Renewal in combination with directadmin


#1

Hi,

On:

https://letsencrypt.org/howitworks/

They are saying:

“To renew a certificate, simply run letsencrypt again providing the same values when prompted. Let’s Encrypt is working hard to fully automate this process and we apologize for the inconvenience until this functionality is ready.”

But on:

https://letsencrypt.readthedocs.org/en/latest/using.html#renewal1

There they are already giving some more options, but totally not with a clear explanation for newbies :wink:.

The “tutorial” I followed is:

https://raymii.org/s/articles/Lets_Encrypt_Directadmin.html

I copy / paste the content of the certificate files in Directadmin. But in the “tutorial” they are saying:

Installing the certificates -> “As we can see they symlinked the files there. If you configure your own webserver manually, you can give these files as the location in your Apache or nginx config. When you renew the certificate later on, you don’t have to update the webserver config, just a reload/restart.”

So for easy renewal I think I have to do that, right?

With Directadmin I can change “Custom HTTPD Configurations” for a specific domain. For example I can change:

SSLCertificateFile /usr/local/directadmin/data/users/MYUSERNAME/domains/MYDOMAIN.nl.cert
SSLCertificateKeyFile /usr/local/directadmin/data/users/MYUSERNAME/domains/MYDOMAIN.nl.key
SSLCACertificateFile /usr/local/directadmin/data/users/MYUSERNAME/domains/MYDOMAIN.nl.cacert

But what do I have to change it to? Letsencrypt is making 4 files: privkey.pem, fullchain.pem, chain.pem, cert.pem, but there are only 3 files: MYDOMAIN.nl.cert, MYDOMAIN.nl.key, MYDOMAIN.nl.cacert

And what else do I have to do to arrange that the certificates will renew automatically? Are there somewhere some examples of cronjobs or something like that? I am familiar with PHP, but not that much with server side things like Letsencrypt.


#2

They are also giving you the hint --help all which probably gives you the answers you’re looking for.

Also, you said you’ve already installed the certificates in DirectAdmin. At least I’m assuming your “I copy / paste” equals “installed”… Why would you bother with Custom HTTPD Configurations for a specific domain? Do you need that?


#3

Yeah, they are saying: “You can automate it slightly by passing necessary flags on the CLI (see --help all)”. But that’s not clear to newbies like me. What do I have to put that flag behind? I don’t even know what they mean by CLI, client?

Just to try, now I did:

“./letsencrypt-auto --help all --debug”

But then it was updating letsencrypt and not only showing the help documentation. I was reading the flags a bit, but it’s not making it very clear to me. I miss some examples / a tutorial of the basics of how to do it.

And about:

‘At least I’m assuming your “I copy / paste” equals “installed”’

I followed the instructions at:

https://raymii.org/s/articles/Lets_Encrypt_Directadmin.html

At the end I got the content of the certificates and I have to copy / paste them in Directadmin like they are saying there. But if I am thinking of it…you don’t want to copy / paste the content of the certificates every time when you have to renew. So probably you just have to put the direct locations of the files in the “Custom HTTPD Configurations”. That’s why I think I need that, but that’s actually also my question. And if I don’t need them…how else can I arrange the renewal without copy / pasting the content of the certificates every time in Directadmin, because then I can also not make a cronjob or something?

And at the end I want some auto renewal, so probably I need to make a kind of cronjob, but how, and are there examples of that?

p.s. To make it more clear…I already did a test to renew it and it’s kind of working, but with “a lot” of manual actions:

  • Command by hand
  • After the command you are getting some options and I selected to renew.
  • Then I had to watch the content of the generated files and copy / paste them to Directadmin.

But that’s manual and at the end I want to make it automatic.


#4

And yes, if you want to fully automate your renewal, obviously copy/pasting certificates won’t work.

I’m not that familiar with DirectAdmin to advise you with manually installing certificates like the guide tells you: I think DirectAdmin can be installed on many different server configurations, so perhaps you won’t find the same configuration options like the guide has. Or perhaps you do. I have no clue.

If you add the --renew-by-default switch to the “Command by hand”, you shouldn’t have to “select to renew”. In fact, every option you’re getting after the “Command by hand” you should be able to set/get rid of by some sort of switch on the CLI.


#5

Yeah, I googled it, so probably they mean “Command-line-interface” in this case.

And I am aware of the --renew-by-default flag. I can use it in a cronjob later on, so I will not get the options back.

But I followed the guide and everything is working, but in that guide they don’t give more explanation about auto renewal. They are saying this:

As we can see they symlinked the files there. If you configure your own webserver manually, you can give these files as the location in your Apache or nginx config. When you renew the certificate later on, you don’t have to update the webserver config, just a reload/restart.

That’s where I am stuck…I don’t know how to do that exactly. If I have that then later on I can try to make a cronjob to do the rest of the job (I think).


#6

Do you know your distribution? Do you know your used webserver software?


#7

I am running on CentOS release 6.7, is that what you mean? Also “DirectAdmin 1.49.1” / “Apache 2.4.17”…


#8

Might I suggest some Google search keywords like “CentOS 6.7 Apache SSL”? For example, the top result is Setting up an SSL secured Webserver with CentOS.

Of course, you don’t have to follow that guide from top to bottom literally (for example, you already have a certificate and private key, so you don’t have to generate one again), but you should be able to use the information in it.

Important note: everywhere, in every guide, if they refer to SSLCertificateFile, you should direct that directive to the fullchain.pem in your /live/ directory. Because your Apache version is sufficiently new, you won’t need SSLCertificateChainFile (if that’s indicated in a guide) if you use fullchain.pem. If you don’t refer to fullchain.pem, but to cert.pem, you do need SSLCertificateChainFile to refer to chain.pem.
Do not set SSLCACertificateFile if you are not using certificates for client authentication.

You can read more about the meaning of all those SSLbladiebla directives on: http://httpd.apache.org/docs/2.4/mod/mod_ssl.html You should read it.


#9

I checked: https://wiki.centos.org/HowTos/Https

I think it’s the same as what DirectAdmin is doing automatically. And DirectAdmin is setting up the VirtualHost. If I am watching the “Custom HTTPD Configurations” later on I see something like:

SSLCertificateFile /usr/local/directadmin/data/users/MYUSERNAME/domains/MYDOMAIN.nl.cert
SSLCertificateKeyFile /usr/local/directadmin/data/users/MYUSERNAME/domains/MYDOMAIN.nl.key
SSLCACertificateFile /usr/local/directadmin/data/users/MYUSERNAME/domains/MYDOMAIN.nl.cacert

So I think I can also just change those locations at the end, by changing the “Custom HTTPD Configurations”. Then I know the settings are anyway correct, because DirectAdmin is doing it.

With letsencrypt I got: privkey.pem, fullchain.pem, chain.pem, cert.pem

You’re saying that I can ignore chain.pem, so probably I can change the location of MYDOMAIN.nl.cert to the letsencrypt location fullchain.pem. And in the same way MYDOMAIN.nl.key -> privkey.pem and MYDOMAIN.nl.cacert -> cert.pem

But I don’t know if that’s correct and if I can do it like that. And the letsencrypt files are in the “etc” directory, so I also don’t know if that will give problems. Now the files are somewhere in a directory of the domain path.
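
The directive rules from post #8, run against the mapping proposed in post #9, as an added example that is not part of the thread or of any poster's code. The function name `lint_ssl_directives` and the path `/etc/letsencrypt/live/example.nl` are assumptions for illustration; the "not under live/" check reflects the tutorial's point that only the symlinked files follow a renewal.

```python
import posixpath
import re

# Matches the four mod_ssl directives discussed in the thread, one per line.
# Commented-out lines (starting with '#') are not matched.
DIRECTIVE = re.compile(
    r'^[ \t]*(SSLCertificateFile|SSLCertificateKeyFile|'
    r'SSLCertificateChainFile|SSLCACertificateFile)[ \t]+"?([^"\s]+)"?',
    re.IGNORECASE | re.MULTILINE)

def lint_ssl_directives(conf):
    """Return a list of findings for one vhost's certificate directives."""
    seen = {name.lower(): path for name, path in DIRECTIVE.findall(conf)}
    findings = []
    cert = seen.get("sslcertificatefile", "")
    key = seen.get("sslcertificatekeyfile", "")
    chain = seen.get("sslcertificatechainfile", "")
    for label, path in (("SSLCertificateFile", cert), ("SSLCertificateKeyFile", key)):
        if not path:
            findings.append(f"{label} is missing")
        elif "/live/" not in path:
            findings.append(f"{label} is not under live/: a renewal will not reach it")
    cert_name = posixpath.basename(cert)
    if cert_name == "cert.pem" and posixpath.basename(chain) != "chain.pem":
        # Leaf certificate only: the intermediate must be supplied separately.
        findings.append("cert.pem needs SSLCertificateChainFile -> chain.pem")
    elif cert_name in ("chain.pem", "privkey.pem"):
        findings.append(f"SSLCertificateFile must not point at {cert_name}")
    if key and "/live/" in key and posixpath.basename(key) != "privkey.pem":
        findings.append("SSLCertificateKeyFile should point at privkey.pem")
    if "sslcacertificatefile" in seen:
        findings.append("SSLCACertificateFile is only for client-certificate "
                        "authentication; remove it")
    return findings

# Constructed input: the mapping proposed in post #9, with a placeholder path.
LIVE = "/etc/letsencrypt/live/example.nl"
POST9 = f"""
SSLCertificateFile {LIVE}/fullchain.pem
SSLCertificateKeyFile {LIVE}/privkey.pem
SSLCACertificateFile {LIVE}/cert.pem
"""

if __name__ == "__main__":
    for finding in lint_ssl_directives(POST9):
        print("finding:", finding)
```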