Let's Encrypt automated free SSL certificate directadmin



Functionality for the new Free Certificate Authority:

https://letsencrypt.org/


directadmin.conf option:

letsencrypt=0


where 0 is the internal default.

To enable this feature, use:

letsencrypt=1


followed by the "ACTION REQUIRED" below to add the .well-known Alias to the httpd-alias.conf file.


Users can then access it from:

User Level -> SSL Certificates


where a third certificate-creation radio option will appear:

"Free & automatic certificate from Let's Encrypt"

in addition to the existing two options, 'self-signed' and 'create request'.


There is an internal variable, set by default to:

letsencrypt_renewal_days=85

You shouldn't need to adjust this.

The certificates are only valid for 90 days, so DA starts trying to renew them 85 days in.

The check is triggered at the end of the full tally every night. It looks at each domain.com.cert.creation_time file and checks whether the certificate is old enough to renew.


You can alternatively use:

letsencrypt=2

to use:

/home/user/domains/domain.com/public_html/.well-known

but this method is not recommended, as it prevents the use of multi-domain certificates. Use letsencrypt=1 :)


while:

letsencrypt=1

will use:

/var/www/html/.well-known


======================

ACTION REQUIRED

You must have the .well-known Alias pointing to /var/www/html/.well-known, so update your CustomBuild configs:

cd /usr/local/directadmin/custombuild

./build update

./build rewrite_confs


======================

RATE LIMIT


Let's Encrypt does have rate limits, so you likely won't be able to secure hundreds of domains at the same time.

https://community.letsencrypt.org/t/quick-start-guide/1631


As of Jan 31st, 2016 the rates are:

Rate limit on registrations per IP is now 10 per 3 hours

Rate limit on certificates per Domain is now 5 per 7 days

but once the project becomes "stable", they'll likely increase the allowed rates.


======================

TASK.QUEUE


As mentioned above, the full tally handles the automated renewals of certificates that are about to expire.

If you want to run a renewal check manually, you can use:

echo "action=rewrite&value=letsencrypt" >> /usr/local/directadmin/data/task.queue


which calls the same function the full tally calls.

Only domains whose certificates are about to expire will be updated.
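To see which certificates the nightly tally (or the manual task.queue call above) would pick up, here is an added example script that is not part of DirectAdmin's own code: it walks the per-user domain.com.cert.creation_time files and lists those older than letsencrypt_renewal_days. It assumes creation_time holds a Unix timestamp; the sample users and domains are constructed so it runs without a DA install.

```shell
#!/bin/sh
# Added example, not DirectAdmin's own code. Reports Let's Encrypt certificates
# whose creation_time file is old enough for DA's renewal pass to act on them.

DA_DATA_DIR="${DA_DATA_DIR:-/usr/local/directadmin/data/users}"
RENEWAL_DAYS="${RENEWAL_DAYS:-85}"   # same default as letsencrypt_renewal_days

# cert_age_days FILE NOW -> whole days since the timestamp stored in FILE.
# Assumption: DA stores a Unix timestamp in domain.com.cert.creation_time.
cert_age_days() {
    created=$(tr -d '[:space:]' < "$1")
    now="$2"
    echo $(( (now - created) / 86400 ))
}

# due_for_renewal BASE_DIR NOW -> prints "user domain age" for every cert
# under BASE_DIR/<user>/domains/ that is at least RENEWAL_DAYS old.
due_for_renewal() {
    base="$1"; now="$2"
    for f in "$base"/*/domains/*.cert.creation_time; do
        [ -f "$f" ] || continue
        user=$(basename "$(dirname "$(dirname "$f")")")
        domain=$(basename "$f" .cert.creation_time)
        age=$(cert_age_days "$f" "$now")
        if [ "$age" -ge "$RENEWAL_DAYS" ]; then
            echo "$user $domain $age"
        fi
    done
}

# Constructed sample data: one cert 86 days old (due), one 10 days old (not due).
make_sample() {
    dir="$1"; now="$2"
    mkdir -p "$dir/alice/domains" "$dir/bob/domains"
    echo $(( now - 86 * 86400 )) > "$dir/alice/domains/example.com.cert.creation_time"
    echo $(( now - 10 * 86400 )) > "$dir/bob/domains/example.net.cert.creation_time"
}

# Run with --demo to exercise the sample data; without it, point DA_DATA_DIR at
# the real users directory and call due_for_renewal "$DA_DATA_DIR" "$(date +%s)".
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d); now=$(date +%s)
    make_sample "$tmp" "$now"
    due_for_renewal "$tmp" "$now"   # prints: alice example.com 86
    rm -rf "$tmp"
fi
```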


======================

SCRIPTS:

/usr/local/directadmin/scripts/letsencrypt.sh


usage:

./letsencrypt.sh request|renew|revoke domain.com 4096 (/path/to/csr-request-config-file) (document_root)


but you shouldn't need to run it manually, as DA calls it automatically when the User triggers it through DA.

Note: when you run it through DA, the domain.com.san_config will contain more details than if you run it from SSH (the .san_config file is still created, but with less info).


======================

CONFIG FILES

/usr/local/directadmin/data/users/username/letsencrypt.key
    - L.E. account ID for this User. Only created once.

/usr/local/directadmin/data/users/username/domains/domain.com.cert.creation_time
    - contains the time the L.E. cert was created (to be automatically renewed every 90 days)

/usr/local/directadmin/data/users/username/domains/domain.com.cert.san_config
    - csr -config request info, used for creation and renewal.

/var/www/html/.well-known/acme-challenge
    - directory created by DA for the random challenge key file: letsencrypt=1

/home/user/domains/domain.com/public_html/.well-known/acme-challenge
    - challenge key file if letsencrypt=2

.htaccess
    - added to either document root to disable mod_rewrite, in case it's enabled higher up.

