Directadmin added domain site ends up using main hostname's Letsencrypt SSL cert?

eva2000

Verified User
Joined
Jul 1, 2019
Messages
93
DirectAdmin noob adding his first domain setup via DirectAdmin User control panel :)

Background
  • Directadmin was installed with hostname configured as hostname.domain.com with letsencrypt SSL cert setup as outlined here. Specifically
    Code:
    cd /usr/local/directadmin/scripts
    dahostname=hostname.yourdomain.com
    ./letsencrypt.sh request_single $dahostname 4096
  • New domain added was a subdomain name as subdomain1.domain.com via User level access via Account Manager > Domain Setup with SSL checkbox enabled.
Problem
  • The new subdomain1.domain.com ends up using the Letsencrypt SSL certificate issued to the hostname.domain.com and not as subdomain1.domain.com ? Am I meant to also manually run
    Code:
    cd /usr/local/directadmin/scripts
    vhostname=subdomain1.yourdomain.com
    ./letsencrypt.sh request_single $vhostname 2048
    I thought if I enabled Letsencrypt it would automatically do this step if SSL is checked ?
    Code:
    egrep 'enable_ssl_sni=|letsencrypt=' /usr/local/directadmin/conf/directadmin.conf
    letsencrypt=1


And resulting vhost below see it's using the main hostname's SSL certs ?
Code:
        SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
        SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
        SSLCACertificateFile /etc/httpd/conf/ssl.crt/server.ca
        ServerName www.subdomain.domain.com
Code:
# Auto generated apache config file by DirectAdmin version 1.57.5
# Modifying this file is not recommended as any changes you make will be
# overwritten when the user makes any changes to their website

# For global config changes that affect all Users, see this guide:
# http://help.directadmin.com/item.php?id=2
# For local config changes that only affect one User, see this guide:
# http://help.directadmin.com/item.php?id=3


<Directory "/home/admin/public_html">
                <FilesMatch "\.(inc|php|phtml|phps|php73)$">
                        AddHandler "proxy:unix:/usr/local/php73/sockets/admin.sock|fcgi://localhost" .inc .php .phtml .php73
                </FilesMatch> 
        <IfModule mod_fcgid.c>
                SuexecUserGroup admin admin
        </IfModule>
</Directory>

<VirtualHost SERVERIP:80 >
        ServerName www.subdomain.domain.com
        ServerAlias www.subdomain.domain.com subdomain.domain.com 
        ServerAdmin webmaster@subdomain.domain.com
        DocumentRoot /home/admin/domains/subdomain.domain.com/public_html
        UseCanonicalName OFF
        <IfModule !mod_ruid2.c>
                SuexecUserGroup admin admin
        </IfModule>
        CustomLog /var/log/httpd/domains/subdomain.domain.com.bytes bytes
        CustomLog /var/log/httpd/domains/subdomain.domain.com.log combined
        ErrorLog /var/log/httpd/domains/subdomain.domain.com.error.log
        <Directory /home/admin/domains/subdomain.domain.com/public_html>
                AllowOverride AuthConfig FileInfo Indexes Limit Options=Indexes,IncludesNOEXEC,MultiViews,SymLinksIfOwnerMatch,FollowSymLinks,None
                Options -ExecCGI -Includes +IncludesNOEXEC
                <FilesMatch "\.(inc|php|phtml|phps|php73)$">
                        <If "-f %{REQUEST_FILENAME}">
                                #ProxyErrorOverride on
                                AddHandler "proxy:unix:/usr/local/php73/sockets/admin.sock|fcgi://localhost" .inc .php .phtml .php73
                        </If>
                </FilesMatch>
        </Directory>
</VirtualHost>

<VirtualHost SERVERIP:443 >
        SSLEngine on
        SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
        SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
        SSLCACertificateFile /etc/httpd/conf/ssl.crt/server.ca
        ServerName www.subdomain.domain.com
        ServerAlias www.subdomain.domain.com subdomain.domain.com 
        ServerAdmin webmaster@subdomain.domain.com
        DocumentRoot /home/admin/domains/subdomain.domain.com/private_html
        UseCanonicalName OFF
        <IfModule !mod_ruid2.c>
                SuexecUserGroup admin admin
        </IfModule>
        CustomLog /var/log/httpd/domains/subdomain.domain.com.bytes bytes
        CustomLog /var/log/httpd/domains/subdomain.domain.com.log combined
        ErrorLog /var/log/httpd/domains/subdomain.domain.com.error.log
        <Directory /home/admin/domains/subdomain.domain.com/private_html>
                AllowOverride AuthConfig FileInfo Indexes Limit Options=Indexes,IncludesNOEXEC,MultiViews,SymLinksIfOwnerMatch,FollowSymLinks,None
                Options -ExecCGI -Includes +IncludesNOEXEC
                <FilesMatch "\.(inc|php|phtml|phps|php73)$">
                        <If "-f %{REQUEST_FILENAME}">
                                #ProxyErrorOverride on
                                AddHandler "proxy:unix:/usr/local/php73/sockets/admin.sock|fcgi://localhost" .inc .php .phtml .php73
                        </If>
                </FilesMatch> 
        </Directory>
</VirtualHost>
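
A quick way to spot the condition shown in the vhost above, as an added example that is not part of the original post or DirectAdmin's own tooling: it lists every `:443` VirtualHost whose `SSLCertificateFile` is still the server-wide certificate. The function names, the `subdomain2` host and the `/example/certs/` path are constructed for illustration.

```shell
#!/bin/sh
# Server-wide certificate path, as shown in the vhost on this page.
DEFAULT_CERT=/etc/httpd/conf/ssl.crt/server.crt

# find_shared_cert_vhosts CONF [CERT]
# Prints "ServerName<TAB>cert path" for each <VirtualHost ...:443> block whose
# SSLCertificateFile equals CERT. Pass "-" as CONF to read the config on stdin.
find_shared_cert_vhosts() {
    awk -v want="${2:-$DEFAULT_CERT}" '
        /^[ \t]*#/ { next }                           # skip comment lines
        tolower($1) == "<virtualhost" {
            in_vh = 1; name = ""; cert = ""
            ssl = ($0 ~ /:443[ \t>]/)                 # HTTPS listeners only
            next
        }
        in_vh && tolower($1) == "servername"         { name = $2 }
        in_vh && tolower($1) == "sslcertificatefile" { cert = $2 }
        tolower($1) == "</virtualhost>" {
            # Report at block end so directive order inside the block is irrelevant.
            if (in_vh && ssl && cert == want) print name "\t" cert
            in_vh = 0
        }
    ' "$1"
}

# Constructed sample config: one HTTPS vhost on the shared certificate and one
# on a per-domain certificate (placeholder path, not a real DirectAdmin path).
sample_conf() {
    cat <<'EOF'
# Constructed sample, modelled on the vhost in this thread
<VirtualHost SERVERIP:80 >
        ServerName www.subdomain1.domain.com
</VirtualHost>
<VirtualHost SERVERIP:443 >
        SSLEngine on
        SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
        ServerName www.subdomain1.domain.com
</VirtualHost>
<VirtualHost SERVERIP:443 >
        SSLEngine on
        SSLCertificateFile /example/certs/subdomain2.domain.com.cert
        ServerName www.subdomain2.domain.com
</VirtualHost>
EOF
}

# Demo run: only www.subdomain1.domain.com is reported.
sample_conf | find_shared_cert_vhosts -
```

Point the function at a user's generated httpd.conf instead of the sample to check real vhosts; a reported ServerName means clients of that site are being served a certificate issued for the server hostname.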
 

smtalk

Administrator
Staff member
Joined
Aug 22, 2006
Messages
8,331
Location
LT, EU
letsencrypt.sh just generates the cert, it does not change user settings to enable ssl or use it. When done from interface, or new SSL administration page (not finished yet) - it turns it on too. Autoletsencypt.sh is a good example of how to automate it. Of course, if there is a need, we could modify that script to affect configs too :)
 

eva2000

letsencrypt.sh just generates the cert, it does not change user settings to enable ssl or use it. When done from interface, or new SSL administration page (not finished yet) - it turns it on too. Autoletsencypt.sh is a good example of how to automate it. Of course, if there is a need, we could modify that script to affect configs too :)
So for my subdomain1.domain.com to have its letsencrypt ssl cert I still need to run the below?
Code:
cd /usr/local/directadmin/scripts
vhostname=subdomain1.yourdomain.com
./letsencrypt.sh request_single $vhostname 2048
 

ditto

Verified User
Joined
Apr 27, 2009
Messages
2,455
It should not be needed to run the code manually. At least in Enhanced skin it would not be needed. Hopefully Martynas can clarify, or guess what is special in your settings that can cause this behaviour.
 

eva2000

It should not be needed to run the code manually. At least in Enhanced skin it would not be needed. Hopefully Martynas can clarify, or guess what is special in your settings that can cause this behaviour.
FYI I am using default Evolution skin
 

ditto

You say you added subdomain.domain.com in user level. But to me it looks like subdomain.domain.com is added in the "admin" user account. Is that correct? If so, that may be the reason. Personally I never add domains in "admin" user account. Maybe you could create a new regular user account and test if that solves the problem?
 

eva2000

You say you added subdomain.domain.com in user level. But to me it looks like subdomain.domain.com is added in the "admin" user account. Is that correct? If so, that may be the reason. Personally I never add domains in "admin" user account. Maybe you could create a new regular user account and test if that solves the problem?
Yeah, I added it to admin user account it seems. Standard procedure is to create a new user for each domain?

can't see where to add a regular non-admin user, the options listed only show create admin or reseller ?

  • Create Administrator
  • List Administrators
  • Change Passwords
  • Create Reseller
  • List Resellers
  • Manage Reseller Packages
  • Show All Users
  • Move Users between Resellers
 

ditto

I am not sure what everybody else does, but I think most people do not add domains in admin user account. But I can only speak for myself.

But you don't need to create a user for every new domain, you can create a package that allows for many addon domains in a single user account.

It might be a bug with Let's Encrypt and addon domains in "admin" user account, maybe Martynas can check that out. At least if you confirm the problem does not happen in regular user accounts (it should not).
 

ditto

can't see where to add a regular non-admin user, the options listed only show create admin or reseller ?
I have never used Evolution skin, so I can't guide you on that. However you need to go to "Reseller level" first. In Enhanced skin you create a new user like this:

Log in as admin user in Enhanced:
Go to "Reseller level"
Click "Add New User" (select package)

But before creating a new user I recommend that you create a package with the max values and settings you want, like this:

Log in as admin user in Enhanced:
Go to "Reseller level"
Click "Add Package" (and set all the max values and settings you want)

Then when creating a new user, select the package you previously created.
 

eva2000

thanks

I see so non-admin means reseller user in this context for create a non-admin user to add new domains to ?
 

ditto

I am not sure I understand you completely. However, when you create a new user at Reseller level without creating a reseller, then that user is assigned directly under the admin user. So put in other words; if you do not use/offer reseller hosting, then you still need to go to Reseller level when creating a new regular user, that is the normal way you create a new user (unless you want to create a reseller user and assign the new user under that particular reseller).
 

eva2000

However, when you create a new user at Reseller level without creating a reseller, then that user is assigned directly under the admin user. So put in other words; if you do not use/offer reseller hosting, then you still need to go to Reseller level when creating a new regular user, that is the normal way you create a new user (unless you want to create a reseller user and assign the new user under that particular reseller).
Ah that's what I was asking - basically to create a non-admin need to create it at Reseller level.

thanks
 

ditto

Yes, that is correct. I understand you now. :) I don't know how intuitive the Evolution skin is on the levels, as I have not used Evolution skin myself (I have created a custom skin based on Enhanced). However I find the "Admin" level (most normal admin tasks), "Reseller" level (create users and create/manage user packages) and "User" level (mostly to "Login as User" by going directly from Admin level to "Show All Users" and click on them), pretty intuitive in the Enhanced skin.
 

bdacus01

Verified User
Joined
Jul 22, 2017
Messages
528
Location
Murfreesboro
Yeah i added it to admin user account it seems. Standard procedure is to create a new user for each domain ?

can't see where to add a regular non-admin user, the options listed only show create admin or reseller ?

  • Create Administrator
  • List Administrators
  • Change Passwords
  • Create Reseller
  • List Resellers
  • Manage Reseller Packages
  • Show All Users
  • Move Users between Resellers
George
If you go here: https://www.site-helper.com/evo/sitehelper.php
It's the main link for site helper. It covers all the different sections and more.

It's in the section labeled as Help and Support.

Also just for note: The old one for enhanced is here https://www.site-helper.com/
 

bdacus01

I think most people do not add domains in admin user account.
Ditto thanks..

I was told by Alex it's not really recommended. I assume this means only to admin "user" itself.

Let me preface this below with I don't have any resellers it's just me.

So is it?

That adding users to the in the reseller section is ok under admin? What I understand is Admins are both Admins and resellers in operation. Which is a bit confusing. I think cpanel was the same actually but hid it better maybe.

OR

Do you all create a totally separate reseller account for just shared hosting even if it's "just you"?

I hope that makes sense...
 

ditto

Ditto thanks..

I was told by Alex it's not really recommended. I assume this means only to admin "user" itself.

Let me preface this below with I don't have any resellers it's just me.
That sounds correct. :)

So is it?

That adding users to the in the reseller section is ok under admin? What I understand is Admins are both Admins and resellers in operation. Which is a bit confusing. I think cpanel was the same actually but hid it better maybe.
Yes, that is OK. I guess you could call an admin user a reseller also.

OR

Do you all create a totally separate reseller account for just shared hosting even if it's "just you"?

I hope that makes sense...
I have never done that (I am running shared hosting servers), and I have never heard of anyone else that has done that. Also I don't see any real benefit of creating a reseller in this case.
 

bdacus01

letsencrypt.sh just generates the cert, it does not change user settings to enable ssl or use it. When done from interface, or new SSL administration page (not finished yet) - it turns it on too. Autoletsencypt.sh is a good example of how to automate it. Of course, if there is a need, we could modify that script to affect configs too :)
Ok here is what I think. There should be a switchable, notifiable, and totally full auto way. Here is what I mean. I will start with a server creation.

Server setup should automatically attempt to secure the Server side on or before first use. As long as all the needed pieces to create are there eg fqdn and dns in place. If the Admin wants to use a Paid cert they can replace it easily.

Once any domain, subdomain is added at anytime if SSL is "switched" on (should be by default) The system just automatically goes and creates and installs the cert for the domain. Then notifies the User and or the admin of error and or completion.
If the cert does not complete and or install fully for say dns issues it should retry every few hours automatically.

The GUI should have the ability to show the user and or the admin what happened via a log. It should also allow for current function as well. In general it should also remove the Certs if the user is deleted or the user deletes the domain.

In short if the admin switches on SSL it should be as transparent and automatic as possible. The system should be readily secured easily. For those that don't want ssl to be automatic the switch can be set to 0 or turned off in packages.
 

bdacus01

I have never done that (I am running shared hosting servers), and I have never heard of anyone else that has done that. Also I don't see any real benefit of creating a reseller in this case.
Great I have mine set up correctly then.. Yeah an extra reseller did not make sense to me either. Wanted to be sure I wasn't missing something..

Thanks again Ditto..
 