Let's Encrypt with DirectAdmin or other Web Control Panels

Published: 11-1-2015 | Last update: 24-02-2016 | Author: Remy van Elst

Let's Encrypt is a new certificate authority, recognized by all major browsers. They make it a breeze to set up TLS certificates for your web server. And for free! Let's Encrypt is supported by major players like Mozilla, Akamai, Cisco, the EFF, the Internet Security Research Group and others. Let's Encrypt provides free, automatic and secure certificates so that every website can be secured with an SSL certificate.

Note: DirectAdmin has this built in since version 1.50. I've written a new guide to set it up via the built-in automatic way here. This article is still relevant for the manual way or for other control panels, but the automatic way is much easier.

This article shows you how to set up Let's Encrypt with the DirectAdmin web control panel. The guide is generic, so it works for other control panels as well.

If you like this article, consider sponsoring me by trying out a Digital Ocean VPS. With this link you'll get $100 credit for 60 days. (referral link)

First we talk a little bit about what Let's Encrypt is and how it works. We close off with the actual certificate generation and installation.

For now it works with the beta, and requires some Linux knowledge and root access to the hosting server. So this guide might change later on when the final version is released. Also, Let's Encrypt tries to be as automatic as possible. It is however not yet able to update the Apache (webserver) configuration for DirectAdmin. We therefore manually generate the certificate and use DirectAdmin to place it under a website.

In the future this will hopefully be automated away. We do symlink the certificate files after creation, which will make renewing them easier.

This guide also works for any generic web service where you need a certificate (PEM) and a private key (PEM) file. The tutorial uses the certonly option, which gets us these files. You can skip the DirectAdmin part and place (symlink) the files in your Apache, NGINX or Lighttpd configuration and be done with it.

What is Let's Encrypt

For Let's Encrypt to issue you a certificate, you must prove to them that you control the domain. If we own the domain, we can do this with a series of challenge-response transactions, which is part of the ACME protocol. Let's Encrypt explains this process well.

With the ACME protocol there is an automated way to securely generate, renew and revoke certificates.

The key principles behind Let's Encrypt are:

Beta Program

Let's Encrypt is in beta right now. This means it might not work, or might not work as expected. So don't use it on production just yet.

If you really need an SSL certificate, GoGetSSL provides the cheapest ones, $3 something for a whole year Comodo domain validation certificate. Other providers as well, no sponsoring here. (no referral link)

Since the 3rd of December 2015 the closed beta is over and you don't need an invite anymore. There are limits on the API though:

~~Read the article here on the beta program: https://community.letsencrypt.org/t/beta-program-announcements/1631 and follow the instructions to sign up. I've got my invitation about 3 days after I signed up, yours might be faster.~~

Installing the Let's Encrypt Client

The installation is pretty straightforward. It does require SSH access to your DirectAdmin host, so that might not be available if you're on a shared hosting server. There is a manual way to authenticate the domain, which is also explained. You can run the client somewhere else and place the result, via SFTP, on your shared hosting account to complete the challenge.

First make sure you have git installed:

```shell
# ubuntu & debian
apt-get install git
# centos & redhat
yum install git
```

Clone the Let's Encrypt code:

```shell
git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt
```

Since December 2015 the client supports the --webroot option, so your webserver doesn't need to be brought down.

The part below no longer applies.

~~Now, Let's Encrypt binds to the HTTP port (80) to do the Domain Validation sequence. You must stop your web server for a few moments to do this. Your website will be offline, but it will be for a minute at max.~~ ~~DirectAdmin also has a service monitor where we must indicate that HTTPD is offline, otherwise it will restart it and the process might fail:~~

```shell
sed -i 's/httpd=ON/httpd=OFF/g' /usr/local/directadmin/data/admin/services.status
service httpd stop
```

~~If you don't want to or are not able to take down all sites or bind to port 80, scroll down for a manual command.~~

If you are not able to execute the client on the actual webserver, for example on a shared hosting account without SSH, or if you are behind a firewall or load balancer, read on below for a manual method.

You need to provide your webroot path. The client places the authentication challenge files there to do the actual certificate domain ownership validation. You can find that in your webserver configuration. For DirectAdmin it's like this: /home/USERNAME/domains/DOMAIN.EXT/public_html.

Also don't forget to fill in your correct email address.

Execute the Let's Encrypt command to get the certificate:

```shell
./letsencrypt-auto --server https://acme-v01.api.letsencrypt.org/directory certonly --agree-tos --email 'user@domain.tld' --webroot --webroot-path '/home/certmon/domains/certificatemonitor.org/public_html/' -d certificatemonitor.org -d www.certificatemonitor.org
```

If you are using an older Python version, for example Python 2.6 on CentOS 6, add the --debug option as the client will tell you.

If you need a certificate with multiple subdomains or with both www.domain.tld and domain.tld, specify the -d domain option multiple times. Make sure the webroot is the same. If you only need one domain, change the example and remove the last -d option.

The client will then do a bit of work with the Let's Encrypt service to validate domain ownership.

If all goes well it will print out the below message:

```
Version: 1.1-20080819
Version: 1.1-20080819
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/certificatemonitor.org/fullchain.pem. Your cert
   will expire on 2016-03-06. To obtain a new version of the
   certificate in the future, simply run Let's Encrypt again.
 - If like Let's Encrypt, please consider supporting our work by:
   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
```

If not, try again. Otherwise you might be hit by a beta bug.

Now turn on the webserver:

```shell
sed -i 's/httpd=OFF/httpd=ON/g' /usr/local/directadmin/data/admin/services.status
service httpd start
```

I had to disable the CloudFlare protection service; before that I got the following error:

```
FailedChallenges: Failed authorization procedure. www.certificatemonitor.org (dvsni): tls :: The server experienced a TLS error during DV :: Failed to connect to host for DVSNI challenge, certificatemonitor.org (dvsni): tls :: The server experienced a TLS error during DV :: Failed to connect to host for DVSNI challenge
```

You now have the certificate from Let's Encrypt. Let's proceed with the installation.

Manual mode

If you have a load balancer or something else where you run the client NOT on the actual webserver, you can use the -a manual command line flag. You enter your email and domain, then the program displays the following:

```
Make sure your web server displays the following content at
http://www.certificatemonitor.org/.well-known/acme-challenge/1Qm[...]NHr0 before continuing:

1Qm[...]SA8

Content-Type header MUST be set to text/plain.

If you don't have HTTP server configured, you can run the following
command on the target server (as root):

mkdir -p /tmp/letsencrypt/public_html/.well-known/acme-challenge
cd /tmp/letsencrypt/public_html
printf "%s" 1Qm[...]SA8 > .well-known/acme-challenge/1Qm[...]Hr0
# run only once per server:
$(command -v python2 || command -v python2.7 || command -v python2.6) -c \
"import BaseHTTPServer, SimpleHTTPServer; \
SimpleHTTPServer.SimpleHTTPRequestHandler.extensions_map = {'': 'text/plain'}; \
s = BaseHTTPServer.HTTPServer(('', 80), SimpleHTTPServer.SimpleHTTPRequestHandler); \
s.serve_forever()"
```

Do not press ENTER just yet. Create or upload the requested page to your domain (via SFTP, for example) and test it in a browser. You might want to use the python command. You can also use curl:

```shell
curl http://www.certificatemonitor.org/.well-known/acme-challenge/1Qm[...]NHr0
```

If you get the requested string back you're good to go. Press ENTER on the prompt and the validation will occur. If you placed the file in the correct place, it will succeed with the same output as above. If it failed, you will receive an Authorization Error.
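The curl check above only shows whether some body comes back. The script below, added here as an example and not part of the original article, also verifies the two things the client's instructions ask for: an HTTP 200 with a text/plain Content-Type, and a body that matches the key authorization string (the 1Qm[...]SA8 value) byte for byte, so a stray trailing newline from an editor is caught before you press ENTER. It assumes curl and a POSIX shell on the machine you run it from.

```shell
# Added example, not code from the article or the Let's Encrypt client.
# Checks a manual-mode challenge response the way a validator would see it.

# Inspect a captured HTTP response.
#   $1 = file with the response headers (curl -D)
#   $2 = file with the response body    (curl -o)
#   $3 = the key authorization string the client told you to publish
# Returns 0 only when the status is 200, Content-Type is text/plain and the
# body equals the expected string exactly (no trailing newline).
check_challenge_response() {
    status=$(head -n 1 "$1" | awk '{ print $2 }')
    if [ "$status" != 200 ]; then
        echo "got HTTP $status, expected 200" >&2
        return 1
    fi
    # prefix match, so "text/plain; charset=utf-8" is accepted too
    if ! grep -iq '^content-type:[[:space:]]*text/plain' "$1"; then
        echo "Content-Type header is not text/plain" >&2
        return 1
    fi
    # printf '%s' writes no newline, exactly like the client's own instructions
    if ! printf '%s' "$3" | cmp -s - "$2"; then
        echo "body differs from the expected key authorization" >&2
        return 1
    fi
}

# Fetch the challenge URL (no redirects followed) and run the checks above.
#   $1 = http://DOMAIN/.well-known/acme-challenge/TOKEN   $2 = expected body
check_challenge_url() {
    tmp=$(mktemp -d) || return 1
    curl -sS -o "$tmp/body" -D "$tmp/headers" "$1" || { rm -rf "$tmp"; return 1; }
    check_challenge_response "$tmp/headers" "$tmp/body" "$2"
    rc=$?
    rm -rf "$tmp"
    return "$rc"
}
```

Run it as `check_challenge_url 'http://www.example.org/.well-known/acme-challenge/TOKEN' 'TOKEN.THUMBPRINT'` with the values from your own client output; a zero exit status means the file is served correctly.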

If you use the python script or watch your logs, you'll see something like this during the verification:

```
outbound1.letsencrypt.org - - [07/Nov/2015 15:34:01] "GET /.well-known/acme-challenge/1Qm[...]Hr0 HTTP/1.1" 200 -
```

After succeeding, read on to install the certificates.

Installing the certificates

We generated a certificate, Let's Encrypt validated us and returned the certificates, all automatically. The certificates are placed on your system and you can check them with the following command:

```shell
ls -la /etc/letsencrypt/live/certificatemonitor.org/
```

Replace certificatemonitor.org with your own domain. Output:

```
total 8
drwx------ 3 root root 4096 Nov  7 07:26 ..
lrwxrwxrwx 1 root root   49 Nov  7 07:34 privkey.pem -> ../../archive/certificatemonitor.org/privkey2.pem
lrwxrwxrwx 1 root root   51 Nov  7 07:34 fullchain.pem -> ../../archive/certificatemonitor.org/fullchain2.pem
lrwxrwxrwx 1 root root   47 Nov  7 07:34 chain.pem -> ../../archive/certificatemonitor.org/chain2.pem
lrwxrwxrwx 1 root root   46 Nov  7 07:34 cert.pem -> ../../archive/certificatemonitor.org/cert2.pem
```

As we can see, the client symlinked the files there. If you configure your own webserver manually, you can give these files as the location in your Apache or nginx config. When you renew the certificate later on, you don't have to update the webserver config, just do a reload/restart.

Get the contents of the certificate, private key and chain with the following commands. Remember to replace certificatemonitor.org with your domain:

```shell
cat /etc/letsencrypt/live/certificatemonitor.org/cert.pem
cat /etc/letsencrypt/live/certificatemonitor.org/privkey.pem
cat /etc/letsencrypt/live/certificatemonitor.org/chain.pem
```

Save the contents in a text editor somewhere, you need these in DirectAdmin.

After you've installed the certificates in the control panel (DirectAdmin), we need to symlink those files to the Let's Encrypt files so that auto renewal works better. We do need to install them via the control panel first so that the configuration gets updated in the correct way. Most control panels overwrite manual changes.

Log in to your DirectAdmin control panel and navigate to your website. Under "Advanced Features" click "SSL Certificates".

Select the radio button for the "Paste a pre-generated certificate and key" option. In the text field below, first paste the contents of the cert.pem file. Below that, paste the contents of the privkey.pem file.

Click the Save button. Now go back to the main domain screen, and navigate to "Advanced Features" --> "SSL Certificates" again. Scroll down and open the link "Click Here to paste a CA Root Certificate". Mark the checkbox "Use a CA Cert." and paste the contents of the chain.pem file there:

Click the Save button.

If you haven't already enabled SSL for your domain, do that now. Navigate to the main domain screen. Click "Domain Setup". Open your domain. Mark the "Secure SSL" checkbox and click the Save button. Now, under "private_html setup for certificatemonitor.org - (SSL must be enabled above)", mark the radio button "Use a symbolic link from private_html to public_html - allows for same data in http and https" and click the Save button again:

Now navigate to https://yourdomain and behold Let's Encrypt in all its glory. Well, actually, you should just see your own website with a valid SSL certificate:

You can check it with an SSL validator like the SSL Server Test from Qualys SSL Labs or my own SSL test: https://ssldecoder.org.

Make sure to also set up a secure cipher list and other secure SSL settings. Read up on the current best practice here: https://cipherli.st.

For other control panels, like cPanel, VestaCP, Plesk and Webmin, this process is the same. Look up their documentation on installing a certificate, and use the files Let's Encrypt generated for you.

We're now going to symlink the certificates so that auto renewal works when the Let's Encrypt client supports it. Because we symlink, the files will be updated automatically. We do need to install the certificates the control-panel way first, otherwise our manual changes might be overwritten.

You need to check the Apache configuration to find the certificate file paths. Use httpd -S to get the current configuration in use. Some distros use apachectl -S instead of httpd -S:

```shell
httpd -S 2>&1 | grep 443 | grep certificatemonitor
```

Example output:

```
port 443 namevhost www.certificatemonitor.org (/usr/local/directadmin/data/users/certmon/httpd.conf:55)
```

Use the following command to get the SSL certificate file locations from the config file:

```shell
grep SSL /usr/local/directadmin/data/users/certmon/httpd.conf
```

Example output:

```
SSLEngine on
SSLCertificateFile /usr/local/directadmin/data/users/certmon/domains/certificatemonitor.org.cert
SSLCertificateKeyFile /usr/local/directadmin/data/users/certmon/domains/certificatemonitor.org.key
SSLCACertificateFile /usr/local/directadmin/data/users/certmon/domains/certificatemonitor.org.cacert
```

With the following commands we symlink the certificates to the Let's Encrypt path:

```shell
# remember, ln -s syntax is: ln -s /path/to/file /path/to/symlink
ln -s /etc/letsencrypt/live/certificatemonitor.org/cert.pem /usr/local/directadmin/data/users/certmon/domains/certificatemonitor.org.cert
ln -s /etc/letsencrypt/live/certificatemonitor.org/privkey.pem /usr/local/directadmin/data/users/certmon/domains/certificatemonitor.org.key
ln -s /etc/letsencrypt/live/certificatemonitor.org/chain.pem /usr/local/directadmin/data/users/certmon/domains/certificatemonitor.org.cacert
```

If you get an error about a file already existing, remove the files first before creating the symlink.
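One way to combine the grep for the SSL directives with the three ln -s commands, written as an added example rather than code from the article: it reads the SSLCertificateFile, SSLCertificateKeyFile and SSLCACertificateFile paths from the vhost's httpd.conf instead of assuming the DirectAdmin layout (so it also works for the other panels mentioned above), and it moves any existing regular file to a .bak copy instead of deleting it, which avoids the "file already exists" error without losing what the control panel wrote. The domain, the config file and the /etc/letsencrypt/live root are its parameters; a POSIX shell with awk, ln and mv is assumed.

```shell
# Added example, not code from the article or from DirectAdmin.
# Usage: link_le_cert certificatemonitor.org /path/to/httpd.conf /etc/letsencrypt/live

# Print the value of an Apache directive from a config file (first match).
conf_value() {            # $1 = config file, $2 = directive name
    awk -v d="$2" '$1 == d { print $2; exit }' "$1"
}

# Replace the file Apache uses with a symlink to the Let's Encrypt file.
link_one() {              # $1 = Let's Encrypt source, $2 = path from httpd.conf
    [ -f "$1" ] || { echo "missing $1, run the client first" >&2; return 1; }
    if [ -e "$2" ] && [ ! -L "$2" ]; then
        mv "$2" "$2.bak"  # keep the control panel's copy instead of deleting it
    fi
    ln -sf "$1" "$2"      # -f also replaces a symlink left by an earlier run
}

# Link cert, key and chain for one domain.
#   $1 = domain, $2 = Apache vhost config, $3 = Let's Encrypt live directory root
link_le_cert() {
    live="$3/$1"
    cert=$(conf_value "$2" SSLCertificateFile)
    key=$(conf_value "$2" SSLCertificateKeyFile)
    ca=$(conf_value "$2" SSLCACertificateFile)
    if [ -z "$cert" ] || [ -z "$key" ] || [ -z "$ca" ]; then
        echo "no SSL directives found in $2, enable SSL in the panel first" >&2
        return 1
    fi
    link_one "$live/cert.pem" "$cert" &&
    link_one "$live/privkey.pem" "$key" &&
    link_one "$live/chain.pem" "$ca"
}
```

After it returns 0, reload or restart httpd as described above; running it again after a renewal is harmless, since it only re-points the symlinks.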

That's it! You're done, you've installed a valid Let's Encrypt certificate for your domain. Awesome!

Just one more important thing.

Renewing your certificate

After 90 days, your certificate expires. With Let's Encrypt, that is not a problem. Why? Because the goal of the project is to automate this whole process. When the product is finished and out of beta, it will renew the certificate automatically when it is about to expire, so you don't have to do anything.

For now, that is not the case, since we're running the beta. Your certificate will expire in 90 days. Make sure to set up a reminder in your calendar a few days before, or use my certificate expiry reminder service: https://certificatemonitor.org/. (That will send you a few mails before your certificate expires.)

When the 90 days are almost up, come back to this page and execute the Let's Encrypt command again with the correct domain and webroot options. You'll be asked if you want to renew; agree, and the certificate will be renewed. Then restart the webserver via service httpd restart. Repeat this for all certificates.

If you like this article, consider sponsoring me by trying out a Digital Ocean VPS. With this link you'll get a $5 VPS for 2 months free (as in, you get $10 credit). (referral link)

If you still have any questions or suggestions, shoot me a message. Check the About page for my details.

Tags: apache, articles, centos, certificate, cpanel, directadmin, nginx, openssl, plesk, ssl, tls