Let's encrypt uses port 80 for domain verification. However, outgoing port 443 must be open in your firewall, otherwise let's encrypt script won't be able to connect to the API.
DirectAdmin 1.50.0 has been released
- Thread starter DirectAdmin Support
- Start date
Let's encrypt uses port 80 for domain verification. However, outgoing port 443 must be open in your firewall, otherwise let's encrypt script won't be able to connect to the API.
Why is it strange? DA always created these records for hostname. Please check:
Code:
cat /var/named/[B]your.hostname.com.db[/B]There you should see all the records, unless you removed the zone manually. The problem is that you're using an external DNS server, and you don't have an identical zone file there.
Active8
Verified User
- Joined
- Jul 13, 2013
- Messages
- 1,828
Its fixed now and the certificate is installed, but this one will not get auto-renewed i assume
Is it possible to automate this by cron ? if yes could you give some example how to do that ?
Thank for your time and great product
HolyDiver
Verified User
- Joined
- Feb 21, 2016
- Messages
- 51
Code:
root@server:~# netstat -tulpn | grep :443
tcp 0 0 127.0.0.1:443 0.0.0.0:* LISTEN 1854/nginx.conf
tcp 0 0 181.xx.278.xx:443 0.0.0.0:* LISTEN 1854/nginx.conf
tcp6 0 0 ::1:443 :::* LISTEN 1854/nginx.confIts fixed now and the certificate is installed, but this one will not get auto-renewed i assume
Is it possible to automate this by cron ? if yes could you give some example how to do that ?
Thank for your time and great product
It will auto-renew
If you'd like to test it, change /usr/local/directadmin/conf/ca.creation_time to an old time (timestamp) and run:
Code:
cd /usr/local/directadmin
echo "action=rewrite&value=letsencrypt" >> data/task.queue; ./dataskq d2000No, it cannot be the reason
Let's encrypt doesn't depend on the WWW server type (nginx/apache/litespeed). If you run modsecurity together with nginx_apache, please try turning it off, we've received several reports (not confirmed yet) about modsecurity causing issues with let's encrypt.
HolyDiver
Verified User
- Joined
- Feb 21, 2016
- Messages
- 51
This is the complete error I'm getting with SHA256 and 4096 bits
Code:
e is 65537 (0x10001)
problems making Certificate Request
140277613172368:error:0D07A098:asn1 encoding routines:ASN1_mbstring_ncopy:string too short:a_mbstr.c:147:minsize=1
/usr/local/directadmin/data/users/USER/domains/example.com.csr: No such file or directory
140363474167440:error:02001002:system library:fopen:No such file or directory:bss_file.c:398:fopen('/usr/local/directadmin/data/users/USER/domains/example.com.csr','r')
140363474167440:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400:
Size of certificate response is smaller than 500 characters, it means something went wrong. Printing response...
"detail":"Error unmarshaling certificate request"HolyDiver
Verified User
- Joined
- Feb 21, 2016
- Messages
- 51
I randomly tried "example.com" instead of "www.example.com" as common name and my certificate got created! I'm not sure if it makes any sense?
Thanks for the help! I hope I also provided some useful feedback to the DA team or any reader who stumbled upon similar problems.
Thanks for the help! I hope I also provided some useful feedback to the DA team or any reader who stumbled upon similar problems.
Tristan
Verified User
Wow, the "Direct ~/imap backup without copy" is really amazing. On SSD servers where we backup to old fashioned HDD resulting in a ~170GB of admin backup files it used to take 18 hours to complete. Now with this new feature it took just 3,5 hours!
I used Lets Encrypt with a couple of website now, everything is working perfectly. Suggestion is to make the letsencrypt request a ajax or background method. It did take about 20-25 seconds to process and some people cannot wait patiently. Or make a notification to wait a few moments till the process is completed.
Also a nice functionality is to check which users currently have a SSL certificate, something like All Users Cron Jobs but for SSL.
Also a nice functionality is to check which users currently have a SSL certificate, something like All Users Cron Jobs but for SSL.
Last edited:
redjersey
Verified User
not sure if this has been answered, but yes, you can issue ssl for your subdomain, the only condition is that you have to add your subdomain using "add a domain" (domain management) you can't create your subdomain using the subdomain management.
As a workaround for the 'invalid challenge' we're currently using the following:
iptables -t nat -I PREROUTING -s 66.133.109.36 -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080
With this rule the LetsEncrypt validation server will skip nginx+mod_security and directly go to apache
iptables -t nat -I PREROUTING -s 66.133.109.36 -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080
With this rule the LetsEncrypt validation server will skip nginx+mod_security and directly go to apache
ZipperZapper
Verified User
- Joined
- Nov 30, 2015
- Messages
- 142
Make sure you don't have anything like the following in your custom templates, because it'd return 403 error then:
Code:location ~ /\. { deny all; }
You get 404, so I think it's still related to the alias thing
I indeed first got 403's because of the line you mention, which is recommended by WordPress to use. After I temporary disabled that, they turned into 404's. Haven't had the time yet to troubleshoot further, but it has to be WordPress-related. Other sites that aren't WordPress got new certs just fine.
Here's a guide for the Let's Encrypt feature I wrote: https://raymii.org/s/articles/Lets_Encrypt_Directadmin_Now_Built_In.html
So John, what is the difference in static and dynamic binaries for Debian 8, and why do you choose to build Directadmin as a static binary normally?
So John, what is the difference in static and dynamic binaries for Debian 8, and why do you choose to build Directadmin as a static binary normally?
- Joined
- Feb 27, 2003
- Messages
- 8,509
Static vs Dynamic:
Dynamic: DA links to the libraries that you have on your system. This means you can update those libraries and DA would automatically use them after you restart it.
Downside is that if the version of a linked library is too vastly different, DA may not be able to read it and won't be able to start up. Bonus is also smaller DA binaries.
Static: All libraries that DA needs are stored right inside the binaries themselves. Things like MySQL can be handy to keep internally in DA, so you can change anything you want with the MySQL client libraries on your system, and DA doesn't need to worry about it. Some issues can arise if your kernel is different, and DA's statically loaded libraries "assume" they'll be talking with the kernel based on our build system, but your OS may have slight variances preventing the binaries from running.
So there are pros and cons to both, but the majority of the DA binaries are dynamic, as things tend to stay fairly consistent within a major OS release. But with had to do some MySQL update tricker back when the libmysqlclient.so files went from libmysqlclient.so.16 to libmysqlcient.so.18, as DA was compiled against 16, but if MySQL client was updated on a box, it would install 18 and DA wouldn't be able to start, so the trickery involves keeping a 16 instance on standby beside 18, so DA can link to it directly.
John
Dynamic: DA links to the libraries that you have on your system. This means you can update those libraries and DA would automatically use them after you restart it.
Downside is that if the version of a linked library is too vastly different, DA may not be able to read it and won't be able to start up. Bonus is also smaller DA binaries.
Static: All libraries that DA needs are stored right inside the binaries themselves. Things like MySQL can be handy to keep internally in DA, so you can change anything you want with the MySQL client libraries on your system, and DA doesn't need to worry about it. Some issues can arise if your kernel is different, and DA's statically loaded libraries "assume" they'll be talking with the kernel based on our build system, but your OS may have slight variances preventing the binaries from running.
So there are pros and cons to both, but the majority of the DA binaries are dynamic, as things tend to stay fairly consistent within a major OS release. But with had to do some MySQL update tricker back when the libmysqlclient.so files went from libmysqlclient.so.16 to libmysqlcient.so.18, as DA was compiled against 16, but if MySQL client was updated on a box, it would install 18 and DA wouldn't be able to start, so the trickery involves keeping a 16 instance on standby beside 18, so DA can link to it directly.
John
Seems good, right?
But visiting https://www.klompenfabriek.nl still doesn't show valid certificate
Tried with both letsencrypt=1 and =2
Manually restarting apache isn't helping either
gsdiradmin
Verified User
You have to enable SSL in domain setup or you spell wrong domain name.
Doh! Something simple I've overlooked. Can't this be done automatically by DA when a user creates a certificate? Or at least give a notice?
Maybe Raymii can add this do his guide too..