/usr/local/directadmin/scripts/custom/letsencrypt.sh

Driesp (Verified User, joined Mar 12, 2007, 217 messages, Belgium)
Hello all

It seems like the letsencrypt.sh script is now bundled in the DirectAdmin binary. Or something else is happening.
I can remove the letsencrypt.sh file in /usr/local/directadmin/scripts or /usr/local/directadmin/scripts/custom and DirectAdmin still processes certificates fine.

I changed the letsencrypt.sh script a long time ago, but I noticed my changes are not honored anymore.
I now tried using the pre hook, but that did not work either. Or maybe I am doing something wrong.
I used the file /usr/local/directadmin/scripts/custom/letsencrypt_pre.sh with the following contents to change the keysize, but that did not work either.
Code:
#!/bin/sh

keysize="ec256"

I used this feature:

I want to override to ec256 always, regardless of the selected keysize.
I hope to find an alternative way to override the keysize.

Thank you in advance
Kind regards
Dries
 
Hello Dries,

The feature does not work that way. You cannot change the value of environmental variables in the Hook script. The Environmental variables can be used in read-only mode.

A custom version of the script should be placed in /usr/local/directadmin/scripts/custom/letsencrypt.sh

Related: https://docs.directadmin.com/changelog/version-1.51.0.html#custombuild-to-manage-letsencrypt-sh

I used the file /usr/local/directadmin/scripts/custom/letsencrypt_pre.sh with the following contents to change the keysize, but that did not work either.
 
Hello Alex
Thank you for your quick reply.

I have been patching a copy of letsencrypt.sh into /usr/local/directadmin/scripts/custom/letsencrypt.sh, but it seems like DA does not call this script anymore when creating or renewing certificates.

Kr
Dries
 
@Driesp, yes we are migrating the letsencrypt.sh script logic into the main DirectAdmin service.

Could you please share with us some more details or use cases for why you want to prevent other certificate key sizes from being used? We would prefer to allow server administrators to configure the DA behaviour with the configuration options instead of script customisations.
 
but it seems like DA does not call this script anymore when creating or renewing certificates.

confirmed. The script /usr/local/directadmin/scripts/custom/letsencrypt.sh is no longer used:

Bash:
# cat /usr/local/directadmin/scripts/custom/letsencrypt.sh
#!/bin/bash
echo Testing...
exit 1;
 
Hello. We change the TTL values for DNS records when issuing wildcard certificates. Therefore, we also use our own letsencrypt.sh script. If this script no longer works, we would like to see this setting in the control panel itself.
 
@Driesp, yes we are migrating the letsencrypt.sh script logic into the main DirectAdmin service.

Could you please share with us some more details or use cases for why you want to prevent other certificate key sizes from being used? We would prefer to allow server administrators to configure the DA behaviour with the configuration options instead of script customisations.

Hi fln

Thank you for the prompt reply.

I would like to use the ec256 keysize for all certificates, I am convinced any other keysize has no positive benefit for our clients.
Keys are also cycled on every certificate renewal; I don't think a bigger size is beneficial (in 2026).

Kind regards
Dries
 
Thanks, @Driesp, indeed you are right, there is little value in getting larger EC keys. However, I am not really sure if it is really worth actively blocking the key type selector for the users. Most of them are fine with the default size and do not really care. And if they do change the key type there is little harm in doing that.

@splby what TTL values are you using? Are there any problems with the default value? The letsencrypt.sh uses a 5-second TTL by default for the DNS challenge record. This script is still used by the lego CLI tool for adding and removing DNS challenge records. However, the main DA service now instructs lego to always use scripts/letsencrypt.sh, even if scripts/custom/letsencrypt.sh exists.
 
Thank you fln. I understand why DirectAdmin gives the end user the possibility to change the keysize. And it is a positive thing, DirectAdmin is very customizable.

However, most of the end users don't know what they are doing, and they don't care, indeed.
Using smaller key sizes also leads to faster TLS handshakes.
And currently EC384 is highlighted as the standard when requesting a new certificate in DirectAdmin.

Kr
Dries
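Since the custom script is no longer honoured, an administrator who wants ec256 everywhere can at least verify what DirectAdmin actually issued. The following POSIX shell snippet is an added example, not code from this thread or from DirectAdmin: it reads each PEM certificate with the openssl CLI (assumed to be installed) and maps the public key to the keysize labels used in the thread (ec256, ec384, rsa2048, rsa4096); the directory path passed to it is a placeholder, not a DirectAdmin location stated on this page.

```shell
#!/bin/sh
# Added example (not from the thread or DirectAdmin): report the public key
# type/size of issued certificates so an admin can check the keysize override.
# Assumes the openssl CLI is available. Label names mirror those in the thread.

cert_keysize() {
    # $1: path to a PEM certificate; prints ec256/ec384/rsa2048/rsa4096/unknown
    info=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || return 1
    case "$info" in
        *"NIST CURVE: P-256"*|*"ASN1 OID: prime256v1"*) echo ec256 ;;
        *"NIST CURVE: P-384"*|*"ASN1 OID: secp384r1"*)  echo ec384 ;;
        *"Public-Key: (2048 bit)"*)                     echo rsa2048 ;;
        *"Public-Key: (4096 bit)"*)                     echo rsa4096 ;;
        *)                                              echo unknown ;;
    esac
}

# Scan every *.pem certificate in a directory (placeholder path, supplied by
# the caller) and list those whose key does not match the wanted keysize.
# Returns 0 when all certificates match, 1 otherwise.
audit_keysizes() {
    dir=$1
    want=${2:-ec256}
    mismatches=0
    for c in "$dir"/*.pem; do
        [ -f "$c" ] || continue
        if ks=$(cert_keysize "$c"); then
            if [ "$ks" != "$want" ]; then
                echo "$c: $ks (expected $want)"
                mismatches=$((mismatches + 1))
            fi
        else
            echo "$c: not a readable certificate"
            mismatches=$((mismatches + 1))
        fi
    done
    [ "$mismatches" -eq 0 ]
}

# Usage: sh audit.sh /path/to/certs [ec256]
if [ -n "${1:-}" ]; then
    audit_keysizes "$1" "${2:-ec256}"
fi
```

Run it against the directory holding the issued certificates after a renewal cycle; a non-zero exit means at least one certificate was issued with a different key type than the one you intended to enforce.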
 
Agreed, there might be end users thinking, "let's pick a small keysize for the fastest website," but hosting providers have their own ways to adjust the real default protection; even though ec256 is mostly secure enough, they don't want the user to change the thing.

Example: a hacker can capture the current HTTPS request and try to decode it with AI in the future using a supercomputer.
 
We use TTL 100. Our backbone provider either blocks it or has some issues with TTL records below 60. Currently, we change the TTL value directly in the script after each update.
 