DirectAdmin 1.50.0 has been released

ZipperZapper said:
Tried this one, still get a 404 on .well-known? I checked /etc/nginx/webapps.conf and the alias seems to be there. I do use custom nginx-templates, but they all include webapps.conf so it should be good?

I get the feeling WordPress is messing things up here, because I tried another site (with a Piwik install) and there were no problems there. Going to investigate this more now.
Click to expand...

Make sure you don't have anything like the following in your custom templates, because it'd return 403 error then:
Code: 
location ~ /\. { deny  all; }

You get 404, so I think it's still related to the alias thing :) (I can check it directly on your sever if you'd like me to)
 
Active8 said:
Can you please tell me the difference between the domain certificate and de server-level certificate ? im confused

I have set up now as:

hostname: srv1.myserver.com
I did generate for this domain (in user mode in DA) myserver.com a SSL certificate is this not sufficient ? the main website myserver.com is working with teh new generated SSL, must i do the server-level certificate as you meant before ?
Click to expand...

You shouldn't have your server hostname added as a domain in DirectAdmin. That's why you cannot generate an SSL certificate for your hostname directly in DirectAdmin.
 
HolyDiver said:
If I navigate with my browser to example.com/.well-known/ or example.com/.well-known/acme-challenge/, is it normal it returns a 403 Forbidden? Could that interfere with the process?

(Using letsencrypt=1)
Click to expand...

Please read my reply above about the error 403. Any files placed in /var/www/html/.well-known/acme-challenge should be reachable to the world, for example, if you place /var/www/html/.well-known/acme-challenge/test.txt file on the server, you should be able to see it's contents when accessing http://www.domain.com/.well-known/acme-challenge/test.txt.
 
smtalk said:
You shouldn't have your server hostname added as a domain in DirectAdmin. That's why you cannot generate an SSL certificate for your hostname directly in DirectAdmin.
Click to expand...

So the only option is than create with:
cd /usr/local/directadmin/scripts
./letsencrypt.sh request your.hostname.com 4096
Click to expand...

Will it harm the first one ? (one with www.myserver.com ? )
what are my options ?
 
smtalk said:
Please read my reply above about the error 403. Any files placed in /var/www/html/.well-known/acme-challenge should be reachable to the world, for example, if you place /var/www/html/.well-known/acme-challenge/test.txt file on the server, you should be able to see it's contents when accessing http://www.domain.com/.well-known/acme-challenge/test.txt.
Click to expand...
I don't have /var/www/html/.well-known/acme-challenge, even after doing another rewrite_confs

Code: 
root@server:/var/www/html# ls
index.html  phpMyAdmin-4.4.15-all-languages  roundcube
phpMyAdmin  redirect.php                     roundcubemail-1.1.4

Could this be why it's not working? If so, should I make the folders myself and chown them to webapps:webapps?
 
HolyDiver said:
I don't have /var/www/html/.well-known/acme-challenge, even after doing another rewrite_confs

Code: 
root@server:/var/www/html# ls
index.html  phpMyAdmin-4.4.15-all-languages  roundcube
phpMyAdmin  redirect.php                     roundcubemail-1.1.4

Could this be why it's not working? If so, should I make the folders myself and chown them to webapps:webapps?
Click to expand...

Hm.. DirectAdmin should create the directory for you. Please do "ls -a" instead of just "ls" to list hidden folder as well (folders starting with a dot).
 
smtalk said:
It won't harm the first one, because they should differ :) For example, your hostname is server1.myserver.com and your domain is myserver.com.
Click to expand...

get a error here:

Account has been registered.
Getting challenge for srv1.myserver.com from acme-server...
Waiting for domain verification...
Challenge is valid.
Getting challenge for www.srv1.myserver.com from acme-server...
Waiting for domain verification...

Challenge is invalid. Details: DNS problem: NXDOMAIN looking up A for www.srv1.myserver.com. Exiting...

Where the hell he find www.srv1 ? i did not have this in my DNS it should be srv1. only that exist in my DNS
 
Last edited:
smtalk said:
Hm.. DirectAdmin should create the directory for you. Please do "ls -a" instead of just "ls" to list hidden folder as well (folders starting with a dot).
Click to expand...
Oh, the folder does exist. The folder was chmoded to 711 hence the 403 error, setting it to 755 made the test.txt reachable for the world , but it still gives me the same "Could not connect" error when I run letsencrypt.sh.
 
HolyDiver said:
Oh, the folder does exist. The folder was chmoded to 711 hence the 403 error, setting it to 755 made the test.txt reachable for the world , but it still gives me the same "Could not connect" error when I run letsencrypt.sh.
Click to expand...
Also the folder and everything underneath is owned by the root owner and group, is that a correct setting?

(Sorry for double post, I don't have an edit button on my posts)
 
i just used 777 and it works now thanks
i was hoping DA script could just chmode those folders correctly though
HolyDiver said:
Also the folder and everything underneath is owned by the root owner and group, is that a correct setting?

(Sorry for double post, I don't have an edit button on my posts)
Click to expand...
 
Active8 said:
Challenge is invalid. Details: DNS problem: NXDOMAIN looking up A for www.srv1.myserver.com. Exiting...

Where the hell he find www.srv1 ? i did not have this in my DNS it should be srv1. only that exist in my DNS
Click to expand...


I faced the same. A cert will be generated for www.srv1.myserver.com and srv1.myserver.com. So just add an A-type record for www in srv1.myserver.com zone on your authoritative NS servers.
 
smtalk said:
No, it was added 11 days ago. CB 2.0 rev. 1496.
Click to expand...

That's weird, looking through the history I see the steps were correct:

Code: 
  824  2016-02-21 18:36:02  /usr/local/directadmin/directadmin c | grep let
  825  2016-02-21 18:36:19  service directadmin restart
 [COLOR=#d3d3d3] 826  2016-02-21 18:36:28  <skipped>[/COLOR]
  827  2016-02-21 18:36:34  ./build rewrite_confs
 [COLOR=#d3d3d3] 828  2016-02-21 18:40:00  host <hostname>
  829  2016-02-21 18:40:04  ifconfig
  830  2016-02-21 18:41:31  touch test.html[/COLOR]
  831  2016-02-21 18:46:53  ps aux | grep nginx
  832  2016-02-21 18:47:12  service nginx restart

I was able to browse the files. And 200 HTTP code in nginx/apache logs... then suddenly is started to work.
 
Active8 said:
get a error here:

Account has been registered.
Getting challenge for srv1.myserver.com from acme-server...
Waiting for domain verification...
Challenge is valid.
Getting challenge for www.srv1.myserver.com from acme-server...
Waiting for domain verification...

Challenge is invalid. Details: DNS problem: NXDOMAIN looking up A for www.srv1.myserver.com. Exiting...

Where the hell he find www.srv1 ? i did not have this in my DNS it should be srv1. only that exist in my DNS
Click to expand...

DA creates a DNS zone for hostname having www, smtp, mail, pop, ftp A records by default. That's why letsencrypt.sh tries to setup the cert for all of them and assign to appropriate services (dovecot, exim, pureftpd/proftpd, nginx/apache).
 
Let's Encrypt feature conflict with modSecurity feature?

Because I tried use modsecurity and letsencrypt in the same time but it show error "Could not connect to ...".

I disabled modsecurity it work fine.
 
mystck said:
Let's Encrypt feature conflict with modSecurity feature?

Because I tried use modsecurity and letsencrypt in the same time but it show error "Could not connect to ...".

I disabled modsecurity it work fine.
Click to expand...

It shouldn't conflict, it's likely that a restart of nginx/apache was enough to solve the issue.
 
smtalk said:
Please read my reply above about the error 403. Any files placed in /var/www/html/.well-known/acme-challenge should be reachable to the world
Click to expand...

Martynas, I had to figure this out on my own. I had been playing (succesfully) with the standalone LetsEncrypt webroot authentication method earlier on, and there was already a /var/www/html/.well-known directory. I removed that after getting some errors (I had done some manual edits to the httpd configs, and they were conflicting). When I eventually traced the alias in the web-apps include (coincidentally the same method I used myself), I ended up with the 403 error. I noticed that the DA script creates /.well-known/acme-challenge (and the token file, for a short moment) but sets the permissions of all of these to 711, meaning they're not world-readable, hence the 403. I had to change the permissions to 705 to get this working.
This is on a server running nginx BTW (so the ".htaccess" that was created in /.well-known seems a little out of place...). So, is the script setting the wrong permissions on /.well-known? (/var/html has 755, why did the script make /.well-known 711?).
 
zmippie yeah, i had ssl before 1.5 update and had the well known folder too. DA script does create folders but with wrong permission.
i told john about this issue
 
vancanneyt said:
To add SSL to domain pointers i did this to make it work (hope this is the good way):
Click to expand...

Thanks for posting this, I was after the same thing (I want to add "mail." and "smtp."). Unfortunately, it doesn't work because strangely enough, "renew" seems to only accept the per-domain webroot authentication method (letsencrypt=2):

Code: 
./letsencrypt.sh renew mydomain.com 4096

Results in:

Code: 
Cannot find /home/user/domains/mydomain.com/public_html/.well-known/acme-challenge. Create this path, ensure it's chowned to the User.

So, vancanneyt, am I right in assuming you're using "letsencrypt=2"?

If renew isn't working for the server-wide webroot authentication method (letsencrypt=1), then there will be problems in 85 days...

PS. There's a little typo in letsencrypt.sh at the end: "The services will be retarted in about 1 minute via the dataskq." I think it should either be "retarded" or "restarted" ;)

PS2. I see this on line 246: "#For hostname, we add www, mail, ftp, pop, smtp to the SAN". Hmmm... how to trigger that?

PS3. I see that despite the "Usage" comment, the script accepts more parameters, including document root.
 
Last edited:
@zmippie: on my server the directadmin option is letsencrypt=1. Did u Apply the bugfix smtalk posted earlier? That fixes the error u have ;)
 
You must log in or register to reply here.
Back
Top