Request to provide support for Let's Encrypt

nielsh

Let's Encrypt is a new certificate authority that will launch in September. It'll offer free DV certificates and it has the option to automatically place a validation file in the public_html of a website of webservers so the certificate can be issued.

It would be awesome if DirectAdmin could talk with the Let's Encrypt API so SSL certificates can automatically be generated and installed for websites.

See https://letsencrypt.org/faq/ and http://www.cryptologie.net/article/274/lets-encrypt-overview/

- Niels
 
Totally agree! Just wanted to post this, would be really awesome if support was built into DirectAdmin!

- Michel
 
I don't think this is a good idea. A certificate should be requested and validated. I don't think I want to support these easy certificates.
 

Let's Encrypt will only offer domain validated certificates. The validation is simply automated (or, can be automated) because you control the domain and the files on it. It removes a lot of the hassle and removes a big boundary for customers to offer HTTPS.

Either way, like all certificate authorities, there are checks to ensure you actually own the domain. It's not like you can create bogus certificates this way :)
 
Agree!
And, the certificate is requested and validated, but all automatically. Read it here: https://letsencrypt.org/howitworks/technology/.
To kick off the process, the agent asks the Let’s Encrypt CA what it needs to do in order to prove that it controls example.com. The Let’s Encrypt CA will look at the domain name being requested and issue one or more sets of challenges. These are different ways that the agent can prove control of the domain. For example, the CA might give the agent a choice of either:

* Provisioning a DNS record under example.com, or
* Provisioning an HTTP resource under a well-known URI on https://example.com/

Along with the challenges, the Let’s Encrypt CA also provides a nonce that the agent must sign with its private key pair to prove that it controls the key pair.
And Let's Encrypt will presumably support SAN (one certificate for multiple domains on one IP) and SNI (multiple certificates for multiple domains on one IP).
 
Yes,

This would be a great feature.
Especially then Google will give encrypted sites an SEO bonus.

We already have some decent SSL Certificate management in DA.
I don't think this would be a big change.
 
+1 for this.

Going to be interesting to see how well it takes off once they go live.
 
Any status on this? They're going mainstream on November 16th (if the launch doesn't get pushed back further). It would be a great addition to DirectAdmin, or any other hosting panel for that matter. Their goal is to lower the bar for people to use secure connections. Adding it as a one click option to web hosting panels would definitely fit in this philosophy.
 
It would be great to be able to provide a simple tool to have just a 1-click "request, verify, install" option.

Here is the client repository: https://github.com/letsencrypt/letsencrypt

It's all automated:

The tool will prove domain control to the CA and submit a CSR (Certificate Signing Request).
If domain control has been proven, a certificate will get issued and the tool will automatically install it.

All you need to do to sign a single domain is:
user@www:~$ sudo letsencrypt -d www.example.org auth

For multiple domains (SAN) use:
user@www:~$ sudo letsencrypt -d www.example.org -d example.org auth

and if you have a compatible web server (Apache or Nginx), Let's Encrypt can not only get a new certificate, but also deploy it and configure your server automatically!:
user@www:~$ sudo letsencrypt -d www.example.org run
 
I'm in beta now, and it's really simple. I don't think including this would be hard. There's an option to just generate a certificate, without changing the httpd config. So what would be needed is:
1. Add a button for "Add SSL certificate" - it would be cool if there was some sort of DNS check to ensure public DNS is pointing to the server, and then have DA issue a command to the Let's Encrypt client to generate a single certificate for all the domains in there (including the domain aliases + www. domain).
2. The command would basically be, generate a certificate for those domains and point it to the public_html. The client would issue a challenge to place a verification file in the public_html, which is all done automatically. A few seconds later you would have the multi-domain certificate.
3. DA just needs to add symlinks to the file holding the actual certs that can be renewed through some sort of cron (followed by a graceful reload) periodically. There's also a separate file with the SSL chain that can be used for intermediates.

The only(?) issue I can see here is what to do if the public DNS no longer points to this server, so the verification would fail. Would it stop renewing and warn someone? Or renew anyways, but simply exclude the domain that no longer points to the server?

Since the lifetime of the certs is fairly short (3 months) there does have to be a cron of some sort to automatically renew.
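
The pre-renewal DNS check and the "exclude the domain that no longer points to the server" option raised in the post above, as an added Python example that is not part of the thread and not DirectAdmin or Let's Encrypt code. `plan_renewal`, the 30-day renewal window and the sample names and addresses are assumptions made for illustration.

```python
import socket
from datetime import datetime, timedelta, timezone

RENEW_BEFORE = timedelta(days=30)  # assumption: renew in the last 30 of ~90 days


def resolve(name):
    """Addresses public DNS returns for name (A and AAAA); empty set on failure."""
    try:
        infos = socket.getaddrinfo(name, 80, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def plan_renewal(names, server_ips, not_after, now, resolver=resolve):
    """Decide whether to renew and which names can still be validated here.

    A name is kept only if it resolves and *every* address belongs to this
    server: the CA may connect to any published address, so one stale A or
    AAAA record pointing elsewhere is enough to make validation fail.
    """
    plan = {"renew": not_after - now <= RENEW_BEFORE, "include": [], "exclude": {}}
    for name in names:
        addrs = resolver(name)
        stray = sorted(addrs - set(server_ips))
        if not addrs:
            plan["exclude"][name] = "does not resolve"
        elif stray:
            plan["exclude"][name] = "points elsewhere: " + ", ".join(stray)
        else:
            plan["include"].append(name)
    # Nothing left to validate: do not call the client, just warn the admin.
    if not plan["include"]:
        plan["renew"] = False
    return plan


# Constructed sample data (documentation address ranges, not real hosts).
SAMPLE_DNS = {
    "example.org": {"192.0.2.10"},
    "www.example.org": {"192.0.2.10", "2001:db8::10"},
    "alias.example.net": {"198.51.100.7"},              # moved to another host
    "old.example.org": {"192.0.2.10", "2001:db8::99"},  # stale AAAA record
}
SERVER_IPS = {"192.0.2.10", "2001:db8::10"}

if __name__ == "__main__":
    now = datetime(2015, 12, 1, tzinfo=timezone.utc)
    lookup = lambda n: SAMPLE_DNS.get(n, set())
    print(plan_renewal(list(SAMPLE_DNS), SERVER_IPS, now + timedelta(days=20), now, lookup))
```

A cron job would pass `plan["include"]` as the `-d` arguments to the client and report `plan["exclude"]` to the admin, since a name dropped from the certificate loses HTTPS coverage until its DNS is fixed.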
 
This thread is the second most viewed thread in the Feature Request forum, so it looks like a lot of people would like to see this implemented. Also Let's Encrypt announced that they go into public beta on the 3rd of December.
It would be nice to get a response from the DirectAdmin team to see if this feature is planned!
 
Will this also work for email when connecting to Exim and Dovecot?
 

I don't quite follow why he's manually installing the certificates through DirectAdmin after he created them. Why not just write out the certificates/keys at the same locations where DA writes them? Wouldn't that produce the exact same result without having to do manual labor? It's all about automation, so I was thinking about installing the certs/keys in all appropriate places (for Exim, for Dovecot, for ProFTP, for DA itself) through a script. Ideas?
 
Didn't say it was perfect. I actually didn't even read it entirely. Just hoping it helps anyone :)
 

Sure, it's helpful alright, so thanks for posting the link. It proves that someone who's running DA is actively trying to integrate letsencrypt into the system. It's just a very low-tech integration: manually generate a certificate, manually upload it in DA.
I'm just a bit surprised that he didn't take it a little further, he's generally posting more advanced solutions. I'll try to ask him myself. It seems we're in the same country, we may even speak the same language.
 
[offtopic]Oh haha... Didn't even notice it was from Remy. I sometimes have contact with him since I'm using CloudVPS services. (Yes I'm Dutch too)[/offtopic]

Anyway... I hope it can be as easy as just adding a domain to DA, click 'Enable Free SSL' and done..
 