Let's Encrypt automated free SSL certificate directadmin

 ETA


Functionality for the new Free Certificate Authority:

https://letsencrypt.org/


directadmin.conf option:

letsencrypt=0


where 0 is the internal default.

To enable this feature, use:

letsencrypt=1


followed by the "ACTION REQUIRED" below to add the .well-known Alias to the httpd-alias.conf file.


Users can then access it from:

User Level -> SSL Certificates


where a 3rd certification creation radio box will be created:

"Free & automatic certificate from Let's Encrypt"

in addition to the other 2 'self-signed' and 'create request' options.


There is an internal variable, set by default to:

letsencrypt_renewal_days=85

you shouldn't need to adjust this.

The certificates are only valid for 90 days, so DA starts trying to renew 85 days in.

It's triggered at the end of a full tally, every night. Looks at any domain.com.cert.creation_time files, and sees if it's old enough.


You can alternatively use:

letsencrypt=2

to use:

/home/user/domains/domain.com/public_html/.well-known

but this method is not recommended, as it prevents the use of multi-domain certificates... use letsencrypt=1 :)


while:

letsencrypt=1

will use:

to use /var/www/html/.well-known


======================

ACTION REQUIRED

You must have the .well-known Alias pointing to /var/www/html/.well-known, so update your CustomBuild configs:

cd /usr/local/directadmin/custombuild

./build update

./build rewrite_confs


======================

RATE LIMIT


LetsEncrypt does have a rate limit, so you won't likely be able to secure hundreds of domains at the same time.

https://community.letsencrypt.org/t/quick-start-guide/1631


As of Jan 31st, 2016 the rates are:

Rate limit on registrations per IP is now 10 per 3 hours

Rate limit on certificates per Domain is now 5 per 7 days

but once the project becomes "stable", they'll likely increase the allowed rates.


======================

TASK.QUEUE


as mentioned above, the full tally does handle the automated renewals, if they're about to expire.

If you want to run a renewal check manually, you can use:

echo "action=rewrite&value=letsencrypt" >> /usr/local/directadmin/data/task.queue


which will call the same function as the full tally calls.

Only domains who's certificates are about to expire will be updated.


======================

SCRIPTS:

/usr/local/directadmin/scripts/letsencrypt.sh


usage:

./letsencrypt.sh request|renew|revoke domain.com 4096 (/path/to/csr-request-config-file) (document_root)


but you shouldn't need to run it manually, as DA will call it automatically when the User triggers it through DA.

Note, when you run it through DA, the domain.com.san_config will have more details, than if you run it from ssh (.san_config will be created, but with less info)


======================

CONFIG FILES

/usr/local/directadmin/data/users/username/letsencrypt.key                                           - L.E. account ID for this User. Only created once.

/usr/local/directadmin/data/users/username/domains/domain.com.cert.creation_time        - contains time L.E. cert was created (to be automatically renewed every 90 days)

/usr/local/directadmin/data/users/username/domains/domain.com.cert.san_config            - csr -config request info, used for creation and renewal.

/var/www/html/.well-known/acme-challenge                                                                   - directory created by DA for the random challenge key file: letsencrypt=1

/home/user/domains/domain.com/public_html/.well-known/acme-challenge                      - challenge key file if letsencrypt=2

.htaccess        - added to either document root to disable mod_rewrite, in case it's enable higher up.


Comments

Post a Comment

Popular posts from this blog

how to install internet download manger in linux

Image
How to run any Version of Internet Download Manager in Ubuntu/Linux with full Firefox Integration.  I 'm gonna show you how to use latest version of IDM in any linu x OS , yes you heard it right "latest version of IDM". Till wine 1.7.4x, it only supported an older version of ID M whic h wa s IDM 5.05. It was functional but shitty version when we look a t newer ve rsions of IDM with a dded new features . S o just follow t h is step by step g uide to get your IDM working. So I have divided this Post in 3 parts: Installing "Internet Download Manager" Integrating IDM with Firefox. Make IDM look Good.          Installing "Internet Download Manager" As you know IDM is a window's application. So to run IDM on linux we need something that supports Windows apps in linux. Wine (Wine is not an emulator) is a free and open source compatibility layer software application that aims to allow applications designed for Microsoft Win...
Read more

cpanel exam CPSP Answers

 Which of the following options best describes the role of Shared Hosting on a web server? Providing hosting for a single website owned by different people on multiple servers. Providing hosting for a single website owned by one person on one server. Providing hosting for multiple websites owned by different people on one server. Providing hosting for multiple websites owned by one person on one server. 3 Which of the following capabilities can a cPanel account user perform easily from within the cPanel account interface without the aid of a system administrator? File and configuration management. Relocating the physical server. Upgrading server hardware and equipment. Installing new database software. 1 File and configuration management. Which of the following options best describes a core benefit to using cPanel & WHM, as a web hosting provider operating on a cPanel & WHM environment? cPanel users are able to create new virtualization resources to help host their web appl...
Read more

How to install zimbra collaboration suite 8.8.11 on CentOS 7

Check system requirements  https://wiki.zimbra.com/wiki/Zimbra_Releases/8.7.0/Single_Server_Installation#System_Requirements prerequisites Before we get started, here are a few things that are required before we proceed with the installation. A clean installation of Centos 7 A Fully Qualified Domain (FQDN) for your server(Example mail.geekybum.com) An external DNS server with both A and MX records for your server to point to your Zimbra mail server IP Address A static IP Address assigned to network interface. Step 1: Root login to server through SSH Step 2: Install required packages for zimbra coloboration suite installation yum -y install unzip net-tools sysstat openssh-clients perl-core libaio nmap-ncat libstdc++.so Initial server setup To get started we need to configure a hostname for our server and a static IP address. vi /etc/hosts 135.125.30.56 mail.geekybum.com mail Replace the system hostname and FQDN values accordingly in order to match your ow...
Read more