Let's Encrypt automated free SSL certificate installs (SKINS)(LANG)

Quick install:

echo letsencrypt=1 >> /usr/local/directadmin/conf/directadmin.conf
cd /usr/local/directadmin/custombuild
./build update
./build letsencrypt
./build rewrite_confs

Functionality for the new Free Certificate Authority:

https://letsencrypt.org/

directadmin.conf option:

letsencrypt=0

where 0 is the internal default.

To enable this feature, use:

letsencrypt=1

Users can then access it from:

User Level -> SSL Certificates

where a 3rd certificate creation radio button will be created:

"Free & automatic certificate from Let's Encrypt"

in addition to the other 2 'self-signed' and 'create request' options.

There is an internal variable, set by default to:

letsencrypt_renewal_days=85

you shouldn't need to adjust this.

The certificates are only valid for 90 days, so DA starts trying to renew them 85 days in.

The renewal check is triggered at the end of the full tally every night. It looks at each domain.com.cert.creation_time file and checks whether the certificate is old enough to be renewed.
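The renewal-age decision described above, written out as an added example (this is not DirectAdmin's own tally code). It assumes that a domain.com.cert.creation_time file holds a Unix epoch timestamp and lives under /usr/local/directadmin/data/users/username/domains/; the threshold mirrors letsencrypt_renewal_days=85. The demo data at the bottom is constructed in a temporary directory.

```shell
#!/bin/sh
# Added example, not DirectAdmin's code: reproduces the nightly renewal-age
# check on domain.com.cert.creation_time files.
# Assumption: each file contains a Unix epoch timestamp (seconds).

RENEWAL_DAYS=85   # mirrors the letsencrypt_renewal_days=85 default

# needs_renewal <creation_time file> [now_epoch]
# Returns 0 when the certificate is at least RENEWAL_DAYS old,
# 1 when it is still fresh, 2 when the file is missing or not a number.
needs_renewal() {
    file="$1"
    now="${2:-$(date +%s)}"
    [ -f "$file" ] || return 2
    created=$(cat "$file")
    case "$created" in
        ''|*[!0-9]*) return 2 ;;   # empty or non-numeric: refuse to decide
    esac
    age_days=$(( (now - created) / 86400 ))
    [ "$age_days" -ge "$RENEWAL_DAYS" ]
}

# scan_domains <dir> [now_epoch]
# Prints, one per line, the domains whose certificate is due for renewal.
scan_domains() {
    dir="$1"
    now="${2:-$(date +%s)}"
    for f in "$dir"/*.cert.creation_time; do
        [ -e "$f" ] || continue
        d=$(basename "$f" .cert.creation_time)
        if needs_renewal "$f" "$now"; then
            echo "$d"
        fi
    done
}

# --- constructed demo data (stands in for a User's domains/ directory) ---
DEMO=$(mktemp -d)
NOW=1700000000   # fixed "now" so the result is reproducible
echo $((NOW - 86*86400)) > "$DEMO/old.example.cert.creation_time"   # 86 days old: renew
echo $((NOW - 30*86400)) > "$DEMO/new.example.cert.creation_time"   # 30 days old: keep
printf '' > "$DEMO/broken.example.cert.creation_time"                # empty file: skipped

scan_domains "$DEMO" "$NOW"   # prints only old.example
```

Treating an empty or malformed creation_time as "cannot decide" rather than "needs renewal" is deliberate: a bad file should be investigated, not turned into a burst of renewal requests that eats into the rate limit.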

You can alternatively use:

letsencrypt=2

to use:

/home/user/domains/domain.com/public_html/.well-known

but this method is not recommended, as it prevents the use of multi-domain certificates... use letsencrypt=1 :)

while:

letsencrypt=1

will use:

/var/www/html/.well-known

======================

ACTION REQUIRED

You must have the .well-known Alias pointing to /var/www/html/.well-known, so update your CustomBuild configs:

cd /usr/local/directadmin/custombuild
./build update
./build rewrite_confs

======================

RATE LIMIT

LetsEncrypt does have a rate limit, so you won't likely be able to secure hundreds of domains at the same time.

https://community.letsencrypt.org/t/quick-start-guide/1631

As of Jan 31st, 2016 the rates are:

Rate limit on registrations per IP is now 10 per 3 hours

Rate limit on certificates per Domain is now 5 per 7 days

but once the project becomes "stable", they'll likely increase the allowed rates.

======================

TASK.QUEUE

As mentioned above, the full tally handles the automated renewals of certificates that are about to expire.

If you want to run a renewal check manually, you can use:

echo "action=rewrite&value=letsencrypt" >> /usr/local/directadmin/data/task.queue

which will call the same function as the full tally calls.

Only domains whose certificates are about to expire will be updated.

======================

SCRIPTS:

/usr/local/directadmin/scripts/letsencrypt.sh

usage:

./letsencrypt.sh request|renew|revoke domain.com 4096 (/path/to/csr-request-config-file) (document_root)

but you shouldn't need to run it manually, as DA will call it automatically when the User triggers it through DA.

Note that when the script is run through DA, the domain.com.cert.san_config file will contain more details than when it is run from ssh (the .san_config file is still created, but with less info).

======================

CONFIG FILES

/usr/local/directadmin/data/users/username/letsencrypt.key - L.E. account ID for this User. Only created once.

/usr/local/directadmin/data/users/username/domains/domain.com.cert.creation_time - contains time L.E. cert was created (to be automatically renewed every 90 days)

/usr/local/directadmin/data/users/username/domains/domain.com.cert.san_config - csr -config request info, used for creation and renewal.

/var/www/html/.well-known/acme-challenge - directory created by DA for the random challenge key file: letsencrypt=1

/home/user/domains/domain.com/public_html/.well-known/acme-challenge - challenge key file if letsencrypt=2

.htaccess - added to either document root to disable mod_rewrite, in case it's enabled higher up.

======================

SKINS

user/ssl.html

added a 3rd radiobox:

|*if LETSENCRYPT="1"|

<br><input type=radio name=request value="letsencrypt" disabled>Free & automatic certificate from <a class='listtitle' target=_blank href="https://letsencrypt.org/">Let's Encrypt</a></td>

|*endif|


Show if LE is in use:

|*if LETSENCRYPT_RENEWAL_DAYS!=""|

<div style='padding: 20px; font-weight: bold;'>|LANG_LETSENCRYPT_IN_USE_AUTO_RENEWAL| |LETSENCRYPT_RENEWAL_DAYS| |LANG_LETSENCRYPT_DAYS|.</div>

|*endif|

======================

LANG

lang/en/user/ssl.html

LANG_FREE_LETS_ENCRYPT=Free & automatic certificate from

LANG_LETSENCRYPT_IN_USE_AUTO_RENEWAL=Let's Encrypt in use. Auto-renewal in

LANG_LETSENCRYPT_DAYS=Days

lang/en/internal/ssl.txt

28=Let's Encrypt is not enabled. You cannot use this option.

29=Invalid keysize. Valid values: %s

30=Unable to create %s: %s

=====================

TROUBLESHOOTING

Reported issue with curl's ca-certificates where this command was required:

update-ca-certificates

If you see something like this in the output:

Getting challenge for domain.com from acme-server...

/usr/local/directadmin/scripts/letsencrypt.sh: 279: [: Illegal number:

/usr/local/directadmin/scripts/letsencrypt.sh: 295: [: Illegal number:

this is caused by an empty HTTP_STATUS variable, because curl could not verify the server with the broken ca-certificates.
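An added example (not taken from letsencrypt.sh) of the failure mode above and of the guard that turns it into a clear diagnostic. The variable name HTTP_STATUS comes from the page; the curl invocation in fetch_status and the function names are illustrative assumptions.

```shell
#!/bin/sh
# Added example, not DirectAdmin's code. Shows why an empty HTTP_STATUS makes
# "[ ... -eq ... ]" fail with "[: Illegal number" and how to guard it.

# fetch_status <url>: prints the HTTP status code of the response.
# When curl itself fails (for example TLS verification with a broken
# ca-certificates bundle), the value can be empty or "000", never 200.
fetch_status() {
    curl -s -o /dev/null -w '%{http_code}' "$1" 2>/dev/null || true
}

# The unguarded form, as in the reported failure:
#   HTTP_STATUS=""; [ "$HTTP_STATUS" -eq 200 ]   ->  [: Illegal number:

# check_status <status>: 0 when the ACME server answered 200,
# 2 when the status is empty, non-numeric or "000" (transport/TLS problem),
# 1 for any other HTTP status.
check_status() {
    status="$1"
    case "$status" in
        ''|000|*[!0-9]*)
            echo "no HTTP status from curl: transport/TLS failure, check ca-certificates" >&2
            return 2 ;;
    esac
    [ "$status" -eq 200 ]
}

# Constructed demonstration values (no network needed):
for s in 200 404 "" 000; do
    if check_status "$s"; then
        echo "status '$s': challenge fetched"
    else
        echo "status '$s': not OK (exit $?)"
    fi
done
```

Exit code 2 is reserved for "curl gave no usable answer", so a wrapper can stop and point at the CA bundle instead of retrying the challenge and burning rate-limit budget.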

Reported issue of DNSSEC possibly causing this error:

"Challenge is invalid. Details: DNS problem: SERVFAIL looking up A for server.domain.com. Exiting..."

but only after confirming that the A record for server.domain.com works correctly.