DirectAdmin 1.50.0 has been released

[zmippie]

No, I didn't apply the bugfix yet. I have to read further back in this thread I guess. I did manage to get the server-wide authentication to work by providing the 5th parameter "/var/www/html" to the script. A new problem arises though, NGINX barfs "SSL_CTX_use_PrivateKey_file" because apparently the resulting pem file has been messed up (wrong order of key/cert?). I'll have to figure this out, but I'll apply the bug fix first. Thanks!

PS. Darn, I indeed see Martynas mentioning the exact issue I'm reporting here. Duh!

 

[zmippie]

To add SSL to domain pointers i did this to make it work (hope this is the good way):

Well... I don't think it's the right way. I end up with NGINX failing to accept the new certificate after adding an extra SAN:

nginx: [emerg] SSL_CTX_use_PrivateKey_file("/usr/local/directadmin/data/users/user/domains/domain.com.key") failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)
nginx: configuration file /etc/nginx/nginx.conf test failed

Key and certs were all updated after manually running the (patched) script, but invalid, it seems. I'd love to hear from Martynas if what we are after is at all provided for in the script.

 

[vancanneyt]

I'm using Apache where it worked without issues. Could be Nginx problem

 

[smtalk]

Well... I don't think it's the right way. I end up with NGINX failing to accept the new certificate after adding an extra SAN:

nginx: [emerg] SSL_CTX_use_PrivateKey_file("/usr/local/directadmin/data/users/user/domains/domain.com.key") failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)
nginx: configuration file /etc/nginx/nginx.conf test failed

Key and certs were all updated after manually running the (patched) script, but invalid, it seems. I'd love to hear from Martynas if what we are after is at all provided for in the script.

It's a good way of doing that, but it wasn't planned for 1.5 To fix the cert/key mismatch just do:

cat /usr/local/directadmin/data/users/user/domains/domain.com.key /usr/local/directadmin/data/users/user/domains/domain.com.cert > /usr/local/directadmin/data/users/user/domains/domain.com.cert.combined
service nginx restart

DA 1.50.1 will create domain.com.cert.combined automatically when letsencrypt.sh is manually run from console (DA 1.50.0 creates it only when letsencrypt.sh is ran from DA interface).

 

[Arieh]

I played with the let's encrypt feature also. When selecting let's encrypt at SSL management, you need to enter all the company and address info like normal, however that info can't be used to let's encrypt, only the e-mail address field should be left there (and maybe pre-fill in the address belonging to the DA account). That way you can enable it with a few clicks.

Also on http://www.directadmin.com/features.php?id=1828 it lists the rate limits; they are probably based on an outdated article. See a more recent article at https://community.letsencrypt.org/t/rate-limits-for-lets-encrypt/6769

 

[smtalk]

The most actual limit seems to still be the same:

Rate limit on certificates per Domain is now 5 per 7 days

About the fields in SSL management, I think John left them there in case anyone would like to use the same CSR for normal certs, however, only John knows the real answer When called from SSH, letsencrypt.sh doesn't ask you to fill any information.

 

[Arieh]

The other limit though: "Rate limit on registrations per IP is now 10 per 3 hours" which is now 500 per 3 hours.

I suppose with a few javascript lines the fields can be hidden when LE is selected.

The filled in e-mail isn't being used either I see: EMAIL="${USER}@${DOMAIN}"

 

[HolyDiver]

        rm -f "${WELLKNOWN_PATH}/${CHALLENGE_TOKEN}"

        if [ "${CHALLENGE_STATUS}" = "valid" ]; then
                echo "Challenge is valid."
        else
                echo "Challenge is ${CHALLENGE_STATUS}. Details: ${CHALLENGE_DETAIL}. Exiting..."
                exit 1
        fi

I removed the rm part to check if the tokens are even generated in /.well-known/acme-challenge/, they were there as chmoded 644 files with a string of 88 signs. The error makes no sense at all since the file is reachable for the world during the check, after which it gets removed and then it echoes an error about not being able to connect The error messages aren't helpful enough.

 

[zmippie]

It's a good way of doing that, but it wasn't planned for 1.5

OK, got it. It's nice to be ahead of the curve every once in a while

To fix the cert/key mismatch just do:

I only *just* figured that out myself and then read your answer. It seems like today is one of those days that I'm actually not ahead of the curve, rather, slightly behind all the time...

Thanks Martynas.

The filled in e-mail isn't being used either I see: EMAIL="${USER}@${DOMAIN}"

I noticed that too, and was wondering what happens to the email address in the CSR form. I guess it just goes lost.

 

[smtalk]

The filled in e-mail isn't being used either I see: EMAIL="${USER}@${DOMAIN}"

Why it isn't?

[FONT=Menlo]if [ "${CSR_CF_FILE}" != "" ] && [ -s ${CSR_CF_FILE} ]; then[/FONT]
[FONT=Menlo]        if grep -q -m1 '^emailAddress' ${CSR_CF_FILE}; then[/FONT]
[FONT=Menlo]                EMAIL="`grep '^emailAddress' ${CSR_CF_FILE} | awk '{print $3}'`"[/FONT]
[FONT=Menlo]        fi[/FONT]
[FONT=Menlo]elif [ "${CSR_CF_FILE}" = "" ] && [ -s ${SAN_CONFIG} ]; then[/FONT]
[FONT=Menlo]        if grep -q -m1 '^emailAddress' ${SAN_CONFIG}; then[/FONT]
[FONT=Menlo]                EMAIL="`grep '^emailAddress' ${SAN_CONFIG} | awk '{print $3}'`"[/FONT]
[FONT=Menlo]        fi[/FONT]
[FONT=Menlo]fi[/FONT]

 

[Webgangster]

I have enabled the SSL functie (Lets Encrypt), but there is no checkbox on the page with 'Free & automatic certificate from Let's Encrypt'.
In Users\ssl.htm is no text shown.

-----------

|*if LETSENCRYPT="1"|
<br><input type=radio name=request value="letsencrypt" disabled>Free & automatic certificate from <a class='listtitle' target=_blank href="https://letsencrypt.org/">Let's Encrypt</a></td>
|*endif|

Nobody with the same problem?

DA runs version 1.5
Lets Encrypt = 1
No radio button on de SSL page / Template is not updates

 

[Erulezz]

Nobody with the same problem?

DA runs version 1.5
Lets Encrypt = 1
No radio button on de SSL page / Template is not updates

letsencrypt=1?

Did you restart DA after the config change?

 

[Arieh]

Why it isn't?

[FONT=Menlo]if [ "${CSR_CF_FILE}" != "" ] && [ -s ${CSR_CF_FILE} ]; then[/FONT]
[FONT=Menlo]        if grep -q -m1 '^emailAddress' ${CSR_CF_FILE}; then[/FONT]
[FONT=Menlo]                EMAIL="`grep '^emailAddress' ${CSR_CF_FILE} | awk '{print $3}'`"[/FONT]
[FONT=Menlo]        fi[/FONT]
[FONT=Menlo]elif [ "${CSR_CF_FILE}" = "" ] && [ -s ${SAN_CONFIG} ]; then[/FONT]
[FONT=Menlo]        if grep -q -m1 '^emailAddress' ${SAN_CONFIG}; then[/FONT]
[FONT=Menlo]                EMAIL="`grep '^emailAddress' ${SAN_CONFIG} | awk '{print $3}'`"[/FONT]
[FONT=Menlo]        fi[/FONT]
[FONT=Menlo]fi[/FONT]

You're right of course.

In that case it should hide all other fields except email. And the server-side check modified.

 

[HolyDiver]

Webgangster, have you rewritten your confis?

./build rewrite_configs

{"type":"http-01","status":"invalid","error":{"type":"urn:acme:error:connection","detail":"Could not connect to http://example.com/.well-known/acme-challenge/FIPXfnUYnP-0dRB9b3x7ayjS1Hrqoupfl2oHpyOClCc"},"uri":"https://acme-v01.api.letsencrypt.org/acme/challenge/7RQNPzjQiks1-DadrPVrP6xQgiXWEcW2zc_VD51Cj8U/18860782","token":"FIPXfnUYnP-0dRB9b3x7ayjS1Hrqoupfl2oHpyOClCc","keyAuthorization":"FIPXfnUYnP-0dRB9b3x7ayjS1Hrqoupfl2oHpyOClCc.5DN7NgwFmPM3Qe94l4n6PFWZoW1Yx3bDH19GIEiGVxA","validationRecord":[{"url":"http://example.com/.well-known/acme-challenge/FIPXfnUYnP-0dRB9b3x7ayjS1Hrqoupfl2oHpyOClCc","hostname":"example.com","port":"80","addressesResolved":["181.xx.278.xxx"],"addressUsed":"181.xx.278.xx"}]}

I'm on a dead end

 

[Webgangster]

letsencrypt=1?

Did you restart DA after the config change?

Yes, i have restared DA after the config change.

Webgangster, have you rewritten your confis?

./build rewrite_configs

I'm on a dead end

Yes, i have rewrites the configs, no effect.
If i run 'grep well /etc/httpd/conf/extra/httpd-alias.conf', there is nothing shown.

 

[smtalk]

Nobody with the same problem?

DA runs version 1.5
Lets Encrypt = 1
No radio button on de SSL page / Template is not updates

Please change your skin to enhanced if it's set to any other. Please also check:

/usr/local/directadmin/directadmin c | grep letsencrypt

 

[Webgangster]

Please change your skin to enhanced if it's set to any other. Please also check:

/usr/local/directadmin/directadmin c | grep letsencrypt

Thanks, its return a 0.
letsencrypt=1 moved to line 2, DA restarted and it works now!

 

[ditto]

In that case it should hide all other fields except email. And the server-side check modified.

+1 for that. I wanted to hide all the other fields in my custom skin under a link by using css, and unless that link is clicked (it could be called "advanced configuration other then letsencrypt") it will only show letsenrypt needed stuff. So to bad all the other fields are still needed, even though they actually are not ...

 

[HolyDiver]

Should port 443 be open on apache when requesting letsencrypt.sh?

 

[Active8]

I faced the same. A cert will be generated for www.srv1.myserver.com and srv1.myserver.com. So just add an A-type record for www in srv1.myserver.com zone on your authoritative NS servers.

Strange isnt it ?

so i have to add www.srv1 A record to my DNS ?