default, and we don't have to care about this option anymore; that might be the reason it is not recognized as an option.
 
and we don't have to care about this option anymore that might be the reason it is not recognized as an option.
That's a good probability. However, normally variables mentioned in the docs could be on and off. So if you can't set it to on (which indeed gives that error) then you can't set it to off either.

Maybe it's best then to remove that from the docs.
@fln @scriptkitty ? What's the issue here?
 