Let's Encrypt not saving new key size settings

Erulezz (Verified User, joined Sep 14, 2015, 958 messages, location 🇳🇱)
A while back I requested new certificates (to replace old Let's Encrypt certificates) for domains to use the new default EC-384 keysize, as described here:


But now when the certificates are automatically renewed they are renewed with the old settings, that are stored in the san_config file for every domain:

Code:
default_bits    = 4096

So after they are renewed the certificates use the old 4096 key size, instead of the newly requested EC-384 through the DirectAdmin interface. Can this be changed so that if you request new Let's Encrypt certificates with a new key size, that becomes the default, also after a renewal?

I am now manually changing the key size settings in every san_config file to check with the next renewal if it goes correctly.
 
In addition to the above problem I also experience:
I also notice that no san_config files are being generated for newly requested certificates (for a number of weeks, as far as I can see).
When renewing a recently requested certificate by DirectAdmin, I see the following error:

2020:10:17-00:14:18: Error reading /usr/local/directadmin/data/users/xxxx/domains/xxxx.be.san_config to find default_bits. Defaulting to 4096
2020:10:17-00:14:59: Error reading /usr/local/directadmin/data/users/xxxx/domains/xxxx.online.san_config to find default_bits. Defaulting to 4096

Looks like no certificate settings are stored at all, for new or for renewed certificates?
 
That's also a problem I am seeing right now. Requested a couple of new certificates for new users and no san_config file present for these users.
 
This problem still exists, today I saw this in the logs:
Error reading /usr/local/directadmin/data/users/suser/domains/user.net.san_config to find default_bits. Defaulting to 4096
@smtalk @DirectAdmin Support
What is happening?
 
Same here! The initial certificate is an EC-384, as requested via the WebGui of DirectAdmin, but after 60 days the renewal falls back to RSA-4096.

Code:
Cannot find the file /usr/local/directadmin/data/users/username/domains/domain.tld.san_config, but the script should create it if it's missing. Ingoring missing file and continuing.
Error reading /usr/local/directadmin/data/users/username/domains/domain.tld.san_config to find default_bits. Defaulting to 4096

Especially the "but the script should create it if it's missing" part in the logs; the ".san_config"-file isn't created ;)

Which raises two questions:
1) Should this be fixed? The creation of the ".san_config" file by the WebGui and/or renewal script?
2) Where can I change the "Defaulting to 4096" part :)?
 
What’s the version of DA? Latest stable?
 
Version 1.61.5

Full log during `/usr/local/directadmin/dataskq d3100`:

Code:
dataskq: command: action=rewrite&value=letsencrypt&domain=domain.tld
Ssl::check_letsencrypt_expiries: START (this_domain_only=domain.tld
InternalText::load:ssl: reload=0 reload_index=-1
InternalText::init(ssl)
Ssl::letsencrypt_about_to_expire: checking file /usr/local/directadmin/data/users/username/domains/domain.tld.cert.creation_time
Ssl::letsencrypt_about_to_expire: c_time=1577965621 + renewal_threshold=5184000 > now=1618913512
Ssl::letsencrypt_about_to_expire: TRUE! We will renew
InternalText::load:domain: reload=0 reload_index=-1
InternalText::init(domain)
just after hc.init("domain"); for domain.tld.
Currently in start : getlock(/usr/local/directadmin/data/task.queue.tmp, 'ListFile::readFile') : finished
Calling letsencrypt license renewal for domain 'domain.tld'
InternalText::load:ssl: reload=0 reload_index=-1
InternalText::init(ssl)
Ssl::use_letsencrypt:ConfigFile &cf, action='renew': letsencrypt_pre.sh
get_hook_paths_from:/usr/local/directadmin/scripts/custom/letsencrypt_pre.sh: Found hook name 'letsencrypt_pre'
isDir(/usr/local/directadmin/scripts/custom/letsencrypt_pre): lstat error: No such file or directory
get_hook_paths_from:/usr/local/directadmin/scripts/custom/letsencrypt_pre.sh: got the following paths for 'letsencrypt_pre':
listType: 0 size=64
Ssl::use_letsencrypt:ConfigFile &cf, action='renew': renewing
Cannot find the file /usr/local/directadmin/data/users/username/domains/domain.tld.san_config, but the script should create it if it's missing. Ingoring missing file and continuing.
Error reading /usr/local/directadmin/data/users/username/domains/domain.tld.san_config to find default_bits. Defaulting to 4096
Ssl::use_letsencrypt:ConfigFile &cf, action='renew': write_san_config
Load to env (Let's Encrypt):
 0: HOME=/root
 1: staging=no
Ssl::use_letsencrypt:ConfigFile &cf, action='renew': calling command: /usr/local/directadmin/scripts/letsencrypt.sh renew 'domain.tld' 4096 /usr/local/directadmin/data/users/username/domains/domain.tld.san_config /var/www/html
execute('/usr/local/directadmin/scripts/letsencrypt.sh renew 'domain.tld' 4096 /usr/local/directadmin/data/users/username/domains/domain.tld.san_config /var/www/html', maxsize=149, fd=1, env=0)
Ssl::use_letsencrypt:ConfigFile &cf, action='renew': letsecnrypt_post.sh
get_hook_paths_from:/usr/local/directadmin/scripts/custom/letsencrypt_post.sh: Found hook name 'letsencrypt_post'
isDir(/usr/local/directadmin/scripts/custom/letsencrypt_post): lstat error: No such file or directory
get_hook_paths_from:/usr/local/directadmin/scripts/custom/letsencrypt_post.sh: got the following paths for 'letsencrypt_post':
listType: 0 size=64
LetsEncrypt renewal on domain.tld has succeeded. Not sending a notice.
Ssl::check_letsencrypt_expiries: renewed 1 certificates
get_hook_paths_from:/usr/local/directadmin/scripts/custom/check_letsencrypt_expiries_post.sh: Found hook name 'check_letsencrypt_expiries_post'
isDir(/usr/local/directadmin/scripts/custom/check_letsencrypt_expiries_post): lstat error: No such file or directory
get_hook_paths_from:/usr/local/directadmin/scripts/custom/check_letsencrypt_expiries_post.sh: got the following paths for 'check_letsencrypt_expiries_post':
listType: 0 size=64
 
Hello,

I've confirmed that if there is no san_config, it would have defaulted to 4096.
As we no longer write san_configs, the system will now:
  1. Check the existing key for its type and use that
  2. else fall back to the correct default of secp384r1 (if available), else 4096.
Pre-release binaries are uploading now.

John
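The fallback order John describes (reuse the type of the existing key, else secp384r1 when the local OpenSSL offers it, else 4096), as an added shell example that is not DirectAdmin's own code; it assumes the existing key is readable by `openssl pkey -text` and that the key file path is passed in as a hypothetical argument.

```shell
#!/bin/sh
# Decide which key argument DirectAdmin's letsencrypt.sh should receive on
# renewal, in the order John describes: reuse the existing key's type,
# else secp384r1 when the local OpenSSL offers it, else 4096.

# Map the dump from `openssl pkey -text -noout` to a key argument:
# an EC key yields its curve name, an RSA key yields its modulus size.
key_arg_from_pkey_text() {
  text="$1"
  oid=$(printf '%s\n' "$text" | sed -n 's/^ASN1 OID: *//p' | head -n 1)
  if [ -n "$oid" ]; then
    printf '%s\n' "$oid"
    return 0
  fi
  # "RSA Private-Key: (4096 bit, 2 primes)" (1.1) or "Private-Key: (4096 bit)" (1.0)
  bits=$(printf '%s\n' "$text" \
    | sed -n 's/^\(RSA \)\{0,1\}Private-Key: (\([0-9][0-9]*\) bit.*/\2/p' | head -n 1)
  if [ -n "$bits" ]; then
    printf '%s\n' "$bits"
    return 0
  fi
  return 1   # not a dump we recognise; the caller falls back to the default
}

# Choose the renewal key argument for an existing key file (path is a
# hypothetical argument; the file may be missing, as san_config was here).
renewal_key_arg() {
  keyfile="$1"
  if [ -r "$keyfile" ]; then
    text=$(openssl pkey -in "$keyfile" -text -noout 2>/dev/null) \
      && key_arg_from_pkey_text "$text" && return 0
  fi
  if openssl ecparam -list_curves 2>/dev/null | grep -q 'secp384r1'; then
    echo secp384r1
  else
    echo 4096
  fi
}

# Constructed sample dumps in openssl's output format (not real key material).
SAMPLE_EC_DUMP='Private-Key: (384 bit)
priv:
    00:11:22
ASN1 OID: secp384r1
NIST CURVE: P-384'
SAMPLE_RSA_DUMP='RSA Private-Key: (4096 bit, 2 primes)
modulus:
    00:aa:bb'
```

Calling `renewal_key_arg /path/to/domain.key` on a host with a missing key file reproduces the thread's situation, but now yields secp384r1 instead of 4096 whenever OpenSSL supports that curve.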
 
Thanks for the prompt reply!

As for now, the current running version (1.61.5) doesn't honor the existing secp384r1 key and generates a new 4096 key.

I'll keep you posted when the new version is installed!
 