Let's Encrypt - special field for additional CA certificates?

jaanusnurmoja (new member, joined Nov 13, 2017, 2 messages):
Hi all,

Let's Encrypt free certs are a nice feature, especially because (unlike with cPanel's AutoSSL) I can also add additional CA certificates to those generated by LE. In my case those are the certs needed for Estonian ID-card support.

Everything seems to be working well, but there is also one weakness that makes things not so user-friendly: when LE renews its certs, the whole CA chain gets overwritten and I have to paste the additional CA certs again.

Would it be possible to consider a solution to prevent such overwriting? Like the following (assuming the rest stays as is):

The CA certificates form would have 2 or even more fields.

The first is reserved for the LE CA certs. It would be updated every time LE renews its certs.
The other is for the additional CA chain. It could be updated only manually, remaining untouched even if both textareas (for LE and for the additional certs) write their contents into one file.

Another option with 4 fields: one textarea is reserved for the LE CAs and is updated together with the rest of the LE stuff.
Another is a subform or file upload field to post custom global CA chains.
The third is a dropdown field to choose one of the existing chains posted earlier.
And the fourth is a textarea for additional custom CA certs.

Or even something better. As said, the main goal is to prevent updating the non-LE CA certs.
 
Hello,

While you are waiting for a response from the DirectAdmin developers, I would suggest that you use this feature: https://www.directadmin.com/features.php?id=1841 . It allows custom scripts to be run before and after calls to letsencrypt.sh.

So you can apply your changes after a renewal to fit your needs.

Thanks for the hint! You mean letsencrypt_post.sh and action=request? And where should letsencrypt_post.sh and the file with the certs be located then? In .well-known?
 
You've got the idea, haven't you? You can use the hook in DirectAdmin.

Well, the action is clear enough, I'd say, and there is no need to explain the difference between request and renew, right?

All the individual certs and related files are located under /usr/local/directadmin/data/users/$username/domains/

- ${domain}.cacert
- ${domain}.cert
- ${domain}.cert.bundle (this or next?)
- ${domain}.cert.combined (this or previous?)
- ${domain}.key

So it's up to you to write a script. You can use any programming language for it: bash, perl, php, python, etc.

So you update cacert and bundle or combined (you need to check which one is used by default on your server) with your custom certs and restart the services.
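A worked example of such a post hook, added here by the editor and not taken from the thread or from DirectAdmin: a POSIX shell letsencrypt_post.sh that re-appends a custom CA chain to the DirectAdmin-managed cacert/bundle/combined files after every letsencrypt.sh run, skipping certificates that are already present so it is safe to run repeatedly. It assumes the script is installed in /usr/local/directadmin/scripts/custom/, that DirectAdmin exports username and domain in the environment (as the paths in the reply above use them), and that the custom chain is kept in a file named ${domain}.cacert.custom next to the managed files; that file name, the DA_USERS_DIR override and the `service httpd restart` at the end are this example's own choices and should be adjusted to your server.

```shell
#!/bin/sh
# letsencrypt_post.sh (added example, not DirectAdmin's own code)
# Assumed location: /usr/local/directadmin/scripts/custom/letsencrypt_post.sh
# Assumed environment from DirectAdmin: $username and $domain (as the paths
# in the thread use them). After letsencrypt.sh has rewritten the LE files,
# this re-appends the custom CA chain kept in ${domain}.cacert.custom
# (an assumed file name that DirectAdmin itself never touches).
set -eu

DA_USERS_DIR="${DA_USERS_DIR:-/usr/local/directadmin/data/users}"

# append_missing_certs TARGET EXTRA
# Appends every PEM certificate found in EXTRA to TARGET unless that exact
# certificate is already in TARGET. Returns 0 if TARGET was changed and 1 if
# nothing had to be added (or TARGET does not exist on this server).
append_missing_certs() {
    target="$1"
    extra="$2"
    changed=1
    [ -f "$target" ] || return 1
    tmpd=$(mktemp -d)
    # Split EXTRA into one file per certificate (1.pem, 2.pem, ...) so that a
    # multi-certificate chain is checked and appended cert by cert.
    awk -v d="$tmpd" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = d "/" n ".pem" }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
    ' "$extra"
    for pem in "$tmpd"/*.pem; do
        [ -f "$pem" ] || continue
        # The first base64 line of a certificate is distinctive enough to tell
        # whether this exact certificate is already present in TARGET.
        probe=$(sed -n '2p' "$pem")
        if ! grep -qF -- "$probe" "$target"; then
            # Make sure the appended block starts on its own line.
            [ -z "$(tail -c 1 "$target")" ] || printf '\n' >> "$target"
            cat "$pem" >> "$target"
            changed=0
        fi
    done
    rm -rf "$tmpd"
    return "$changed"
}

main() {
    ddir="$DA_USERS_DIR/$username/domains"
    extra="$ddir/${domain}.cacert.custom"
    # Nothing to do for domains that have no custom chain.
    [ -s "$extra" ] || return 0
    touched=1
    # Whichever of bundle/combined your server actually uses gets updated;
    # the one that does not exist is simply skipped by append_missing_certs.
    for f in "$ddir/${domain}.cacert" \
             "$ddir/${domain}.cert.bundle" \
             "$ddir/${domain}.cert.combined"; do
        if append_missing_certs "$f" "$extra"; then
            touched=0
        fi
    done
    # Assumed restart command; use whatever your stack needs (nginx, etc.).
    if [ "$touched" -eq 0 ]; then
        service httpd restart
    fi
}

# Run only when DirectAdmin invokes this file as the hook, so the functions
# above can also be sourced and exercised on their own.
case "$0" in
    letsencrypt_post.sh|*/letsencrypt_post.sh) main ;;
esac
```

Install it as root, mark it executable (chmod 755), and put the Estonian ID-card CA chain into ${domain}.cacert.custom once; from then on each renewal overwrites the LE files as before and the hook immediately puts the extra CAs back. The duplicate check keys on the second line of each PEM block rather than on a full comparison, which is enough to make repeated manual runs idempotent without needing openssl on the box.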
 