Let's Encrypt with DirectAdmin, now built in!
Published: 24-02-2016 | Author: Remy van Elst
Let's Encrypt is a new certificate authority, recognized by all major browsers. They make it a breeze to set up TLS certificates for your web server. And for free! Let's Encrypt is supported by major players like Mozilla, Akamai, Cisco, the EFF, the Internet Security Research Group and others. Let's Encrypt provides free, automatic and secure certificates so that every website can be secured with an SSL certificate.
I have written a guide on using Let's Encrypt with Directadmin before, but that involved manually logging in via SSH and a lot of work.
Directadmin has supported Let's Encrypt natively since version 1.50, so there is no more SSH fiddling: it is all done via the control panel, for all the users on the server.
The previous article still applies and it still works. It's generic enough for all control panels and for web servers that Let's Encrypt does not support.
So let's get started. We'll do a couple of things, namely:
- Update Directadmin
- Enable Let's Encrypt
- Request a certificate
After step 3, everything is automatic, including renewals.
Do note that the last step of the article requires you to have set up a website and a domain already. They must be working and resolving in DNS, because Let's Encrypt triggers a challenge-response authentication to the domain name.
You can test with a subdomain as well, but make sure to add the subdomain as a new domain, not as a subdomain (so: Domain Administration, Add a domain, testsub.example.org). Actual subdomains don't support separate SSL in Directadmin.
Do note that I'm not sponsored by Directadmin (Hi John and crew) nor by Let's Encrypt. I just like them both a lot: Directadmin for being a lightweight but very easy and functional control panel, and Let's Encrypt for their effort to secure the entire web for free.
Remember when I said no more fiddling with SSH? Well, that part isn't entirely true. You need to log in once via SSH to update Directadmin and enable Let's Encrypt.
You can update Directadmin via the Administrator Settings -> Update / Licensing page as well, but I like the custombuild method better. Why? Because you can update the other parts of your server as well, and that is generally a good thing to do.
Also, you do need to log in via SSH and execute a few other steps, like enabling Let's Encrypt and rewriting the configuration files, so you might just as well log in and update via custombuild.
A friend of mine wrote a great article on keeping Directadmin up to date on her website. I'll give you the TL;DR version here, but if you want to know more, read her article.
First log in to your server via SSH as root or as a user that can sudo to root. Navigate to the
Clean up earlier updates to make sure no weird quirks show up:
./build clean all
Update the software list:
If you want, you can get a list of the updates available:
./build versions | grep is
Output looks like this:
DirectAdmin 1.49.1 to 1.50.0 update is available.
cURL 7.46.0 to 7.47.1 update is available.
FreeType 2.6.2 to 2.6.3 update is available.
MySQL 5.6.28 to 5.6.29 update is available.
PHP 5.6 (mod_php) 5.6.17 to 5.6.18 update is available.
Apply the updates:
If you only want to update Directadmin and not the other packages, you can do that with the following command:
While you're applying updates, do the operating system updates as well:
apt-get update && apt-get upgrade || yum update
The above command will work on both Debian / Ubuntu and CentOS. You will be asked to confirm the updates before they're installed.
There is one more important thing to do, and that is rewriting the configuration. You need to do this because Directadmin keeps all the challenge-response files in one place, not separately per domain. Directadmin's custombuild has a function for this. Do note that if you made any manual changes (not via Directadmin), they will be lost. Make sure you have a backup. Rewrite the confs, still in the custombuild folder:
Now that your server is up to date, continue on to enable Let's Encrypt in Directadmin.
Enable Let's Encrypt
Make sure you're still logged in via SSH. You can execute the command below and it will add the setting to the Directadmin configuration, but only if it's not already there:
grep -q 'letsencrypt=1' /usr/local/directadmin/conf/directadmin.conf || echo 'letsencrypt=1' >> /usr/local/directadmin/conf/directadmin.conf
You can also manually edit the file /usr/local/directadmin/conf/directadmin.conf and add the following value:
letsencrypt=1
If your server is recent enough (CentOS 6, Ubuntu 12.04) and you run Apache 2.2 or higher, you can also enable SNI support (Server Name Indication). That is an extension to the TLS protocol which, simply said, allows you to host multiple SSL-enabled sites on one IP address.
Almost the same command as above, but with another value:
grep -q 'enable_ssl_sni=1' /usr/local/directadmin/conf/directadmin.conf || echo 'enable_ssl_sni=1' >> /usr/local/directadmin/conf/directadmin.conf
After changing the configuration, restart Directadmin:
service directadmin restart
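The two grep-or-append one-liners above only look for the exact line (for example letsencrypt=1), so if the file already holds letsencrypt=0 they append a second, conflicting line instead of fixing the first. The following shell function is an added example, not from the article or from Directadmin, that sets a key in directadmin.conf idempotently: it rewrites an existing key in place and appends it only when absent. The demonstration runs on a constructed temporary copy rather than the real file.

```shell
# Added example: idempotent key=value setter for directadmin.conf-style files.
# Keys and values are expected to be plain tokens (no '|' or newlines).
# Usage: da_set_conf /usr/local/directadmin/conf/directadmin.conf letsencrypt 1
da_set_conf() {
    conf="$1"; key="$2"; value="$3"
    if grep -q "^${key}=" "$conf" 2>/dev/null; then
        # Key already present: replace its value in place. A temp file is used
        # instead of sed -i, which differs between GNU and BSD sed.
        tmp="${conf}.tmp.$$"
        sed "s|^${key}=.*|${key}=${value}|" "$conf" > "$tmp" && mv "$tmp" "$conf"
    else
        # Key absent: append it (this also creates the file if it is missing).
        echo "${key}=${value}" >> "$conf"
    fi
}

# Read back the current value of a key (empty output if it is not set),
# handy for verifying the file before restarting Directadmin.
da_get_conf() {
    sed -n "s|^${2}=||p" "$1" | tail -n 1
}

# Demonstration on a constructed copy so a real install is never touched.
# The copy starts with both features explicitly disabled, the case the
# article's one-liners do not handle.
demo_conf="$(mktemp)"
printf 'letsencrypt=0\nenable_ssl_sni=0\n' > "$demo_conf"
da_set_conf "$demo_conf" letsencrypt 1
da_set_conf "$demo_conf" enable_ssl_sni 1
da_set_conf "$demo_conf" enable_ssl_sni 1   # repeated run: no duplicate line
cat "$demo_conf"
```

After editing the real file this way, restart Directadmin as shown above so the new settings take effect.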
You can check via the web interface if you now have the most recent version:
Request a certificate
Now that we're all set up we can request a certificate for a website. Do make sure the user and the package have SSL enabled in their settings; otherwise add that option to the account.
Log in as the user you want to request the certificate for (either with their username and password or via "Admin" -> "Show all users", "username", "Login as username"). Navigate to "Advanced Features" -> "SSL Certificates".
Make sure the top line says: "SSL is currently enabled for this domain. You can disable it here."
If it says "SSL is currently disabled for this domain. You can enable it here.", click the "Enable it here" link and turn it on, then go back to the "SSL Certificates" page.
Select the third option, "Free & automatic certificate from Let's Encrypt", and fill in the fields below.
If you've set up everything correctly, meaning you updated Directadmin, rewrote the configuration and enabled Let's Encrypt, you should get output like in the picture below, with a correct and valid certificate.
You can check if it all worked by using my SSL Check over at SSLdecoder.org.
Directadmin will also show you that Let's Encrypt is enabled, plus the auto-renew date.
If you forgot to rewrite the configuration, you might get an error message like in the picture below. Go back and redo everything in this tutorial, don't forget to rewrite the configuration, and try again.
That's all there is. Your website is now set up with a certificate for free, which will auto-renew when it's about to expire. You don't have to do anything or worry about it anymore.
Another subtopic? But we're already done, the site has a certificate and it all works? I know, I know. There are a few things you might want to do to make sure it all keeps working in the best state.
First, to make sure the certificate doesn't expire, add your website to the free Certificate Expiry Monitor service, one of my other projects. The renewal process should be automatic, but you never know. Even Google sometimes forgets to renew certificates, so better to make sure it won't happen to your sites.
Second, you can optimize all aspects of TLS and make sure it's very secure. I have a guide on that for Apache, and the Mozilla Foundation has one as well. Both are very good, explain all aspects and make sure your site is as secure as possible.