DirectAdmin 1.50.0 has been released

[vancanneyt]

SSL rules haven't changed, but you can enable SNI if your OS supports it (most new ones do)
http://www.directadmin.com/features.php?id=1100

John

I'm on CentOS 6.7, Apache 2.4, OpenSSL 1.0.1e. So SNI should be supported. Enabled it in directadmin.conf (enable_ssl_sni=1), rewrote configs with ./build rewrite_confs and restarted DirectAdmin. SSL certificate page on user level still gives same error 'Cannot Execute Your Request - You can only add a certificate if you own the ip you are using'

Update: okay, after some digging i had to enable ssl in domain administration as well, then a rewrite_confs to get it working

 

[Active8]

@vancanneyt
I have the same config as you on 2 different servers and it works fine, definitely something wrong with your server config

 

[smtalk]

I'm on CentOS 6.7, Apache 2.4, OpenSSL 1.0.1e. So SNI should be supported. Enabled it in directadmin.conf (enable_ssl_sni=1), rewrote configs with ./build rewrite_confs and restarted DirectAdmin. SSL certificate page on user level still gives same error 'Cannot Execute Your Request - You can only add a certificate if you own the ip you are using'

Please check the output of:

/usr/local/directadmin/directadmin c | grep enable_ssl_sni

 

[HolyDiver]

What error do you get?

Currently I see an error on one server of the following kind:

Command::doCommand(/CMD_SSL)Domain domain.com  defaultdomain=yes usertype=2 multiple_ips=0 enable_ssl_sni=1
Dynamic(api=0, error=1):
        text='Cannot Execute Your Request'
        result='Getting challenge for domain.com from acme-server...<br>
Waiting for domain verification...<br>
Challenge is invalid. Details: Could not connect to http://domain.com/.well-known/acme-challenge/R4eaNjBi9gwB6Tio-Ui3qtvi4HIStPU46gvsX8RFHKI. Exiting...

What might it be caused by?

I have the same error on Debian Jessie with apache 2.4, nginx reverse proxy and OpenSSL 1.0.1k.

 

[HolyDiver]

What error do you get?

Currently I see an error on one server of the following kind:

Command::doCommand(/CMD_SSL)Domain domain.com  defaultdomain=yes usertype=2 multiple_ips=0 enable_ssl_sni=1
Dynamic(api=0, error=1):
        text='Cannot Execute Your Request'
        result='Getting challenge for domain.com from acme-server...<br>
Waiting for domain verification...<br>
Challenge is invalid. Details: Could not connect to http://domain.com/.well-known/acme-challenge/R4eaNjBi9gwB6Tio-Ui3qtvi4HIStPU46gvsX8RFHKI. Exiting...

at the same too 200 code in logs:

66.133.109.36 - - [21/Feb/2016:18:50:36 +0600] "GET /.well-known/acme-challenge/R4eaNjBi9gwB6Tio-Ui3qtvi4HIStPU46gvsX8RFHKI HTTP/1.1" 200 108 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"

What might it be caused by?

I have the same error with Debian Jessie, apache 2.4, nginx reverse proxy and OpenSSL 1.0.1k.

 

[vancanneyt]

added an extra line ending and after restart it suddenly worked

@smtalk: certificate generation is only for one domain. I got a few domains with domain aliases, how do we get those domains on ssl?

 

[ZipperZapper]

I tried this with one site that didn't had a certificate before, and it was working fine.

On another site that has a valid cert allready, i get a 404 for the Let's Encrypt challenge. Worth noting that this site is redirected to https://.
I couldn't find the alias to /.well-known anywhere, is it possible it doesn't work for https? Where should I edit things?

By the way, got a 403 first, turned out WordPress blocks access to '.' folders. Something to keep in mind for people reading this.

 

[smtalk]

There seems to be a bug with DA 1.50 and letsencrypt=1 option, to fix it, pelase use:

perl -pi -e 's|DOCUMENT_ROOT=\$5|DOCUMENT_ROOT=/var/www/html|' /usr/local/directadmin/scripts/letsencrypt.sh

 

[zEitEr]

Martynas,

Not too sure what supposes this fix to do, but it does nothing for issue reported here: https://forum.directadmin.com/showthread.php?t=52723&p=270565#post270565

 

[Frej]

ZipperZapper

same here, i had letsencrypt ssl before(installed in december) i attempted to install another one from 1.50 da feature
my site now got alot of issues because of the ssl failure to generate.

i have =2 please my site has been down for hours

 

[smtalk]

Make sure you don't have alias for .well-known in /etc/nginx/webapps.conf and /etc/httpd/conf/httpd-alias.conf if you use letsencrypt=2 option.

Frej, if your webserver is down, DA won't be able to communicate to let's encrypt server. Turn SSL off or remove the cert for the affected domain and your webserver should become up.

 

[Frej]

theres no alias there

edit. nginx is still working normally in my other sites that doesnt use ssl.its just that its pointing to a wrong ssl for some reason. but it doesnt actually generate certificate

Make sure you don't have alias for .well-known in /etc/nginx/webapps.conf and /etc/httpd/conf/httpd-alias.conf if you use letsencrypt=2 option.

Frej, if your webserver is down, DA won't be able to communicate to let's encrypt server. Turn SSL off or remove the cert for the affected domain and your webserver should become up.

 

[Frej]

Challenge is invalid. Details: Invalid response from http://
i dont have private_html though. only public html so for some reason everytime i attempt to generate a new certificate it rewrite my nginx config which isnt disireable and changes root directory yo private.

screenshot: http://i.imgur.com/fw3bpsV.png

 

[zEitEr]

Make sure you don't have alias for .well-known in /etc/nginx/webapps.conf and /etc/httpd/conf/httpd-alias.conf if you use letsencrypt=2 option.

Martynas,

Let's Encrypt validation server can read the correct file, but for some reason it does not like its content. There is HTTP 200 code in logs.


66.133.109.36 - - [21/Feb/2016:22:19:42 +0600] "GET /.well-known/acme-challenge/52GjlKG38oJE4odTriM_74gxqdaw8NohA-CJWfH_wjY HTTP/1.0" 200 379 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"

 

[HolyDiver]

Martynas,

Let's Encrypt validation server can read the correct file, but for some reason it does not like its content. There is HTTP 200 code in logs.


66.133.109.36 - - [21/Feb/2016:22:19:42 +0600] "GET /.well-known/acme-challenge/52GjlKG38oJE4odTriM_74gxqdaw8NohA-CJWfH_wjY HTTP/1.0" 200 379 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"

The same here (using letsencrypt=1 by the way)

66.133.109.36 - - [21/Feb/2016:18:09:56 +0100] "GET /.well-known/acme-challenge/IqWT8rzm3zj99TI51Gju3oFZzSZHro7oIAVudaDdB_M HTTP/1.0" 200 379 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"

 

[smtalk]

zEitEr, make sure that both apache and nginx have alias for .well-known, it might be that apache has a custom /etc/httpd/conf/extra/httpd-alias.conf file without .well-known there

 

[smtalk]

Also, please make sure everything is okay with DNS for www.domain.com and domain.com (https://community.letsencrypt.org/t...fy-the-domain-server-failure-at-resolver/8230), and that it's not under CDN (like cloudflare).

 

[Frej]

dns are correct, still issues. no cdn here

 

[zEitEr]

I've completely cleared

/etc/nginx/webapps.conf
/etc/nginx/webapps.hostname.conf
/etc/nginx/webapps.ssl.conf
/etc/nginx/webapps_settings.conf

-rw-r--r-- 1 root root 0 Feb 21 23:50 /etc/nginx/webapps.conf
-rw-r--r-- 1 root root 0 Feb 21 23:50 /etc/nginx/webapps.hostname.conf
-rw-r--r-- 1 root root 0 Feb 21 23:50 /etc/nginx/webapps_settings.conf
-rw-r--r-- 1 root root 0 Feb 21 23:50 /etc/nginx/webapps.ssl.conf

And validation successed.


Then run:

/usr/local/directadmin/custombuild/build rewrite_confs

and the files re-created:

-rw-r--r-- 1 root root 2290 Feb 21 23:53 /etc/nginx/webapps.conf
-rw-r--r-- 1 root root  295 Feb 21 23:53 /etc/nginx/webapps.hostname.conf
-rw-r--r-- 1 root root  321 Feb 21 23:53 /etc/nginx/webapps_settings.conf
-rw-r--r-- 1 root root 2293 Feb 21 23:53 /etc/nginx/webapps.ssl.conf

And validation for another domain successed.

Did you change/add the location in nginx?

        location /.well-known {
                root /var/www/html/;
                index index.php index.html index.htm;
                location ~ ^/.well-known/ {
                        access_log off;
                set $my_server_addr $server_addr;
                if ($server_addr ~ ^[0-9a-fA-F:]+$) { set $my_server_addr [$server_addr]; }
                        proxy_pass http://$my_server_addr:8080;
                        proxy_set_header X-Client-IP      $remote_addr;
                        proxy_set_header X-Accel-Internal /.well-known/nginx_static_files;
                        proxy_set_header Host        $host;
                        proxy_set_header X-Forwarded-For  $proxy_add_x_forwarded_for;
                }
                location ~ ^/.well-known/nginx_static_files/ {
                        access_log  /var/log/nginx/access_log_proxy;
                        alias       /var/www/html/;
                        internal;
                }
        }

recently (10-20-30 minutes ago)?

 

[Active8]

There seems to be a bug with DA 1.50 and letsencrypt=1 option, to fix it, pelase use:

perl -pi -e 's|DOCUMENT_ROOT=\$5|DOCUMENT_ROOT=/var/www/html|' /usr/local/directadmin/scripts/letsencrypt.sh

What is the bug exactly ? everything seems fine here, is it mandatory to apply this patch ?