Functionality for the new Free Certificate Authority:
To enable this feature, use:
echo letsencrypt=1 >> /usr/local/directadmin/conf/directadmin.conf
Users can then access it from:
User Level -> SSL Certificates
where a 3rd certificate-creation radio button will be shown:
"Free & automatic certificate from Let's Encrypt"
in addition to the existing 'self-signed' and 'create request' options.
There is an internal variable, set by default to:
You shouldn't need to adjust this.
The certificates are only valid for 90 days, so DA starts trying to renew them 85 days in.
The renewal check is triggered at the end of the full tally every night: it looks at each domain.com.cert.creation_time file and checks whether the certificate is old enough to renew.
You can alternatively use:
letsencrypt=2
to place the challenge file under the domain's own document root, but this method is not recommended, as it prevents the use of multi-domain certificates... use letsencrypt=1 to use /var/www/html/.well-known
You must have the .well-known Alias pointing to /var/www/html/.well-known, so update your CustomBuild configs:
LetsEncrypt does have a rate limit, so you won't likely be able to secure hundreds of domains at the same time.
https://community.letsencrypt.org/t/qui ... guide/1631
As of Jan 31st, 2016 the rates are:
Rate limit on registrations per IP is now 10 per 3 hours
Rate limit on certificates per Domain is now 5 per 7 days
but once the project becomes "stable", they'll likely increase the allowed rates.
As mentioned above, the full tally handles the automated renewals for certificates that are about to expire.
If you want to run a renewal check manually, you can use:
echo "action=rewrite&value=letsencrypt" >> /usr/local/directadmin/data/task.queue
which will call the same function as the full tally calls.
Only domains whose certificates are about to expire will be updated.
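The following is an added example, not DirectAdmin's own code: a read-only audit that reproduces the "is it old enough" check the nightly tally performs on the domain.com.cert.creation_time files, so an admin can see which certificates are due before the tally runs. It assumes (not stated on the page) that the file holds a unix epoch timestamp, and uses the 85-day threshold mentioned above.

```shell
#!/bin/sh
# Added example (not DirectAdmin's code). Assumptions: creation_time files
# contain a unix epoch timestamp; renewal is due at RENEWAL_DAYS (85).
RENEWAL_DAYS=${RENEWAL_DAYS:-85}
DA_USERS=${DA_USERS:-/usr/local/directadmin/data/users}

# days_since EPOCH NOW -> prints whole days elapsed between the two timestamps
days_since() {
    echo $(( ($2 - $1) / 86400 ))
}

# renewal_due FILE NOW -> 0 if the cert recorded in FILE is RENEWAL_DAYS old
# or older, 1 if it is still fresh, 2 if FILE is missing or not a number
renewal_due() {
    created=$(tr -d '[:space:]' < "$1" 2>/dev/null) || return 2
    case "$created" in ''|*[!0-9]*) return 2 ;; esac
    [ "$(days_since "$created" "$2")" -ge "$RENEWAL_DAYS" ]
}

# audit_renewals NOW -> prints "user domain age_days" for every cert that is due
audit_renewals() {
    for f in "$DA_USERS"/*/domains/*.cert.creation_time; do
        [ -f "$f" ] || continue
        user=$(basename "$(dirname "$(dirname "$f")")")
        domain=$(basename "$f" .cert.creation_time)
        if renewal_due "$f" "$1"; then
            echo "$user $domain $(days_since "$(cat "$f")" "$1")"
        fi
    done
}

# Constructed sample tree (fake users/domains) so the audit runs offline:
# alice's cert is 86 days old (due), bob's is 10 days old (not due).
setup_sample() {
    DA_USERS=$(mktemp -d)
    mkdir -p "$DA_USERS/alice/domains" "$DA_USERS/bob/domains"
    echo $(( $1 - 86 * 86400 )) > "$DA_USERS/alice/domains/example.com.cert.creation_time"
    echo $(( $1 - 10 * 86400 )) > "$DA_USERS/bob/domains/example.net.cert.creation_time"
}

if [ "${1:-}" = "--demo" ]; then
    NOW=$(date +%s); setup_sample "$NOW"; audit_renewals "$NOW"
fi
```

Run it with `--demo` to see the constructed sample, or without arguments after sourcing it and calling `audit_renewals "$(date +%s)"` against the real data directory.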
./letsencrypt.sh request|renew|revoke domain.com 4096 (/path/to/csr-request-config-file) (document_root)
but you shouldn't need to run it manually, as DA will call it automatically when the User triggers it through DA.
Note: when you run it through DA, the domain.com.san_config will contain more details than when you run it from ssh (the .san_config will still be created, but with less info).
/usr/local/directadmin/data/users/username/letsencrypt.key - L.E. account ID for this User. Only created once.
/usr/local/directadmin/data/users/username/domains/domain.com.cert.creation_time - contains time L.E. cert was created (to be automatically renewed every 90 days)
/usr/local/directadmin/data/users/username/domains/domain.com.cert.san_config - csr -config request info, used for creation and renewal.
/var/www/html/.well-known/acme-challenge - directory created by DA for the random challenge key file: letsencrypt=1
/home/user/domains/domain.com/public_html/.well-known/acme-challenge - challenge key file if letsencrypt=2
.htaccess - added to either document root to disable mod_rewrite, in case it's enabled higher up.
Added a 3rd radio box:
<br><input type=radio name=request value="letsencrypt" disabled>Free & automatic certificate from <a class='listtitle' target=_blank href="https://letsencrypt.org/">Let's Encrypt</a></td>
Show if LE is in use:
<div style='padding: 20px; font-weight: bold;'>|LANG_LETSENCRYPT_IN_USE_AUTO_RENEWAL| |LETSENCRYPT_RENEWAL_DAYS| |LANG_LETSENCRYPT_DAYS|.</div>
LANG_FREE_LETS_ENCRYPT=Free & automatic certificate from
LANG_LETSENCRYPT_IN_USE_AUTO_RENEWAL=Let's Encrypt in use. Auto-renewal in
28=Let's Encrypt is not enabled. You cannot use this option.
29=Invalid keysize. Valid values: %s
30=Unable to create %s: %s
Reported issue with curl's ca-certificates where this command was required:
If you see something like this in the output:
Getting challenge for domain.com from acme-server...
/usr/local/directadmin/scripts/letsencrypt.sh: 279: [: Illegal number:
/usr/local/directadmin/scripts/letsencrypt.sh: 295: [: Illegal number:
it is caused by an empty HTTP_STATUS variable, a result of the broken ca-certificates for curl.
Reported issue of DNSSEC possibly causing this error:
"Challenge is invalid. Details: DNS problem: SERVFAIL looking up A for server.domain.com. Exiting..."
but only after confirming that the A record for server.domain.com works correctly.